MFT Parse

Master File Table analysis and viewing

View attributes from a sector view
With NTFS recovery and analysis, understanding the MFT is extremely important. To assist with this, CnW data recovery software will highlight fields when an MFT sector is displayed using view sector. MFT sectors can also be viewed by double clicking on the sector number within the log function. A final way to find an MFT sector is from the NTFS recover options menu: clicking on the MFT sector box displays the first MFT record.

The function works on all versions of CnW, including the free demo; download now.



Hover with the mouse to decode fields
When the mouse pointer is placed over a field, the tooltip describes the field contents. The example above shows the file modification date within the Standard Attribute header.

An MFT record always starts with the header FILE, followed by either * or 0, which is the pointer to the fixup bytes. XP systems always use the value 0x30 ('0'). All values are little endian.

After the header comes a series of records, each of which starts with a 4 byte type number followed by a 4 byte length. The record types are:

0x10 Standard Attribute Header
0x20 Non resident pointers
0x30 File name
0x50 Security descriptor
0x60 Volume name
0x80 Data run pointers and file size
0xA0 Index allocation
0xB0 Bitmap
0xD0 EA information
0xE0 EA
0xF0 Property Set
0x100 Logged utility stream

For the main header, typically the first 0x38 bytes, the following fields are displayed:

MFT header pointer to fix up : 0x30
Fix up count : 03
$Logfile sequence number
Number of times MFT has been reused
Hard link count
Real size of MFT record
Allocated size of MFT record
MFT value : 0x00 - this is the reference of the MFT in the $MFT file
Status flag indicating whether the MFT record is for a file or a directory, and whether it is in use or deleted
Fix up value, which verifies whether the values at offsets 0x1fe and 0x1ff are correct or incorrect

For Standard Information, record type 0x10, the following fields are displayed:
Creation date
File modified date
MFT changed time
File read time
File attributes, such as Read Only, Compressed, Hidden

For File name, record type 0x30:
Creation date
File modified date
MFT changed time
File read time

For data runs, record types 0x80 and 0xA0:
Offset to data runs
Allocated size of file
Real size of file
Initialised size of data stream
Cluster start of data runs
Length of first data run in clusters

This list is not complete and will be extended in future releases, as will decoding of other popular sector types.
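As an added example (not CnW's code), the record layout described above, parsed in Python: a constructed 1024-byte file record is built with the 0x30-byte header, the fixup array and one resident 0x10 record; the parser decodes the header fields listed above, checks and undoes the fixups at the last two bytes of each 512-byte sector (0x1fe/0x1ff and 0x3fe/0x3ff), then walks the 4 byte type / 4 byte length chain and decodes the four dates. Offsets follow the standard XP-era NTFS record layout; the sample record, its USN, sequence numbers and dates are constructed values.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch; every field is little endian
HDR = "<4sHHQHHHHIIQHHI"  # FILE, fixup off, fixup count, $LogFile seq, reuse seq, links, 1st attr, flags, real, alloc, base ref, next id, pad, record no
ATTR_NAMES = {0x10: "Standard Attribute Header", 0x30: "File name", 0x80: "Data run pointers"}

def from_filetime(ticks):
    return EPOCH + timedelta(microseconds=ticks // 10)  # 100 ns ticks since 1601-01-01

def build_record(record_no, created=EPOCH.replace(year=2009), usn=0x0007):  # constructed in-use file record
    rec = bytearray(1024)
    ft = (created - EPOCH) // timedelta(microseconds=1) * 10
    body = struct.pack("<4Q4I", ft, ft, ft, ft, 0x20, 0, 0, 0)  # 4 dates, attrs=ARCHIVE, reserved
    attr = struct.pack("<IIBBHHHIHBB", 0x10, 0x18 + len(body), 0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0) + body
    first, used = 0x38, 0x38 + len(attr) + 4  # fixup array (3 words at 0x30) rounded up to 8
    struct.pack_into(HDR, rec, 0, b"FILE", 0x30, 3, 0x1234, 1, 1, first, 0x0001, used, 1024, 0, 2, 0, record_no)
    rec[first:used] = attr + b"\xff\xff\xff\xff"  # resident 0x10 attribute, then end-of-attributes marker
    # fixup array: USN followed by the original last word of each 512-byte sector; then stamp the USN there
    struct.pack_into("<HHH", rec, 0x30, usn, *(struct.unpack_from("<H", rec, o)[0] for o in (0x1FE, 0x3FE)))
    for o in (0x1FE, 0x3FE):
        struct.pack_into("<H", rec, o, usn)
    return bytes(rec)

def parse_record(raw):  # decode the header, verify and undo the fixups, walk the attribute chain
    rec = bytearray(raw)
    (sig, fix_off, fix_cnt, lsn, seq, links, first, flags, used, alloc,
     _base, _next_id, _pad, rec_no) = struct.unpack_from(HDR, rec, 0)
    if sig != b"FILE":
        raise ValueError("not a FILE record")
    usn, *saved = struct.unpack_from("<%dH" % fix_cnt, rec, fix_off)
    for tail, word in zip(range(510, len(rec), 512), saved):  # one saved word per 512-byte sector
        if struct.unpack_from("<H", rec, tail)[0] != usn:
            raise ValueError("fixup mismatch at offset 0x%X" % tail)
        struct.pack_into("<H", rec, tail, word)
    info = {"record": rec_no, "lsn": lsn, "seq": seq, "links": links, "in_use": bool(flags & 1),
            "is_dir": bool(flags & 2), "used": used, "allocated": alloc, "attrs": []}
    off = first
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)  # 4-byte type, 4-byte length
        if atype == 0xFFFFFFFF or alen == 0:
            break
        entry = {"type": atype, "name": ATTR_NAMES.get(atype, "0x%X" % atype), "len": alen}
        if atype == 0x10 and rec[off + 8] == 0:  # resident standard information
            coff = struct.unpack_from("<H", rec, off + 0x14)[0]
            *dates, fattr = struct.unpack_from("<4QI", rec, off + coff)
            entry.update(dates=[from_filetime(t) for t in dates], file_attrs=fattr)  # created, modified, MFT changed, read
        info["attrs"].append(entry)
        off += alen
    return info
```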