Home

The $MFT files is a list of all files on the pcurrent disk (or partition).  The structure of each MFT record is well documented, but conatins many binary numbers and so can be difficult to interpret.  CnW can be used to view an MFT sector, and when the mouse pointer is held over any part of the hex dump, appropiate fields will be explained.  This will include file sizes, dates, as well attributes and pointers.

The same information will be stored in the log when a file is recovered, but the manual mode will assist with forensic investigation down the level of bits and bytes within the MFT record.

It can be seen in the screen dump above that the cursor is over the File modified date field, and so displays date and time.

The main sections of the MFT are all decoded, as follows

• 0x10 Standard Attribute Header
• 0x20 Non resident pointers
• 0x30 File name
• 0x50 Security descriptor
• 0x60 Volume name
• 0x80 Data run pointers and file size
• 0xA0 Index allocation
• 0xB0 Bitmap
• 0xD0 EA information
• 0xE0 EA
• 0xF0 Property Set
• 0x100 Logged utility stream

For the main header, typically the first 0x38 bytes, the following fields are displayed

• MFT header pointer to fix up : 0x30
• Fix up count : 03
• $Logfile sequence number
• Number of times MFT has been reused
• Hard link count
• Real size of MFT record
• Allocated size of MFT record
• MFT value : 0x00   - this is the reference of the MFT in the $MFT file
• Status flag indicating that theMFT is for a file or directory, and if used or deleted
• Fix up value, and it verifies that the value in offset 0x1fe and 0x1ff is correct, or incorrect

For standard Information, record type 0x10 the following fields are displayed

• Creation date
• File modified date
• MFT changed time
• File read time 
• File sttribute, such as Read Only, Compressed, Hidden

For File name record type 0x30

• Creation date
• File modified date
• MFT changed time
• File read time 

For data run  record type 0x80 and 0xA0

• Offset to data runs
• Allocated size of file
• Real size of file
• Initialised size of data stream
• Cluster start of data runs
• Length of first data run in clusters - only the first is currently expanded