Skip main navigation

New offer! Get 30% off one whole year of Unlimited learning. Subscribe for just £249.99 £174.99. New subscribers only. T&Cs apply

Find out more

NTFS Files

Article detailing the NT File System metadata files and which files are of interest to the Malware Investigator.

NTFS Files

The NT File System is made up of a number of file system metadata files which collectively allow the file system to function. All files including directories are referenced numerically in a relational database called $MFT.

The following 3 files are always of interest to the malware investigator:

Name Remarks
$MFT Relational database – index of every file
$Logfile Transnational logging file recording metadata transactions
$Extend\$UsnJrnl:$J Change journal for files

In this course we will take a closer look at the $MFT only.

All NTFS files reside in the root of the file system but these files cannot be ordinary accessed without the use of specialist software, such as forensic or disk editing tools.

Below is a list of NTFS files for reference:

Image depicting NTFS metadata system files

Note the first entry in the $MFT, entry 0, this is actually the $MFT itself! Also note that the parent id for these files is entry 5, which relates to the root directory. The $Extent directory contains optional extensions. Note that not all the optional extensions are detailed.

Additional information…

Note the $Extent directory detailed above. The file referenced within the directory is called $UsnJrnl which incidentally is a zero byte file (it contains no file content). The $UsnJrnl file has a named stream attached to it called $J. This is one of the files of interest to a malware investigator!

You will recall that named streams cannot be navigated to via Windows Explorer. They can however be identified and accessed via a Command Prompt, PowerShell or other third party security, forensic or disk editing tools. To identify any alternate data streams on your computer type Dir /r in your directory of choice.

Remember file system metadata files cannot ordinarily be accessed without specialist tools so simply typing Dir /r in the root of an NTFS volume will not identify the $J file or any file system metadata named streams!

Interestingly the creation dates of NTFS files actually refers to the date and time the volume commenced creation (formatting).

© PA Knowledge Ltd | 7Safe Training
This article is from the free online

Introduction to Digital Forensics: Malware Analysis and Investigations

Created by
FutureLearn - Learning For Life

Reach your personal and professional goals

Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.

Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.

Start Learning now