
NTFS Files

Article detailing the NT File System metadata files and which files are of interest to the Malware Investigator.
© PA Knowledge Ltd | 7Safe Training


The NT File System (NTFS) is made up of a number of file system metadata files which collectively allow the file system to function. Every file, including every directory, is referenced by a numeric record number in the Master File Table, $MFT, a table of fixed-size records (by default 1024 bytes each) which the course treats as the file system's database.

The following three files are always of interest to the malware investigator:

Name                   Remarks
$MFT                   Master File Table: one record for every file and directory on the volume
$LogFile               Transactional log recording file system metadata changes (used for crash recovery)
$Extend\$UsnJrnl:$J    Update Sequence Number (USN) change journal recording which files changed and how

In this course we will take a closer look at the $MFT only.

All NTFS metadata files reside in the root of the volume (a few inside the $Extend directory), but they are hidden and cannot ordinarily be accessed without specialist software, such as forensic or disk editing tools.

Below is a list of NTFS files for reference:

Image depicting NTFS metadata system files

Note the first entry in the $MFT, entry 0: this is the $MFT itself! Also note that the parent ID for these files is entry 5, which is the root directory. The $Extend directory contains optional extensions; not all of the optional extensions are listed.
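To make the record structure concrete, here is an added example (not code from the course) that builds a minimal $MFT FILE record for entry 0 and parses it back, recovering the record number, the name from the $FILE_NAME attribute and the parent reference to entry 5. The record bytes, the format time FORMAT_TIME and the function names are all constructed here for illustration; the on-disk layout follows the public NTFS 3.1 documentation. It also checks the update sequence (fixup) array, which is how a parser detects a torn or corrupted record rather than silently trusting it.

```python
"""Build and parse a minimal NTFS $MFT FILE record (constructed sample, not read from a real volume)."""
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE = 1024            # default MFT record size
SECTOR_SIZE = 512
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
FLAG_IN_USE, FLAG_DIRECTORY = 0x01, 0x02
ROOT_DIRECTORY_RECORD = 5     # entry 5 is always the root directory
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH   # integer arithmetic: float seconds would lose precision here
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def resident_attribute(attr_type: int, attr_id: int, content: bytes) -> bytes:
    """Resident attribute: 24-byte header, content at offset 0x18, total length padded to 8 bytes."""
    length = (0x18 + len(content) + 7) & ~7
    header = struct.pack("<IIBBHHHIHBB", attr_type, length, 0, 0, 0x18, 0, attr_id,
                         len(content), 0x18, 0, 0)
    return header + content + b"\0" * (length - 0x18 - len(content))


def build_file_record(record_number, sequence, flags, name, parent_record, parent_sequence,
                      created, usn=0x2A2A) -> bytes:
    ft = datetime_to_filetime(created)
    std_info = struct.pack("<QQQQIIII", ft, ft, ft, ft, 0, 0, 0, 0)
    parent_ref = (parent_sequence << 48) | parent_record       # 48-bit record number, 16-bit sequence
    file_name = struct.pack("<QQQQQQQIIBB", parent_ref, ft, ft, ft, ft, 0, 0, 0, 0,
                            len(name), 3) + name.encode("utf-16-le")   # namespace 3 = Win32 & DOS
    attrs = (resident_attribute(ATTR_STANDARD_INFORMATION, 0, std_info)
             + resident_attribute(ATTR_FILE_NAME, 1, file_name)
             + struct.pack("<II", ATTR_END, 0))
    first_attr = 0x38
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, sequence, 1, first_attr,
                         flags, first_attr + len(attrs), RECORD_SIZE, 0, 2, 0, record_number)
    rec = bytearray(header + struct.pack("<HHHH", usn, 0, 0, 0) + attrs)
    rec += b"\0" * (RECORD_SIZE - len(rec))
    # Fixups: the last 2 bytes of every sector are replaced by the USN; the originals go in the array
    for i in range(RECORD_SIZE // SECTOR_SIZE):
        end = (i + 1) * SECTOR_SIZE
        rec[0x32 + 2 * i:0x34 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = struct.pack("<H", usn)
    return bytes(rec)


def apply_fixups(raw: bytes) -> bytearray:
    """Verify each sector's trailing USN and restore the original bytes; a mismatch means a torn or corrupt record."""
    rec = bytearray(raw)
    usa_offset, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_offset:usa_offset + 2]
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if rec[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: record corrupt or torn")
        rec[end - 2:end] = rec[usa_offset + 2 * i:usa_offset + 2 * i + 2]
    return rec


def parse_file_record(raw: bytes) -> dict:
    if len(raw) != RECORD_SIZE or raw[:4] != b"FILE":
        raise ValueError("not a FILE record (unused slot or BAAD)")
    rec = apply_fixups(raw)
    seq, links, first_attr, flags, used, _alloc, _base, _next, _pad, recno = \
        struct.unpack_from("<HHHHIIQHHI", rec, 0x10)
    info = {"record_number": recno, "sequence": seq, "links": links, "attributes": [],
            "in_use": bool(flags & FLAG_IN_USE), "is_directory": bool(flags & FLAG_DIRECTORY)}
    off = first_attr
    while off + 8 <= used:
        attr_type, length = struct.unpack_from("<II", rec, off)
        if attr_type == ATTR_END:
            break
        if length < 0x10 or off + length > used:
            raise ValueError(f"bad attribute length at offset {off:#x}")
        info["attributes"].append(attr_type)
        if rec[off + 8] == 0:                       # resident: content lives inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = bytes(rec[off + coff:off + coff + clen])
            if attr_type == ATTR_STANDARD_INFORMATION:
                created, modified, _mft_modified, _accessed = struct.unpack_from("<QQQQ", content)
                info.update(created=filetime_to_datetime(created), modified=filetime_to_datetime(modified))
            elif attr_type == ATTR_FILE_NAME:
                parent_ref = struct.unpack_from("<Q", content)[0]
                name_len = content[0x40]
                info.update(name=content[0x42:0x42 + 2 * name_len].decode("utf-16-le"),
                            parent_record=parent_ref & 0xFFFFFFFFFFFF, parent_sequence=parent_ref >> 48)
        off += length
    return info


FORMAT_TIME = datetime(2024, 3, 1, 9, 0, 0, tzinfo=timezone.utc)   # constructed volume format time
SAMPLE_MFT_RECORD = build_file_record(0, 1, FLAG_IN_USE, "$MFT", ROOT_DIRECTORY_RECORD, 5, FORMAT_TIME)

if __name__ == "__main__":
    parsed = parse_file_record(SAMPLE_MFT_RECORD)
    print(f"entry {parsed['record_number']} is {parsed['name']}, parent entry {parsed['parent_record']} (root)")
    print("created:", parsed["created"].isoformat())
    corrupt = bytearray(SAMPLE_MFT_RECORD)
    corrupt[SECTOR_SIZE - 1] ^= 0xFF            # simulate a torn sector
    try:
        parse_file_record(bytes(corrupt))
    except ValueError as err:
        print("rejected:", err)
```

Pointing parse_file_record at real 1024-byte records carved from a $MFT dump works the same way; the fixup check is what separates a usable record from one a disk editor would show with a BAAD signature or mismatched sector tails.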

Additional information…

Note the $Extend directory detailed above. The file referenced within the directory is called $UsnJrnl, which incidentally is a zero byte file (its default data stream contains no content). The $UsnJrnl file has a named stream attached to it called $J, and that stream holds the change journal. This is one of the files of interest to a malware investigator!

You will recall that named streams cannot be navigated to via Windows Explorer. They can, however, be identified and accessed via a Command Prompt, PowerShell, or third party security, forensic or disk editing tools. To identify any alternate data streams on your computer, type Dir /r in your directory of choice.

Remember that file system metadata files cannot ordinarily be accessed without specialist tools, so simply typing Dir /r in the root of an NTFS volume will not reveal the $J stream or any other named stream belonging to a file system metadata file!
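As an added example (not code from the course), the script below does the two things a practitioner actually wants from the Dir /r step: parse_dir_r() pulls every alternate data stream out of saved Dir /r output, such as a listing collected from a host during triage, and list_streams() asks NTFS directly through the Win32 FindFirstStreamW/FindNextStreamW API on a live Windows machine. The sample listing, the function names and the benign-stream list are constructed here for illustration. As the text above says, neither route will show $Extend\$UsnJrnl:$J; for that you need a forensic tool that reads the metadata files.

```python
"""Find alternate data streams (ADS) on NTFS from saved `dir /r` output or, on Windows, via the Win32 API."""
import ctypes
import re
import sys

# A stream line in `dir /r` output has no date column: size, then file:stream:$DATA
_STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")

# Zone.Identifier is the Mark-of-the-Web stream browsers attach to downloads; anything else deserves a look
BENIGN_STREAMS = {"Zone.Identifier"}

# Constructed sample listing, not captured from a real system
SAMPLE_DIR_R_OUTPUT = """\
 Volume in drive C has no label.
 Directory of C:\\Users\\analyst\\Downloads

12/03/2024  09:40    <DIR>          .
12/03/2024  09:40    <DIR>          ..
12/03/2024  09:40            14,336 invoice.pdf
                                 26 invoice.pdf:Zone.Identifier:$DATA
12/03/2024  09:42            52,736 update.exe
                            204,800 update.exe:payload:$DATA
               2 File(s)         67,072 bytes
"""


def parse_dir_r(text: str) -> dict:
    """Return {file_name: [(stream_name, size_bytes), ...]} for every ADS listed in `dir /r` output."""
    streams = {}
    for line in text.splitlines():
        match = _STREAM_LINE.match(line)
        if match:
            size, file_name, stream = match.groups()
            streams.setdefault(file_name, []).append((stream, int(size.replace(",", ""))))
    return streams


def suspicious_streams(streams: dict) -> list:
    """Every (file, stream, size) that is not on the benign list, for follow-up with a forensic tool."""
    return [(f, s, n) for f, lst in streams.items() for s, n in lst if s not in BENIGN_STREAMS]


class _StreamData(ctypes.Structure):
    """WIN32_FIND_STREAM_DATA: 64-bit size followed by the stream name (MAX_PATH + 36 WCHARs)."""
    _fields_ = [("StreamSize", ctypes.c_int64), ("cStreamName", ctypes.c_wchar * (260 + 36))]


def list_streams(path: str) -> list:
    """Enumerate all $DATA streams of `path` (Windows only). Names come back as '::$DATA', ':name:$DATA'."""
    if sys.platform != "win32":
        raise OSError("stream enumeration needs the Win32 API; use parse_dir_r() on saved output instead")
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.POINTER(_StreamData), ctypes.c_uint32]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.POINTER(_StreamData)]
    k32.FindClose.argtypes = [ctypes.c_void_p]
    data = _StreamData()
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)   # 0 = FindStreamInfoStandard
    if handle == ctypes.c_void_p(-1).value:                          # INVALID_HANDLE_VALUE
        raise ctypes.WinError(ctypes.get_last_error())
    found = []
    try:
        while True:
            found.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):   # FALSE at end of list
                break
    finally:
        k32.FindClose(handle)
    return found


if __name__ == "__main__":
    streams = parse_dir_r(SAMPLE_DIR_R_OUTPUT)
    for file_name, stream, size in suspicious_streams(streams):
        print(f"suspicious ADS: {file_name}:{stream} ({size} bytes)")
    if sys.platform == "win32":
        print(list_streams(sys.argv[1] if len(sys.argv) > 1 else sys.executable))
```

The regex deliberately matches only lines with no date column, which is how Dir /r distinguishes a stream from the file that owns it; a list of benign stream names keeps Mark-of-the-Web entries from drowning out the ones worth opening with a forensic tool.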

Interestingly, the creation dates of the NTFS metadata files record the date and time at which the volume was formatted, since that is when they were created.

This article is from the free online course Introduction to Digital Forensics: Malware Analysis and Investigations, created by FutureLearn.
