
NTFS Files

Article detailing the NT File System metadata files and which files are of interest to the Malware Investigator.
© PA Knowledge Ltd | 7Safe Training

NTFS Files

The NT File System is made up of a number of file system metadata files which collectively allow the file system to function. All files including directories are referenced numerically in a relational database called $MFT.

The following 3 files are always of interest to the malware investigator:

Name                  Remarks
$MFT                  Relational database – index of every file
$LogFile              Transactional logging file recording metadata transactions
$Extend\$UsnJrnl:$J   Change journal for files

In this course we will take a closer look at the $MFT only.

All NTFS metadata files reside in the root of the file system, but they cannot ordinarily be accessed without specialist software, such as forensic or disk editing tools.

Below is a list of NTFS files for reference:

Image depicting NTFS metadata system files

Note the first entry in the $MFT, entry 0: this is actually the $MFT itself! Also note that the parent id for these files is entry 5, which is the root directory. The $Extend directory contains optional extensions. Note that not all of the optional extensions are detailed.

Additional information…

Note the $Extend directory detailed above. The file referenced within the directory is called $UsnJrnl, which incidentally is a zero-byte file (it contains no file content). The $UsnJrnl file has a named stream attached to it called $J. This is one of the files of interest to a malware investigator!

You will recall that named streams cannot be navigated to via Windows Explorer. They can, however, be identified and accessed via a Command Prompt, PowerShell or other third-party security, forensic or disk editing tools. To identify any alternate data streams on your computer, type Dir /r in your directory of choice.

Remember file system metadata files cannot ordinarily be accessed without specialist tools so simply typing Dir /r in the root of an NTFS volume will not identify the $J file or any file system metadata named streams!
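As an added example (not code from the course or its authors), the following Python builds a minimal, constructed $MFT FILE record for $UsnJrnl and parses it to show the structures described above: the entry number in the record header, the parent reference stored in the $FILE_NAME attribute (entry 11, $Extend), and the $J stream appearing as a named $DATA attribute. The entry number 35, the sequence numbers and the empty update-sequence array (so no fixups are needed) are constructed simplifications of a real record.

```python
import struct

ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}

def attribute(type_id, content, name=""):
    """Build one resident attribute: 24-byte header, optional UTF-16LE name, content, 8-byte aligned."""
    name_bytes = name.encode("utf-16-le")
    content_off = 0x18 + len(name_bytes)
    length = (content_off + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", type_id, length, 0, len(name), 0x18, 0, 0, len(content), content_off, 0, 0)
    return (hdr + name_bytes + content).ljust(length, b"\0")

def file_name_content(parent_rec, parent_seq, name):
    """$FILE_NAME body: parent reference (48-bit entry number + 16-bit sequence), zeroed times/sizes, name."""
    ref = (parent_seq << 48) | parent_rec
    return (struct.pack("<Q4Q2QII", ref, 0, 0, 0, 0, 0, 0, 0, 0)
            + bytes([len(name), 3]) + name.encode("utf-16-le"))

def mft_record(record_no, seq_no, attrs):
    """1024-byte FILE record. Constructed with an empty update-sequence array, so no fixups apply."""
    body = b"".join(attrs) + b"\xff\xff\xff\xff"          # 0xFFFFFFFF terminates the attribute list
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 0, 0, seq_no, 1, 0x30, 1,
                      0x30 + len(body), 1024, 0, len(attrs), 0, record_no)
    return (hdr + body).ljust(1024, b"\0")

def parse_record(rec):
    """Return (entry number, sequence number, parent (entry, seq), [(attribute type, stream name)])."""
    if rec[:4] != b"FILE": raise ValueError("not an MFT FILE record")
    seq_no, = struct.unpack_from("<H", rec, 0x10)
    off, = struct.unpack_from("<H", rec, 0x14)               # offset of the first attribute
    record_no, = struct.unpack_from("<I", rec, 0x2C)          # entry 0 is $MFT itself
    parent, attrs = None, []
    while struct.unpack_from("<I", rec, off)[0] != 0xFFFFFFFF:
        atype, alen, _nonres, nlen, noff, _flg, _id, _clen, coff = struct.unpack_from("<IIBBHHHIH", rec, off)
        name = rec[off + noff: off + noff + 2 * nlen].decode("utf-16-le")
        if atype == 0x30:                                     # $FILE_NAME is always resident
            ref, = struct.unpack_from("<Q", rec, off + coff)
            parent = (ref & 0xFFFFFFFFFFFF, ref >> 48)
        attrs.append((ATTR_NAMES.get(atype, hex(atype)), name))
        off += alen
    return record_no, seq_no, parent, attrs

def named_streams(rec):
    """Named $DATA attributes, i.e. the alternate data streams Dir /r lists for an ordinary file."""
    return [name for kind, name in parse_record(rec)[3] if kind == "$DATA" and name]

# Constructed sample record for $UsnJrnl (its entry number varies per volume; 35 is made up).
USNJRNL = mft_record(35, 1, [
    attribute(0x10, bytes(0x48)),                             # $STANDARD_INFORMATION, zeroed
    attribute(0x30, file_name_content(11, 11, "$UsnJrnl")),   # parent = $Extend, MFT entry 11
    attribute(0x80, b""),                                     # unnamed $DATA: the zero-byte file content
    attribute(0x80, b"", name="$J"),                          # the $J named stream (non-resident on a real volume)
])
```

On a real volume the $MFT is read with a forensic tool or a raw disk handle, and each record's update-sequence fixups must be applied before parsing; the header and attribute offsets used here are the same.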

Interestingly, the creation dates of the NTFS metadata files actually refer to the date and time at which creation of the volume (formatting) commenced.

This article is from the free online course Introduction to Digital Forensics: Malware Analysis and Investigations

Created by
FutureLearn - Learning For Life