# NTFS Files

Article detailing the NT File System metadata files and which files are of interest to the Malware Investigator.
© PA Knowledge Ltd | 7Safe Training

NTFS Files

The NT File System is made up of a number of file system metadata files which collectively allow the file system to function. All files including directories are referenced numerically in a relational database called $MFT. The following 3 files are always of interest to the malware investigator:  Name Remarks$MFT Relational database – index of every file $Logfile Transnational logging file recording metadata transactions$Extend\$UsnJrnl:$J Change journal for files

In this course we will take a closer look at the $MFT only. All NTFS files reside in the root of the file system but these files cannot be ordinary accessed without the use of specialist software, such as forensic or disk editing tools. Below is a list of NTFS files for reference: Note the first entry in the$MFT, entry 0, this is actually the $MFT itself! Also note that the parent id for these files is entry 5, which relates to the root directory. The$Extent directory contains optional extensions. Note that not all the optional extensions are detailed.

Note the $Extent directory detailed above. The file referenced within the directory is called$UsnJrnl which incidentally is a zero byte file (it contains no file content). The $UsnJrnl file has a named stream attached to it called$J. This is one of the files of interest to a malware investigator!

You will recall that named streams cannot be navigated to via Windows Explorer. They can however be identified and accessed via a Command Prompt, PowerShell or other third party security, forensic or disk editing tools. To identify any alternate data streams on your computer type Dir /r in your directory of choice.

Remember file system metadata files cannot ordinarily be accessed without specialist tools so simply typing Dir /r in the root of an NTFS volume will not identify the \$J file or any file system metadata named streams!

Interestingly the creation dates of NTFS files actually refers to the date and time the volume commenced creation (formatting).

© PA Knowledge Ltd | 7Safe Training