Skip main navigation

MFT Structure

Article detailing the basics of the NT File System $MFT file segment entry (record) structures.
© PA Knowledge Ltd | 7Safe Training


The $MFT is a relational database which maintains a record of all files (including directories) saved to the file system. Each file will have at least one (sometimes more than one) entry stored within the $MFT.

The technical term for these entries are ‘File Segment Entries’ but these are commonly referred to as ‘MFT records’ within the digital forensic community.

Each MFT record contains all the necessary file system metadata regarding a file such as the file ownership, when it was created, the file size and so on.

An MFT record consists of structured and unstructured data. The structured data relates to the record header which contains information relevant to the actual record. The unstructured data is an area to which attributes can be assigned. The attributes contain all the relevant file metadata.

A linear representation of an MFT record is detailed below:

Graphic depicting liner representation of $MFT file segment entry.

It can be seen that the first 56 bytes are reserved (48 byte header immediately followed by an 8 byte update sequence array) and the remaining 968 bytes are available to store attributes. Note that 4 attributes are present in the above example (namely 0x10, 0x30, 0x40 and 0x80), together with an end marker (0xFF). The end marker indicates the end of the record attributes.

Additional information…

The MFT record header contains several data fields including flags to determine if the entry relates to a file or a directory, if the entry is in use or can be reused (MFT entries are only marked as deleted and are eventually reused by the file system). The header also contains the MFT record number.

For reference, a snippet of an actual MFT record detailing header information is detailed below:

Screenshot of $MFT file segment entry header.

It can be seen that the header contains 15 data fields. Looking at the header information it can be seen that the entry is in use, it pertains to a file and the MFT record ID is 114,059. Some of these data fields can be used to assist in complex malware investigations when searching for complex malware hiding in plain sight.

© PA Knowledge Ltd | 7Safe Training
This article is from the free online

Introduction to Digital Forensics: Malware Analysis and Investigations

Created by
FutureLearn - Learning For Life

Reach your personal and professional goals

Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.

Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.

Start Learning now