# MFT Structure

Article detailing the basics of the NT File System $MFT file segment entry (record) structures. © PA Knowledge Ltd | 7Safe Training

## $MFT

The $MFT is a relational database which maintains a record of all files (including directories) saved to the file system. Each file will have at least one (sometimes more than one) entry stored within the $MFT.

The technical term for these entries is ‘File Segment Entries’, but they are commonly referred to as ‘MFT records’ within the digital forensic community.

Each MFT record contains all the necessary file system metadata regarding a file such as the file ownership, when it was created, the file size and so on.

An MFT record consists of structured and unstructured data. The structured data relates to the record header which contains information relevant to the actual record. The unstructured data is an area to which attributes can be assigned. The attributes contain all the relevant file metadata.

A linear representation of an MFT record is detailed below:

It can be seen that the first 56 bytes are reserved (a 48-byte header immediately followed by an 8-byte update sequence array) and the remaining 968 bytes are available to store attributes. Note that 4 attributes are present in the above example (namely 0x10, 0x30, 0x40 and 0x80), together with an end marker (0xFF). The end marker indicates the end of the record attributes.

The MFT record header contains several data fields, including flags that indicate whether the entry relates to a file or a directory and whether the entry is in use or can be reused (MFT entries are only marked as deleted and are eventually reused by the file system). The header also contains the MFT record number.

For reference, a snippet of an actual MFT record detailing header information is detailed below:

It can be seen that the header contains 15 data fields. Looking at the header information, it can be seen that the entry is in use, it pertains to a file and the MFT record ID is 114,059. Some of these data fields can assist in complex malware investigations when searching for malware hiding in plain sight.
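The record layout described above can be read programmatically. The following Python sketch is an added example, not part of the original article: it parses the 48-byte header, verifies and undoes the update sequence array, then lists attribute type codes up to the end marker. The field layout is the commonly documented NTFS 3.1 header, 512-byte sectors are assumed, and `build_sample` produces a constructed record that mirrors the article's example (in use, file, record 114,059).

```python
import struct

RECORD_SIZE, SECTOR = 1024, 512  # 1024-byte record as in the article; 512-byte sectors assumed
FLAG_IN_USE, FLAG_DIRECTORY, END_MARKER = 0x0001, 0x0002, 0xFFFFFFFF
# 48-byte header: signature, USA offset, USA count, $LogFile LSN, sequence number, link count,
# first attribute offset, flags, used size, allocated size, base ref, next attr id, pad, record no.
HEADER = struct.Struct("<4sHHQHHHHIIQHHI")

def parse_mft_record(raw):
    if len(raw) < RECORD_SIZE:
        raise ValueError("short record")
    rec = bytearray(raw[:RECORD_SIZE])
    (sig, usa_off, usa_cnt, _lsn, seq, _links, attr_off, flags,
     used, _alloc, _base, _next_id, _pad, rec_no) = HEADER.unpack_from(rec)
    if sig != b"FILE":
        raise ValueError("bad signature %r" % sig)
    if usa_cnt < 1 or (usa_cnt - 1) * SECTOR > RECORD_SIZE or usa_off + 2 * usa_cnt > RECORD_SIZE:
        raise ValueError("bad update sequence array")
    # Entry 0 of the array is a check value stamped over the last two bytes of
    # every sector; the entries after it hold the bytes that were replaced.
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_cnt):
        end = i * SECTOR
        if bytes(rec[end - 2:end]) != usn:
            raise ValueError("update sequence mismatch in sector %d" % i)
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    attrs, pos, limit = [], attr_off, min(used, RECORD_SIZE)
    while pos + 8 <= limit:
        a_type, a_len = struct.unpack_from("<II", rec, pos)
        if a_type == END_MARKER:
            break
        if a_len < 8 or pos + a_len > limit:
            raise ValueError("bad attribute length at offset %d" % pos)
        attrs.append(a_type)
        pos += a_len
    return {"record_number": rec_no, "sequence": seq, "in_use": bool(flags & FLAG_IN_USE),
            "is_directory": bool(flags & FLAG_DIRECTORY), "attributes": attrs}

def build_sample():
    # Constructed record (not from a real volume): four empty 24-byte attributes.
    rec = bytearray(RECORD_SIZE)
    body = b"".join(struct.pack("<II", t, 24) + bytes(16) for t in (0x10, 0x30, 0x40, 0x80))
    body += struct.pack("<I", END_MARKER)
    HEADER.pack_into(rec, 0, b"FILE", 48, 3, 0, 1, 1, 56, FLAG_IN_USE,
                     56 + len(body) + 4, RECORD_SIZE, 0, 4, 0, 114059)
    rec[56:56 + len(body)] = body
    for pos in (48, SECTOR - 2, 2 * SECTOR - 2):  # USN 1 in the array and at each sector end
        rec[pos:pos + 2] = b"\x01\x00"
    return bytes(rec)
```

A record that fails the update sequence check was only partially written or has been altered after the fact, so it is worth flagging rather than silently parsing.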
