MFT Structure

Article detailing the basics of the NT File System $MFT file segment entry (record) structures.
© PA Knowledge Ltd | 7Safe Training

$MFT

The $MFT is a relational database which maintains a record of all files (including directories) saved to the file system. Each file has at least one entry, and sometimes more than one, stored within the $MFT.

The technical term for these entries is ‘File Segment Entries’, but they are commonly referred to as ‘MFT records’ within the digital forensic community.

Each MFT record contains all the necessary file system metadata regarding a file such as the file ownership, when it was created, the file size and so on.

An MFT record consists of structured and unstructured data. The structured data is the record header, which contains information about the record itself. The unstructured data is an area to which attributes can be assigned; the attributes contain all the relevant file metadata.

A linear representation of an MFT record is detailed below:

Graphic depicting a linear representation of a $MFT file segment entry.

It can be seen that the first 56 bytes are reserved (a 48-byte header immediately followed by an 8-byte update sequence array) and the remaining 968 bytes are available to store attributes. Note that 4 attributes are present in the example above (namely 0x10, 0x30, 0x40 and 0x80), together with an end marker (0xFF). The end marker indicates the end of the record's attributes.

Additional information…

The MFT record header contains several data fields, including flags that indicate whether the entry relates to a file or a directory and whether the entry is in use or can be reused (MFT entries are only ever marked as deleted, and are eventually reused by the file system). The header also contains the MFT record number.

For reference, a snippet of an actual MFT record showing the header information is given below:

Screenshot of a $MFT file segment entry header.

It can be seen that the header contains 15 data fields. From the header information shown, the entry is in use, it pertains to a file, and the MFT record ID is 114,059. Some of these data fields can be used to assist in complex malware investigations, for example when searching for malware hiding in plain sight.
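As an added example (not part of the original article or of 7Safe's course material), the following Python parses a record in the way the header and attribute layout above describe: it first undoes the update sequence fixups recorded in the 8-byte array after the header, then decodes the 48-byte header (flags for in-use and directory, and the record number), and finally walks the attributes until the end marker, which on disk is the 4-byte attribute type value 0xFFFFFFFF. The record it parses is constructed inside build_sample_record() with record number 114,059 and attribute types 0x10, 0x30, 0x40 and 0x80 chosen to match the figures; it is not a record from a real volume, and the field names used for the header are this example's own, not names from the article.

```python
"""Parse an NTFS $MFT file segment entry (MFT record): apply the update
sequence fixups, read the 48-byte header, and walk attributes to the end marker.
Added example; the sample record is constructed in build_sample_record(), not
taken from a real volume."""
import struct

RECORD_SIZE = 1024          # one MFT record
SECTOR_SIZE = 512           # fixup granularity used by the update sequence array
END_MARKER = 0xFFFFFFFF     # attribute type value that terminates the attribute list
FLAG_IN_USE = 0x0001        # bits of the record header flags field
FLAG_DIRECTORY = 0x0002

# 48-byte record header (NTFS 3.1 layout, little-endian). The record number at
# offset 0x2C only exists on NTFS 3.1+ volumes; older volumes leave it zero.
HEADER_FORMAT = "<4sHHQHHHHLLQHHL"
HEADER_FIELDS = (
    "signature", "usa_offset", "usa_count", "lsn", "sequence_number",
    "hard_link_count", "first_attr_offset", "flags", "used_size",
    "allocated_size", "base_record", "next_attr_id", "padding", "record_number",
)


def apply_fixups(record: bytes) -> bytes:
    """Undo the update sequence array (USA). NTFS stamps the update sequence
    number over the last two bytes of every 512-byte sector and keeps the
    original bytes in the USA; a mismatch means the record was torn by an
    interrupted write, or has been corrupted or tampered with."""
    usa_offset, usa_count = struct.unpack_from("<HH", record, 4)
    usn = record[usa_offset:usa_offset + 2]
    fixed = bytearray(record)
    for i in range(1, usa_count):
        tail = i * SECTOR_SIZE - 2
        if fixed[tail:tail + 2] != usn:
            raise ValueError(f"update sequence mismatch in sector {i - 1}: torn or corrupt record")
        fixed[tail:tail + 2] = record[usa_offset + 2 * i:usa_offset + 2 * i + 2]
    return bytes(fixed)


def parse_header(record: bytes) -> dict:
    """Decode the header fields and derive the in-use / directory booleans."""
    if record[:4] != b"FILE":
        raise ValueError(f"unexpected signature {record[:4]!r} (BAAD or not an MFT record)")
    header = dict(zip(HEADER_FIELDS, struct.unpack_from(HEADER_FORMAT, record, 0)))
    header["in_use"] = bool(header["flags"] & FLAG_IN_USE)
    header["is_directory"] = bool(header["flags"] & FLAG_DIRECTORY)
    return header


def walk_attributes(record: bytes) -> list:
    """Return [(attribute_type, length), ...] for the record's attributes,
    stopping at the 0xFFFFFFFF end marker. Lengths are bounds-checked so a
    malformed record cannot send the walk outside the 1024-byte buffer."""
    header = parse_header(record)
    offset = header["first_attr_offset"]
    attrs = []
    while offset + 8 <= len(record):
        attr_type, attr_len = struct.unpack_from("<LL", record, offset)
        if attr_type == END_MARKER:
            return attrs
        if attr_len < 16 or attr_len % 8 or offset + attr_len > header["used_size"]:
            raise ValueError(f"bad attribute length {attr_len:#x} at offset {offset:#x}")
        attrs.append((attr_type, attr_len))
        offset += attr_len
    raise ValueError("attribute list has no end marker")


def build_sample_record(record_number: int, flags: int,
                        attr_types=(0x10, 0x30, 0x40, 0x80)) -> bytes:
    """Construct a synthetic record (not from a real disk): resident attribute
    stubs with zeroed bodies, an end marker, and the update sequence applied
    exactly as NTFS writes it to disk."""
    body = bytearray()
    for attr_id, attr_type in enumerate(attr_types):
        length = 0x48 if attr_type == 0x80 else 0x60
        attr = bytearray(length)
        # common attribute header: type, length, non-resident flag, name length,
        # name offset, flags, attribute id
        struct.pack_into("<LLBBHHH", attr, 0, attr_type, length, 0, 0, 0, 0, attr_id)
        body += attr
    body += struct.pack("<L", END_MARKER)
    usa_offset, usa_count, first_attr = 0x30, 3, 0x38
    used_size = first_attr + len(body)
    header = struct.pack(HEADER_FORMAT, b"FILE", usa_offset, usa_count, 0, 1, 1,
                         first_attr, flags, used_size, RECORD_SIZE, 0,
                         len(attr_types), 0, record_number)
    usn = b"\x07\x00"
    record = bytearray(header + usn + bytes(first_attr - usa_offset - 2) + body)
    record += bytes(RECORD_SIZE - len(record))
    for i in range(1, usa_count):   # stash each sector tail in the USA, stamp the USN over it
        tail = i * SECTOR_SIZE - 2
        record[usa_offset + 2 * i:usa_offset + 2 * i + 2] = record[tail:tail + 2]
        record[tail:tail + 2] = usn
    return bytes(record)


if __name__ == "__main__":
    rec = apply_fixups(build_sample_record(114059, FLAG_IN_USE))
    hdr = parse_header(rec)
    print(f"record {hdr['record_number']}: in_use={hdr['in_use']} directory={hdr['is_directory']}")
    print("attributes:", [f"{t:#x}" for t, _ in walk_attributes(rec)])
```

Two points matter when running this over records carved from a real $MFT rather than the constructed one: always apply the fixups before reading anything past the header, because the stamped bytes at offsets 510 and 1022 will otherwise corrupt whatever attribute data falls there, and treat a fixup mismatch or an attribute length that runs past used_size as a finding in its own right, since both are how a torn, corrupted or hand-edited record shows up.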

This article is from the free online course Introduction to Digital Forensics: Malware Analysis and Investigations.
