In this module

NTFS Architecture for Forensic Examiners

Module 0 · Free

Operational Objective

Every filesystem artifact covered in this course — MFT records, USN Journal entries, $LogFile transactions, $I30 directory indexes, $Recycle.Bin metadata — is generated by NTFS. An examiner who doesn't understand NTFS architecture is interpreting artifacts without understanding the system that created them. When MFTECmd reports a "resident" file, what does that mean and why does it matter forensically? When a file has a "non-resident" $DATA attribute with three data runs, what does that tell you about file fragmentation and recovery potential? When an MFT record has a sequence number of 47, what does that mean about the record's history? These questions cannot be answered by reading tool output — they require understanding the filesystem architecture that produces the output. This subsection provides the NTFS architectural knowledge that underpins every artifact analysis module in this course, focusing specifically on the structures that generate forensic evidence.

Deliverable: Working understanding of NTFS structures that generate forensic artifacts: MFT record layout, attribute types and their forensic significance, cluster allocation and data runs, resident vs non-resident data storage, and the relationship between MFT records, directory indexes, and the change journal. Sufficient depth to interpret raw MFT records in a hex editor and understand what forensic tools are parsing.

Estimated completion: 40 minutes

Figure WF0.3 — NTFS MFT record structure showing the four primary attributes that generate forensic evidence. $STANDARD_INFORMATION timestamps are modifiable by user-mode applications (timestomping risk). $FILE_NAME timestamps are set exclusively by the NTFS driver (forensically reliable). $DATA stores file content either resident in the MFT record or non-resident across disk clusters. $INDEX entries in directories retain deleted filename evidence in slack space.

The Master File Table: one record per file

NTFS organizes all file metadata in the Master File Table — a file that is itself stored on the volume (it is MFT record 0, referencing itself). Every file and directory on an NTFS volume has at least one MFT record. Each record is exactly 1024 bytes on standard NTFS configurations (this size is set at format time and cannot be changed without reformatting).

An MFT record is not a row in a database. It is a binary structure with a fixed-size header followed by a variable number of attributes. The header contains the record's administrative data: the "FILE" signature that identifies a valid record, the sequence number that tracks how many times the record has been reused, the hard link count, the flags that indicate whether the record is in use and whether it represents a directory, and the offset to the first attribute. The attributes contain the file's actual metadata and, for small files, the file content itself.

The relationship between MFT records and files is not always one-to-one. A file with many attributes or a very long filename may require multiple MFT records — a base record and one or more extension records linked by the base record reference. Hard links create multiple $FILE_NAME attributes in the same MFT record (one per link) or reference the same MFT record from multiple directory indexes. Understanding these relationships matters when you encounter an MFT record with an unexpected number of attributes or when a file appears to have contradictory metadata.

Expand for Deeper Context

The MFT grows dynamically as files are created. NTFS reserves a portion of the volume for MFT growth (the MFT Zone, typically 12.5% of the volume by default). When the MFT needs additional space, it allocates clusters from the MFT Zone. If the MFT Zone is exhausted, NTFS allocates from the general free space, which can cause MFT fragmentation. A fragmented MFT is not a forensic concern — tools read it regardless of fragmentation — but it can slow forensic processing of very large volumes.

The MFT does not shrink. Once an MFT record is allocated, it remains allocated even after the file it represented is deleted. Deleted files have their MFT records marked as "not in use" (the in-use flag is cleared), but the record itself — including all attributes, timestamps, and potentially resident file content — remains intact until the record is reallocated to a new file. This is why MFT analysis can recover metadata for deleted files: the record exists, it is marked as free, but its contents have not been zeroed.

On a 256GB SSD with typical enterprise usage, the MFT might contain 2-4 million records. A 1TB drive might have 5-10 million records. Processing this volume of records is why tools like MFTECmd exist — manual hex analysis of millions of records is impractical. But understanding what the tool is parsing across those millions of records — the attribute structure, the timestamp locations, the data run encoding — is what allows you to verify the critical records that support your findings.

Attributes: where forensic evidence lives

Every piece of metadata in an MFT record is stored in an attribute. NTFS defines approximately 17 attribute types, but five are forensically significant.

$STANDARD_INFORMATION (type 0x10) is present in every MFT record. It contains four timestamps (created, modified, MFT entry modified, accessed), file permissions flags, the owner's security ID, and the update sequence number. This is the attribute that MFTECmd's primary timestamp columns come from. Critically for forensic analysis, $SI timestamps can be modified by any process running with write access to the file — including timestomping tools. A user-mode application can call SetFileTime() via the Windows API to set the $SI creation, modification, and access timestamps to any value. The MFT entry modification timestamp updates automatically when the record changes, but some timestomping tools account for this.

$FILE_NAME (type 0x30) contains the filename, the parent directory reference (which MFT record represents the parent directory), the file's size, and — crucially — its own set of four timestamps. The $FN timestamps are set by the NTFS driver when the file is created, and they are updated only in specific circumstances: the $FN creation timestamp is set once at file creation and never changes. The $FN modification timestamp updates when the file's $DATA attribute size changes (not when content changes without size change). The $FN access timestamp is rarely updated due to Windows' default behavior of disabling last access time updates (NtfsDisableLastAccessUpdate). The key forensic principle: $FN timestamps cannot be modified by user-mode applications. The SetFileTime() API modifies $SI timestamps but not $FN timestamps. This makes $FN timestamps the forensically reliable reference point for detecting timestomping.

$DATA (type 0x80) stores the file's content. If the content fits within the MFT record (approximately 700 bytes or less after other attributes are accounted for), it is stored "resident" — the bytes are physically within the MFT record itself. This is forensically significant because resident file content is captured by any tool that extracts the MFT, even if the file has been deleted. A small batch script, a configuration file, a text note — if the content was small enough to be resident and the MFT record hasn't been reallocated, the file content is recoverable from the MFT alone, without examining disk clusters.

If the content exceeds the resident threshold, it is stored "non-resident" — the $DATA attribute contains a data run list that maps logical file offsets to physical disk clusters. Each data run specifies a starting cluster and a length. Multiple data runs indicate file fragmentation. When a non-resident file is deleted, its MFT record is marked as free and its clusters are marked as available in the $Bitmap, but the data in those clusters persists until overwritten. This is the basis for deleted file recovery — and why SSDs with TRIM complicate recovery (TRIM instructs the SSD controller to erase the underlying flash cells for deallocated clusters).

Expand for Deeper Context

Alternate Data Streams (ADS) are additional $DATA attributes with a name. A file can have its default (unnamed) $DATA attribute containing the file's visible content, plus one or more named $DATA attributes containing additional data that is invisible to standard file browsing. The classic forensic example is malware stored in an ADS: legitimate.txt:malware.exe stores malware in a named stream attached to a legitimate text file. The text file's properties, size, and content appear normal. The ADS is only visible through specific tools or commands (dir /r, streams.exe, or PowerShell's Get-Item -Stream *).

ADS have legitimate uses — the Zone.Identifier stream marks files downloaded from the internet, macOS resource forks are stored as ADS when copied to NTFS, and some backup tools use ADS for metadata storage. The forensic concern is that ADS can hide data in plain sight — the file appears benign, but carries hidden content. MFTECmd reports alternate data streams when parsing the MFT, which is one of the reasons MFT analysis catches evidence that simple directory listing misses.

$INDEX_ROOT (type 0x90) and $INDEX_ALLOCATION (type 0xA0) are present in directory MFT records. They implement a B-tree index of the directory's contents — each entry in the index contains the filename, the MFT reference number for the file, and the file's $FILE_NAME timestamps (duplicated from the file's own MFT record for performance). The forensic significance is in the index slack: when a file is deleted from a directory, its index entry is removed from the active B-tree, but the entry often persists in the index's allocated but unused space. This $I30 slack contains the filenames and timestamps of deleted files — evidence that persists independently of the deleted file's MFT record.

Cluster allocation and data recovery

NTFS divides the volume into clusters — fixed-size allocation units typically 4096 bytes (4KB) on modern systems. The $Bitmap file tracks which clusters are in use and which are free. When a file is created, NTFS allocates clusters from the free pool and records the allocation in the file's $DATA attribute as data runs. When a file is deleted, the clusters are marked as free in $Bitmap, but the data in those clusters is not zeroed or overwritten — it persists until another file is allocated those same clusters.

This is the fundamental principle of deleted file recovery on traditional hard drives: the file's data persists in its original clusters until those clusters are reused. The MFT record tells you which clusters the file occupied (if the record hasn't been reallocated), and you can read those clusters directly to recover the content. If the MFT record has been reallocated, file carving techniques can scan unallocated clusters for known file signatures (headers, magic bytes) to recover content without metadata.

SSDs fundamentally change this equation. The TRIM command, enabled by default on Windows since version 7, instructs the SSD controller to erase the flash cells underlying deallocated clusters. After TRIM, the cluster's content is gone — not merely marked as free, but physically erased at the flash level. TRIM execution is asynchronous (the OS sends the TRIM command, the SSD controller executes it at its discretion), so there is a window between deletion and TRIM execution where data may still be recoverable. This window varies from milliseconds to hours depending on the SSD controller and system load. For forensic purposes: on SSDs, treat deleted file content recovery as unreliable. MFT metadata recovery (timestamps, filenames, sizes) is unaffected by TRIM because the MFT is a live file — TRIM only affects deallocated clusters, and the MFT record for a deleted file is in an allocated MFT cluster.

Decision point

During MFT analysis, you find a file with a $DATA attribute marked as resident (file content stored within the MFT record itself, indicating a file smaller than ~700 bytes). The file is C:\ProgramData\Updates\config.dat — a configuration file for one of the attacker's tools. The file was deleted by the attacker, but because the content was resident in the MFT record, the data may still be recoverable even though the file is gone from the filesystem.

Your options: (A) Extract the resident data from the MFT record — even though the file is deleted, the MFT entry may not have been reallocated yet, and the resident data could reveal the attacker's configuration (C2 server addresses, target file paths, encryption keys). (B) Skip the resident data — deleted files are unreliable and the MFT entry may have been partially overwritten.

The correct approach is A. Resident data in unallocated MFT entries is one of the most reliable forms of deleted file recovery — the data is in the MFT record itself, not in clusters that may have been overwritten. If the MFT entry hasn't been reallocated, the resident content is intact. Extract and document it with the caveat that the entry is marked as deleted.

# List files in a directory with their sizes
Get-ChildItem C:\Windows\Temp -File | Where-Object { $_.Length -lt 700 } | 
    Select-Object Name, Length | Sort-Object Length | Format-Table -AutoSize

Try It — Identify Resident vs Non-Resident Files

Open a PowerShell prompt and run the following to find resident files on your system:

Files under approximately 700 bytes are candidates for resident storage in the MFT (the exact threshold depends on how many attributes the MFT record already contains). To confirm residency, you would need to examine the MFT record's $DATA attribute and check the non-resident flag.

Forensic implication: If you extract the $MFT and parse it with MFTECmd, look for the "Resident" column in the output. Files marked as resident have their complete content stored within the MFT record. If those files were deleted and the MFT record hasn't been reallocated, the file content is recoverable from the MFT extraction alone — you don't need the original disk clusters. This is particularly valuable for small forensic artifacts: batch scripts (.bat, .cmd), configuration files (.ini, .conf), small text files (.txt), and registry export fragments (.reg) that attackers may create and delete during an operation.

How MFT records relate to the change journal

The MFT stores the current state of every file. The USN Journal ($UsnJrnl) stores the history of changes to every file. Together, they provide both the "what exists now" and "what happened over time" perspectives that a forensic examination requires.

When a file operation occurs — creation, modification, rename, deletion, security change — NTFS writes two records: it updates the MFT record to reflect the current state, and it appends a USN Journal entry recording the change. The USN entry includes a timestamp, the file's MFT reference number (linking the journal entry to the MFT record), the parent directory's MFT reference number, the reason code (what type of change occurred), and the filename.

This dual recording creates a correlation opportunity that is central to forensic analysis. The MFT tells you the file's current timestamps. The USN Journal tells you when specific changes occurred. If the MFT timestamps have been manipulated (timestomping), the USN Journal entries — which record the actual time each operation occurred — provide independent evidence of the real timeline. If the MFT record has been reallocated (the deleted file's metadata is lost), USN Journal entries may still reference the original file by MFT reference number, providing evidence of operations on a file whose MFT record no longer describes it.

The $LogFile provides a third layer of correlation. It records NTFS transactions at the filesystem driver level — the raw redo/undo operations that implement file creation, modification, and deletion. The $LogFile wraps quickly (typically hours of retention), but during that window, it provides the most granular view of filesystem operations available. When the USN Journal has been cleared by an attacker, the $LogFile may retain evidence of file operations that occurred within its retention window.

Compliance Myth: "NTFS timestamps are reliable evidence of when events occurred"

The myth: File creation and modification timestamps in the MFT accurately record when files were created and modified. These timestamps are maintained by the operating system and cannot be manipulated by users.

The reality: The $STANDARD_INFORMATION timestamps — the ones that Windows Explorer displays and that most tools report as the file's timestamps — are modifiable by any process with write access to the file. The Windows API function SetFileTime() allows any application to set the creation, modification, and access timestamps to arbitrary values. Timestomping tools (SetMACE, PowerShell's (Get-Item file).CreationTime = "01/01/2020", even standard Windows Explorer "Properties" dialog) can change these timestamps without leaving an obvious trace in the MFT record itself. Only the $FILE_NAME attribute timestamps — which are set by the NTFS driver and not accessible through the SetFileTime() API — provide a reliable baseline. And even $FN timestamps have caveats: the $FN modification timestamp updates when the file size changes, and the $FN access timestamp behavior depends on the NtfsDisableLastAccessUpdate registry setting. The forensically sound approach is to treat all timestamps as claims to be verified, not as facts to be accepted.

The NTFS metadata files

NTFS reserves the first 24-27 MFT records for metadata files — special files that implement the filesystem itself. Forensic examiners encounter these regularly because they are the source of key artifacts:

Record 0 ($MFT) is the MFT itself — the file you extract to analyze all other file metadata. Record 2 ($LogFile) is the transaction log. Record 6 ($Bitmap) tracks cluster allocation. Record 8 ($BadClus) tracks bad clusters (sometimes abused by attackers to hide data in clusters marked as "bad"). Record 9 ($Secure) stores security descriptors. Record 11 ($Extend) is the directory containing extended metadata files, including the USN Journal ($UsnJrnl, which is actually $Extend\$UsnJrnl).

You don't need to memorize these record numbers — MFTECmd identifies them correctly. But understanding that these metadata files are stored as MFT records in the same MFT that stores user files helps you understand why the MFT is self-contained: extracting the $MFT file gives you access to every file's metadata, including the metadata that describes the MFT itself.

Troubleshooting

"I understand databases and file systems generally — why do I need to learn NTFS internals specifically?" Because the forensic artifacts you analyze are NTFS data structures. When MFTECmd reports a "sequence number" of 47, that has specific forensic meaning — the MFT record has been reused 47 times, which means 46 previous files occupied that record before the current one. When it reports "non-resident" data with a specific data run, that tells you exactly which disk clusters to examine for file content recovery. Without NTFS knowledge, these are opaque values. With it, they are forensic evidence.

"Modern forensic tools abstract all of this away." They abstract the parsing away — which is their purpose. They do not abstract the interpretation away. The tool gives you values. You must determine what those values mean for your investigation, whether they are reliable for this specific evidence, and whether they could have been manipulated. That determination requires understanding the NTFS structures that produced those values.

"Does any of this apply to ReFS?" ReFS (Resilient File System) is used on some Windows Server volumes, particularly Storage Spaces Direct. ReFS has a fundamentally different architecture — no MFT, different metadata structures, different timestamp handling. Forensic tool support for ReFS is limited compared to NTFS. This course focuses exclusively on NTFS because it is the filesystem on virtually every Windows workstation, every Windows laptop, every Windows Server boot volume, and every Windows forensic image you will encounter in practice. ReFS forensics is a specialized topic that may be covered in future courses.

Operational Artifact — NTFS Quick Reference for Forensic Examiners

MFT record size: 1024 bytes (standard). Cluster size: 4096 bytes (typical). Key attribute types: 0x10 $STANDARD_INFORMATION (timestamps, permissions — user-modifiable), 0x30 $FILE_NAME (filename, parent ref, timestamps — NTFS-driver only), 0x80 $DATA (file content — resident if <~700 bytes, non-resident with data runs if larger), 0x90/$A0 $INDEX_ROOT/$INDEX_ALLOCATION (directory B-tree — slack contains deleted entries). Key metadata files: Record 0 = $MFT, Record 2 = $LogFile, Record 6 = $Bitmap, $Extend\$UsnJrnl = change journal. Timestamp reliability hierarchy: $FILE_NAME Created > $FILE_NAME Modified > $STANDARD_INFORMATION timestamps (all four are user-modifiable). Data recovery on HDD: Possible until clusters are reallocated. Data recovery on SSD: Unreliable after TRIM executes. MFT metadata recovery: Possible regardless of drive type until MFT record is reallocated.

A forensic examiner extracts the $MFT from a suspect's Windows 11 workstation (256GB NVMe SSD). MFTECmd reports an MFT record for a file named "exfil_staging.7z" with the following properties: In Use = FALSE, Sequence Number = 3, $SI Created = 2026-01-15 09:00:00, $FN Created = 2026-03-28 14:22:18, $DATA = Non-Resident (3 data runs, total 847MB). The examiner wants to recover the file's content. What is the correct assessment?

The file content is fully recoverable because the MFT record still contains the data run information pointing to the original clusters. The examiner should follow the data runs and read the cluster content — the file will be intact because MFT records for deleted files preserve all original data.

The file content is likely unrecoverable or partially recoverable. Although the MFT record preserves the data run information (which clusters the file occupied), the system is an NVMe SSD with TRIM enabled by default. TRIM has almost certainly erased the flash cells for the deallocated clusters since the file was deleted. The MFT metadata (filename, timestamps, size, data run locations) is intact because the MFT record hasn't been reallocated (In Use = FALSE, Sequence Number = 3 means only 2 reuses). The $SI/$FN timestamp discrepancy also indicates timestomping — the $SI Created date was backdated to January while the $FN Created shows the actual creation in March.

The Sequence Number of 3 means this MFT record has been reused 3 times, so the current metadata is unreliable — it may be partially overwritten by a subsequent file's attributes. The examiner should look for the original record in Volume Shadow Copies instead.

The file is resident (stored within the MFT record) because the MFT record is 1024 bytes and can store small files. Since the record is intact, the file content is recoverable from the MFT extraction without needing to read disk clusters.

You've built the foundations of artifact-level forensic analysis.

WF0 gave you the taxonomy, NTFS architecture, and the five-step methodology. WF1 took you inside the MFT at the binary level — every attribute, every timestamp, every edge case. From here, every artifact category gets the same raw-first treatment.

WF2–WF10: every major Windows artifact decoded at binary level — USN Journal, Prefetch, Amcache, Shimcache, ShellBags, LNK, Jump Lists, SRUM, Event Logs, and the Registry hives
INC-NE-2026-0915 (WF13) — Insider data exfiltration capstone. Work the complete investigation from USB history to OneDrive exfiltration evidence
INC-NE-2026-1022 (WF14) — Ransomware capstone. Three-host triage (FIN01 → IT03 → FS01) across the 72-hour attack chain
The lab pack — 25+ realistic evidence files in 10 formats, simulated KAPE triage pre-populated, both capstones deployable to your own VM
Anti-forensic detection methodology — defeat timestomping, log clearing, and Prefetch deletion with cross-artifact correlation

Unlock with Specialist — £25/mo See Full Syllabus

Cancel anytime

← Previous Next →