In this module
The Master File Table — Deep Analysis
The Master File Table is the single most important forensic artifact in Windows. Every file and directory on an NTFS volume has at least one MFT record — a 1,024-byte structure that contains the file's name, timestamps, size, security descriptor, data content (for small files), and pointers to the clusters where data is stored (for large files). When a file is deleted, the MFT record is not destroyed — it is marked as available for reuse but the metadata persists until the record is reallocated. When a file is renamed, moved, or copied, the MFT record's attributes update in specific patterns that a forensic examiner can reconstruct.
This module takes you inside the MFT record at the binary level. You will read raw hex, understand every byte offset, parse attribute headers, interpret timestamps with nanosecond precision, and correlate MFT data with other artifact sources. By the end, you will be able to open an MFT record in a hex editor and extract more information from it than most practitioners get from their parser output — including information the parser doesn't report.
The module covers MFT record structure (header, fixup array, attribute chain), all forensically relevant attributes ($STANDARD_INFORMATION, $FILE_NAME, $DATA, $INDEX_ROOT, $INDEX_ALLOCATION), MFT entry allocation and sequence numbers, extraction and parsing with KAPE and MFTECmd, timeline construction, timestomping detection through $SI/$FN comparison, deleted file recovery from orphan MFT entries, and advanced edge cases including compressed files, encrypted files, alternate data streams, hard links, and ReFS differences.
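As an added worked example (not part of the module's materials), the following Python walks a 1,024-byte MFT record the way the text describes: verify the header, undo the fixup array, follow the attribute chain, decode the $STANDARD_INFORMATION and $FILE_NAME timestamps at 100-nanosecond precision, and apply the $SI/$FN comparison used for timestomping detection. The offsets, attribute type codes and the 1601 FILETIME epoch are the standard NTFS on-disk values; the two records, their file names and their times are constructed in-line for the example, and the two "findings" rules are common heuristics rather than the module's own method.

```python
# Added example, not module code. Minimal MFT record parser over constructed sample records.
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE = 1024
SECTOR_SIZE = 512
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_END = 0xFFFFFFFF
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_str(ft):
    """FILETIME is 100-ns ticks since 1601-01-01 UTC; keep the full 7-digit fraction."""
    dt = EPOCH_1601 + timedelta(microseconds=ft // 10)
    return dt.strftime("%Y-%m-%d %H:%M:%S.") + f"{ft % 10_000_000:07d}"


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def apply_fixups(raw):
    """Undo the update sequence array: NTFS stamps the USN over the last 2 bytes of each
    512-byte sector and keeps the real bytes in the array pointed to by header offset 0x04."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE - 2
        if rec[end:end + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn or corrupt record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_header(rec):
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record (BAAD or unallocated slot)")
    seq, links, first_attr, flags, used, alloc = struct.unpack_from("<HHHHII", rec, 0x10)
    return {"record_number": struct.unpack_from("<I", rec, 0x2C)[0], "sequence": seq,
            "hard_links": links, "first_attr": first_attr, "in_use": bool(flags & 1),
            "is_directory": bool(flags & 2), "used_size": used, "allocated_size": alloc}


def iter_attributes(rec, first_attr):
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        content = None  # non-resident content lives in clusters (runlist), not parsed here
        if rec[off + 8] == 0:  # resident: content length at +0x10, content offset at +0x14
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
        yield atype, content
        off += alen


def parse_standard_information(c):
    created, modified, mft_modified, accessed = struct.unpack_from("<QQQQ", c, 0)
    return {"created": created, "modified": modified, "mft_modified": mft_modified, "accessed": accessed}


def parse_file_name(c):
    created, modified, mft_modified, accessed = struct.unpack_from("<QQQQ", c, 8)  # after parent ref
    name = c[0x42:0x42 + 2 * c[0x40]].decode("utf-16-le")
    return {"created": created, "modified": modified, "mft_modified": mft_modified,
            "accessed": accessed, "name": name, "namespace": c[0x41]}


def analyze_record(raw):
    rec = apply_fixups(raw)
    hdr = parse_header(rec)
    si = fn = None
    for atype, content in iter_attributes(rec, hdr["first_attr"]):
        if atype == ATTR_STANDARD_INFORMATION and content is not None:
            si = parse_standard_information(content)
        elif atype == ATTR_FILE_NAME and content is not None and fn is None:
            fn = parse_file_name(content)
    findings = []
    if not hdr["in_use"]:
        findings.append("record not in use: deleted file, metadata recoverable until the slot is reused")
    if si and fn:  # heuristics: $FN is only written by the kernel, $SI is what user-mode tools can set
        if si["created"] < fn["created"]:
            findings.append("$SI created precedes $FN created: timestomping indicator")
        if all(t % 10_000_000 == 0 for t in si.values()):
            findings.append("every $SI timestamp has a zero sub-second part: timestomping indicator")
    return {"header": hdr, "si": si, "fn": fn, "findings": findings}


def build_record(record_no, seq, in_use, name, si_times, fn_times, usn=0xABCD):
    """Constructed sample record (not real evidence) laid out as a parser expects it."""
    def attr(atype, content):  # resident attribute with a 0x18-byte header, 8-byte aligned
        total = (0x18 + len(content) + 7) & ~7
        hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0, 0, 0, len(content), 0x18, 0, 0)
        return hdr + content + b"\0" * (total - 0x18 - len(content))
    si = struct.pack("<QQQQ", *si_times) + b"\0" * 16
    fn = struct.pack("<QQQQQQQIIBB", 5 | (5 << 48), *fn_times, 0, 0, 0, 0, len(name), 1)
    fn += name.encode("utf-16-le")
    attrs = attr(ATTR_STANDARD_INFORMATION, si) + attr(ATTR_FILE_NAME, fn) + struct.pack("<II", ATTR_END, 0)
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, seq, 1, 0x38, 1 if in_use else 0,
                                0x38 + len(attrs), RECORD_SIZE, 0, 3, 0, record_no)
    rec = bytearray(hdr + struct.pack("<HHH", usn, 0, 0) + b"\0\0" + attrs)
    rec += b"\0" * (RECORD_SIZE - len(rec))
    for i in (1, 2):  # stash each sector's real tail word, then stamp the USN over it
        end = i * SECTOR_SIZE - 2
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[end:end + 2]
        rec[end:end + 2] = struct.pack("<H", usn)
    return bytes(rec)


# Constructed sample data: one untouched record and one deleted, back-dated record.
TRUE_CREATED = datetime_to_filetime(datetime(2026, 9, 12, 14, 3, 27, 123456, tzinfo=timezone.utc)) + 7
BACKDATED = datetime_to_filetime(datetime(2024, 1, 15, 9, 0, 0, tzinfo=timezone.utc))
CLEAN = build_record(4710, 1, True, "design_notes.txt", (TRUE_CREATED,) * 4, (TRUE_CREATED,) * 4)
TAMPERED = build_record(4711, 3, False, "q3_report.xlsx", (BACKDATED,) * 4, (TRUE_CREATED,) * 4)

if __name__ == "__main__":
    for raw in (CLEAN, TAMPERED):
        r = analyze_record(raw)
        h = r["header"]
        print(f"MFT #{h['record_number']} seq={h['sequence']} in_use={h['in_use']} name={r['fn']['name']}")
        print("  $SI created", filetime_to_str(r["si"]["created"]),
              "| $FN created", filetime_to_str(r["fn"]["created"]))
        for f in r["findings"]:
            print("  !", f)
```

Both rules are indicators, not proof: a file copied or moved legitimately can carry $SI times older than its $FN times, and some applications write whole-second timestamps. The module's cross-artifact correlation (USN Journal, Prefetch, event logs) is what turns an indicator into a finding.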
Every concept is applied to the three Northgate Engineering investigation scenarios: INC-NE-2026-0915 (insider exfiltration — MFT evidence of file copying patterns), INC-NE-2026-1022 (ransomware — MFT evidence of mass file modification and executable creation), and INC-NE-2026-1130 (access dispute — MFT evidence of file access without modification).
You've built the foundations of artifact-level forensic analysis.
WF0 gave you the taxonomy, NTFS architecture, and the five-step methodology. WF1 took you inside the MFT at the binary level — every attribute, every timestamp, every edge case. From here, every artifact category gets the same raw-first treatment.
- WF2–WF10: every major Windows artifact decoded at binary level — USN Journal, Prefetch, Amcache, Shimcache, ShellBags, LNK, Jump Lists, SRUM, Event Logs, and the Registry hives
- INC-NE-2026-0915 (WF13) — Insider data exfiltration capstone. Work the complete investigation from USB history to OneDrive exfiltration evidence
- INC-NE-2026-1022 (WF14) — Ransomware capstone. Three-host triage (FIN01 → IT03 → FS01) across the 72-hour attack chain
- The lab pack — 25+ realistic evidence files in 10 formats, simulated KAPE triage pre-populated, both capstones deployable to your own VM
- Anti-forensic detection methodology — defeat timestomping, log clearing, and Prefetch deletion with cross-artifact correlation