Sign In
In this module

MFT Timeline Construction

14 hours · Module 1 · Free
Operational Objective
A parsed MFT gives you metadata for every file on the volume — but metadata alone does not tell the story of what happened. An investigation requires a timeline: a chronological sequence of events that reconstructs the attacker's actions, the insider's behavior, or the sequence of file operations that proves or disproves a claim. Building a forensic timeline from MFT data requires understanding which timestamps correspond to which events, how to distinguish file creation from file copy from file move from file rename, how to handle the eight different timestamps per file (four $SI, four $FN), and how to use the 100-nanosecond precision of FILETIME to resolve events that occurred within the same second. This subsection teaches MFT-based timeline construction — the specific timestamp patterns that identify each type of file operation, the methodology for building a chronological narrative from hundreds of thousands of timestamp entries, and the filtering and correlation techniques that separate signal from noise.
Deliverable: Ability to construct a forensic filesystem timeline from MFT data, identify file operation types (creation, modification, copy, move, rename, deletion) from their characteristic timestamp patterns, use nanosecond precision to sequence events within the same second, and produce a timeline that supports investigative conclusions with documented evidence for each event.
Estimated completion: 40 minutes
FILE OPERATION TIMESTAMP PATTERNS IN THE MFT NEW FILE CREATION $SI: C=M=E=A (all four identical, set to creation time) $FN: C=M=E=A (all four identical, matching $SI) All 8 timestamps match — file has never been modified after creation FILE MODIFICATION (data write) $SI: C=original, M=E=edit time, A=varies $FN: C=original, M may update, E may update, A=varies $SI M > $SI C confirms data was written after creation FILE COPY (same volume) $SI: C=copy time, M=original M, E=copy time, A=copy time $FN: C=copy time, M=copy time, E=copy time, A=copy time Key: $SI M is OLDER than $SI C — Modified predates Created (copy indicator) FILE MOVE (same volume) $SI: unchanged (same MFT entry, same timestamps) $FN: parent reference updated, $FN timestamps may update No new MFT entry — move is a metadata-only operation FILE RENAME $SI: E updated to rename time, C and M unchanged $FN: new $FN attribute with new name, old $FN removed $SI E > $SI M without data change = metadata-only update (rename) FILE COPY (cross-volume) $SI: C=copy time, M=original M (preserved), E=copy time $FN: all four = copy time (new MFT entry on target volume) Same pattern as same-volume copy from destination perspective THE COPY INDICATOR: $SI MODIFIED EARLIER THAN $SI CREATED When $SI Modified < $SI Created, the file was copied — the Modified timestamp was inherited from the source file (preserving the original edit date) while the Created timestamp reflects the copy operation. This pattern does not occur naturally on files created in place.

Figure WF1.8 — Timestamp patterns for each file operation type. The copy indicator ($SI Modified earlier than $SI Created) is the most forensically significant pattern — it proves a file was copied from another location, which is central to data exfiltration and malware staging investigations.

The copy indicator — $SI Modified before $SI Created

The single most useful timestamp pattern in MFT forensics is the copy indicator: when a file's $SI Modified timestamp is earlier than its $SI Created timestamp. Under normal file creation, all four $SI timestamps are set to the current time — Created and Modified are identical. When a file is subsequently edited, Modified updates to the edit time (later than Created). Modified is always equal to or later than Created for files created in place.

When a file is copied, Windows creates a new MFT entry on the destination with a new $SI Created timestamp (the time of the copy operation). But Windows preserves the source file's $SI Modified timestamp on the destination — so the user sees the "original" last-modified date in Explorer, not the copy date. This creates a temporal inversion: $SI Modified is earlier than $SI Created, which cannot happen naturally.

In the insider threat scenario (INC-NE-2026-0915), the departing engineer copied files from a network share to a local staging directory before transferring to USB. Every copied file has the copy indicator: $SI Modified reflects when the file was last edited on the network share (potentially months or years ago), and $SI Created reflects when the copy was made (during the investigation window). By filtering MFTECmd output for records where Created0x10 > LastModified0x10, the examiner identifies every file that was copied to the workstation — the complete list of exfiltration candidates.

The copy indicator has limits. If the source file was created and never modified (Modified = Created on the source), the copy does not produce a temporal inversion on the destination — both Created and Modified on the destination are the copy time, identical to a newly created file. Also, some applications modify the Created timestamp after copy (certain backup tools, file managers), which can mask the copy indicator. But for the majority of document and data files, the copy indicator is reliable and forensically powerful.

Building the timeline

An MFT-based filesystem timeline is constructed by extracting timestamp events from MFTECmd output and ordering them chronologically. Each MFT entry produces up to eight timestamp events (four $SI, four $FN), and each event represents a specific type of activity on the file.

The practical approach is not to timeline all eight timestamps for all files — that would produce millions of events on a typical volume. Instead, focus on the timestamps that answer the investigation question:

For data exfiltration investigations: Focus on $SI Created timestamps for files in the suspect's directories, USB mount points, and cloud sync folders. The $SI Created timestamp on the destination shows when each file was copied. Filter for the investigation time window and sort chronologically to reconstruct the copying sequence.

For malware deployment investigations: Focus on $SI Created timestamps for executables, scripts, and DLLs in temporary directories, ProgramData, and non-standard locations. Cross-reference with $FN Created to detect timestomping. The $FN Created timestamps provide the real deployment timeline.

For file modification investigations: Focus on $SI Modified timestamps to identify when files were last edited. Correlate with Prefetch data (which application was running at that time) and logon events (which user was logged in).

For deletion investigations: Use the MFTECmd output filtered for InUse = False (deleted entries). The $SI Entry Modified timestamp on a deleted record often reflects the deletion time (because the deletion operation updates the MFT record's metadata). Correlate with USN Journal entries (WF2) for exact deletion timestamps.

Compliance Myth: "Windows timestamps are unreliable because the user can change the system clock"
Clock manipulation is theoretically possible but forensically detectable. If a user changes the system clock before performing file operations, the timestamps reflect the wrong time. However, clock changes are logged in the Windows Event Log (Event ID 4616 in Security log — system time change). Clock changes also create temporal anomalies across all artifacts: files created during the clock-altered period have timestamps inconsistent with Event Log entries, Prefetch timestamps, USN Journal entries, and authentication logs. Additionally, domain-joined computers synchronize with domain controllers via NTP, and off-domain machines sync with time.windows.com — clock drift beyond a few minutes is corrected automatically. An examiner who correlates MFT timestamps against multiple independent time sources (Event Logs, Prefetch, USN Journal, authentication events) can detect clock manipulation and determine the real time of events. Single-artifact analysis is vulnerable to clock manipulation. Multi-artifact correlation is resilient.

Nanosecond precision for event sequencing

FILETIME's 100-nanosecond resolution becomes forensically important when multiple events occur within the same second. A file copy operation that processes 50 files might complete in 3 seconds — the Created timestamps on the destination files span a 3-second window, and the nanosecond precision allows the examiner to determine the exact copy order.

In MFTECmd output, timestamps are displayed with seven decimal places: 2026-03-18T02:14:33.1234567. Each digit represents 100-nanosecond precision. Two files with Created timestamps of .1234567 and .1234890 were created 32.3 microseconds apart — the first file was created before the second.

This precision is useful for reconstructing rapid automated operations. A ransomware encrypting files produces a sequence of $SI Modified timestamps (one per encrypted file) that shows the encryption progression — which directory was encrypted first, which was encrypted last, and the encryption speed (files per second). An automated exfiltration tool copying files produces a sequence of $SI Created timestamps on the destination that shows the copy order and speed.

The precision also matters for timestomping detection. As discussed in WF1.2, timestomping tools that set timestamps via SetFileTime() typically produce zero fractional seconds or round to milliseconds. A file with Created0x10 ending in .0000000 surrounded by files with full nanosecond precision is a candidate for timestamp manipulation.

Decision point

You are building a timeline for the ransomware scenario (INC-NE-2026-1022). You find 2,847 files with $SI Modified timestamps within a 4-minute window (02:14:00 to 02:18:00 on March 18, 2026). The files are spread across 12 directories. The $SI Modified timestamps have full nanosecond precision and increase monotonically — each file's Modified timestamp is slightly later than the previous one, with consistent intervals of approximately 85 milliseconds between files.

Your options: (A) These are the encrypted files — the ransomware modified each file's data (replacing it with encrypted content), and the Modified timestamps record the encryption time for each file. The 85ms interval indicates the encryption speed. Build the timeline showing encryption progression across the 12 directories. (B) These could be legitimate batch operations (a backup, a migration, a software deployment). Verify by examining the file content and the file extensions — encrypted files typically have modified extensions (.encrypted, .locked, .CHAIN-MESH) or encrypted content (high-entropy data).

The correct approach is A with verification from B. The monotonically increasing timestamps with consistent intervals are characteristic of automated file processing — no human operates this consistently. But automated operations include legitimate processes. Verify by checking file extensions (ransomware often renames), file content entropy (encrypted data has near-maximum entropy), and correlate with Event Log entries (ransomware often creates services or scheduled tasks) and Prefetch entries (the ransomware executable) in the same time window. The MFT timeline identifies the WHEN. Other artifacts confirm the WHAT.

Bodyfile output for super timelines

MFTECmd can produce bodyfile format output — a pipe-delimited text format compatible with the Sleuth Kit's mactime tool and with Plaso for super timeline creation. The bodyfile format outputs one line per timestamp event, with fields for: MD5 (blank for MFT-only output), filename, inode (MFT entry number), mode, UID, GID, size, accessed time, modified time, changed time (entry modified), and created time.

The command to generate bodyfile output:

MFTECmd.exe -f "$MFT" --body "D:\Analysis" --bodyf "mft_body.txt" --bdl C:

The --bdl C: flag sets the drive letter prefix so that paths in the bodyfile show C:\Users\... instead of \Users\.... The bodyfile can then be processed with mactime to produce a sorted timeline, or ingested into Plaso alongside other artifact sources for a comprehensive super timeline (covered in WF9).

For MFT-only analysis (before incorporating other artifact sources), the bodyfile-to-mactime workflow produces a chronological listing of all file creation, modification, access, and metadata change events across the entire volume — a complete filesystem activity history. This is the starting point for identifying time windows of interest, after which you focus on specific files and directories for detailed analysis.

Try it: Build a focused MFT timeline

Using your MFTECmd output from the WF1.7 exercise, build a timeline for a specific directory and time window.

1. In Timeline Explorer, filter the MFTECmd output to a specific directory of interest (use the ParentPath column). Choose the user's Desktop, Downloads, or a project folder. 2. Sort by Created0x10 (ascending) to see files in creation order. 3. Identify any files where LastModified0x10 is earlier than Created0x10 (the copy indicator). These files were copied from another location. Note the copy timestamps and the original modification dates. 4. Identify any clusters of file creation activity — files created within minutes of each other, which may indicate a batch operation (copy, extraction, download). 5. Check for files with zero fractional seconds on Created0x10 but non-zero on Created0x30. These are timestomping candidates. 6. Produce a brief timeline narrative: "Between [time] and [time], [N] files were [created/copied/modified] in [directory]. The timestamp patterns indicate [operation type]. Files of interest include [list]."

This exercise builds the skill of converting raw MFTECmd data into an investigative narrative — the form your findings will take in a forensic report.

Timeline limitations and corroboration

An MFT-only timeline has inherent limitations. The MFT records file creation, modification, and metadata changes — but it does not record which user performed the operation, which application was used, or what the intent was. The MFT does not record file reads that don't update the Accessed timestamp (which is most reads on Windows 10/11 with disabled last access updates). The MFT does not record failed operations (a user who tried to copy a file but was denied by permissions).

These gaps are filled by other artifact sources: USN Journal (WF2) provides a more complete record of file operations including renames and deletions with timestamps independent of the MFT. Prefetch (WF3) shows which applications were running during the timeline window. ShellBags and LNK files (WF4) show user interaction with files and folders. Event Logs (WF6) show authentication, process creation, and system events. The MFT timeline is the skeleton — other artifacts add the flesh.

For the MFT-only timeline to be forensically defensible, document its limitations explicitly in your report. State what the MFT timeline shows (file creation, modification, copy, deletion events) and what it does not show (user attribution, application used, read-only access). When your conclusions require information beyond what the MFT provides, cite the corroborating artifact source explicitly. "The MFT shows the file was created at 02:14:33. The Prefetch data shows the ransomware executable ran at 02:14:30. The Event Log shows the service was created at 02:14:28. These three independent sources corroborate that the ransomware deployment sequence began at approximately 02:14:28."

You are analyzing MFT data for a suspected insider threat. You find 23 files in a directory called "USB_Staging" with the following pattern: all 23 files have $SI Created timestamps within a 45-second window on March 5, 2026, and all 23 have $SI Modified timestamps ranging from January through February 2026 (before the Created timestamps). What does this pattern indicate?
The files were created in January–February and moved to the USB_Staging directory on March 5, which updated the Created timestamps but preserved Modified. This is consistent with a legitimate file reorganization.
All 23 files were copied to the USB_Staging directory within a 45-second window on March 5, 2026. The $SI Modified timestamps (January–February) are inherited from the source files — these are the dates the files were last edited at their original locations. The $SI Created timestamps (all within 45 seconds on March 5) reflect when the copies were made. The copy indicator ($SI Modified before $SI Created) is present on all 23 files. The 45-second window and the directory name "USB_Staging" suggest deliberate bulk copying for exfiltration preparation. Correlate with USB device connection events and USN Journal entries to confirm the exfiltration.
The timestamps are inconsistent because the system clock was changed — the January–February Modified dates and March Created dates cannot both be correct. Investigate clock manipulation.
The files were downloaded from a web source on March 5, and the Modified timestamps reflect the server-side last-modified dates. This is how browsers preserve original modification dates on downloads.
Operational Artifact — MFT Timeline Construction Methodology
This subsection establishes the methodology for constructing forensic timelines from MFT data. The key techniques are: the copy indicator ($SI Modified before $SI Created) to identify copied files, nanosecond precision for sequencing rapid events, bodyfile generation for mactime/Plaso integration, and focused filtering by directory and time window to isolate relevant events from volume-wide noise. When documenting MFT timelines in forensic reports, always specify the timestamp source ($SI or $FN), the precision level, the operation type inferred from the pattern, and any limitations or alternative explanations. MFT timelines are strongest when corroborated by USN Journal, Prefetch, Event Log, and user activity artifact sources — document the corroboration for every critical timeline event.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You've built the foundations of artifact-level forensic analysis.

WF0 gave you the taxonomy, NTFS architecture, and the five-step methodology. WF1 took you inside the MFT at the binary level — every attribute, every timestamp, every edge case. From here, every artifact category gets the same raw-first treatment.

  • WF2–WF10: every major Windows artifact decoded at binary level — USN Journal, Prefetch, Amcache, Shimcache, ShellBags, LNK, Jump Lists, SRUM, Event Logs, and the Registry hives
  • INC-NE-2026-0915 (WF13) — Insider data exfiltration capstone. Work the complete investigation from USB history to OneDrive exfiltration evidence
  • INC-NE-2026-1022 (WF14) — Ransomware capstone. Three-host triage (FIN01 → IT03 → FS01) across the 72-hour attack chain
  • The lab pack — 25+ realistic evidence files in 10 formats, simulated KAPE triage pre-populated, both capstones deployable to your own VM
  • Anti-forensic detection methodology — defeat timestomping, log clearing, and Prefetch deletion with cross-artifact correlation
Unlock with Specialist — £25/mo See Full Syllabus

Cancel anytime

← Previous Next →