Sign In
In this module

MFT Analysis for the Three NE Scenarios

14 hours · Module 1 · Free
Operational Objective
The previous ten subsections taught MFT analysis as a set of techniques — record structure, attributes, timestamps, data storage, indexing, sequence numbers, extraction, timeline construction, timestomping detection, and deleted file recovery. This subsection applies every technique to the three Northgate Engineering investigation scenarios that thread through the course. Each scenario presents different MFT analysis challenges: the insider threat requires identifying file copy patterns and staging directory evidence over a 6-week window; the ransomware attack requires mass file modification timeline and timestomped executable detection across a 72-hour intrusion; the access dispute requires proving or disproving file access through MFT timestamps and directory relationships. By working through these applied scenarios, you connect the binary-level knowledge from previous subsections to the investigative questions that drive real examinations — translating MFT data into findings that answer "what happened, when, and what does the evidence prove?"
Deliverable: Applied MFT analysis for each NE scenario: identification of relevant MFT evidence, extraction of key findings, timeline segments showing critical events, and documentation of what the MFT evidence proves and does not prove for each investigation.
Estimated completion: 45 minutes
MFT EVIDENCE ACROSS THREE NE INVESTIGATION SCENARIOS INC-NE-2026-0915 Insider Data Exfiltration MFT evidence targets: • Copy indicator: $SI M < $SI C on files in staging directories • File creation timeline: 6-week copying pattern (dates, volumes) • Parent directory references: which directories were used for staging • Deleted entries: files removed from staging after USB transfer • $I30 slack: evidence in cleaned staging directories Key question: What was copied, when? Legal hold — court-admissible standard INC-NE-2026-1022 Ransomware Attack MFT evidence targets: • Mass modification: $SI M timestamps in 4-minute encryption window • New executables: $SI C timestamps for attacker tools deployment • Timestomping: $SI/$FN comparison on attacker executables • Deleted tools: recovery of cleaned attack tools from freed entries • Ransom notes: $SI C timestamps confirm deployment timing Key question: Attack timeline and scope? Insurance claim + regulatory notification INC-NE-2026-1130 Unauthorized Access Dispute MFT evidence targets: • File access: $SI Accessed timestamps (limited by NtfsDisableLastAccess) • No modification: $SI M unchanged proves access without edit • Parent directory: $FN parent ref confirms file location in share • MFT limitations: MFT alone cannot prove WHO accessed the file • Requires: ShellBags, LNK, Event Logs for user attribution Key question: Did this person access it? HR legal proceeding — preponderance

Figure WF1.11 — MFT evidence targets for each NE investigation scenario. The insider threat investigation uses the copy indicator and staging directory analysis. The ransomware investigation uses mass modification timelines and timestomping detection. The access dispute uses timestamp analysis but requires corroboration from user activity artifacts (ShellBags, LNK, Event Logs) for attribution.

Scenario 1 — Insider data exfiltration (INC-NE-2026-0915)

The departing engineer at Northgate Engineering copied proprietary manufacturing specifications to USB and cloud storage over a 6-week period. MFT analysis targets the engineer's workstation (DESKTOP-NGE-ENG14) to answer three questions: what files were copied, when were they copied, and where were they staged.

Identifying copied files. The copy indicator ($SI Modified before $SI Created) identifies every file that was copied to the workstation. Filter MFTECmd output for the engineer's profile directories (C:\Users\[username]\), the Documents and Desktop folders, and any non-standard directories. Sort by Created0x10. Entries where LastModified0x10 is earlier than Created0x10 are copies. The Created0x10 timestamp is when the copy was made. The LastModified0x10 timestamp is when the file was last edited at its original location — potentially months or years ago, reflecting the file's production history.

The copy indicator analysis produces a complete list of files copied to the workstation during any time period. Filter to the 6-week investigation window to identify the relevant copies. Files copied before the investigation window may be routine work activity. Files copied during the 6-week window — particularly files from restricted network shares containing manufacturing specifications — are exfiltration candidates.

Staging directory analysis. Look for directories created during the investigation window that contain clusters of copied files. A directory named something innocuous ("Project Archive", "Backup", "Personal") that contains 50 files with copy indicators all dated within the investigation window is a staging directory. The directory's own MFT record shows its creation time (when the directory was created for staging) and the $I30 index entries show when files were added.

If the staging directory was cleaned up (files deleted after USB transfer), the deleted MFT entries may still be recoverable. If the MFT entries were reallocated, the $I30 slack in the directory's index records may still contain the filenames and timestamps of the deleted files (WF1.5).

Timeline construction. Build a chronological timeline of copy operations by sorting the copied files by Created0x10. This shows the exfiltration pattern: which files were copied first, whether the copying occurred in sessions (clusters of copies separated by hours or days), and whether the pattern accelerated as the departure date approached. The timeline may show daily copying sessions during the engineer's lunch break, weekend access, or late-night sessions — each pattern provides evidence about the intent and method.

Compliance Myth: "The MFT proves the employee exfiltrated the files because the copy timestamps match the employee's work hours"
The MFT proves files were copied. It does not prove who copied them. Timestamp correlation with work hours is circumstantial — it shows the copying happened during the employee's typical access period, but it does not exclude other users who may have had access to the workstation during those hours (remote access, shared credentials, after-hours access). To attribute the copying to the specific employee, you need: authentication events showing the employee logged into the workstation at the copy times, Prefetch data showing the application used to copy (Explorer, xcopy, robocopy), and ideally ShellBag or LNK evidence showing the employee navigated to the source directories. MFT evidence establishes what happened and when. User activity artifacts (WF4) and Event Logs (WF6) establish who did it.

Scenario 2 — Ransomware attack (INC-NE-2026-1022)

The ransomware attack at Northgate Engineering involved 72 hours of activity from initial phishing access to encryption deployment. MFT analysis targets the patient zero workstation (DESKTOP-NGE-FIN01) and the encrypted server (SRV-NGE-FS01) to establish the attack timeline, identify attacker tools, and scope the encryption damage.

Mass modification timeline. The encryption event produces a characteristic MFT pattern: thousands of files with $SI Modified timestamps within a narrow time window (the encryption duration). Filter MFTECmd output for files with LastModified0x10 within the suspected encryption window. Sort by timestamp to determine the encryption start time, the encryption speed (files per second), and the encryption scope (which directories were affected, in what order).

The nanosecond precision of FILETIME timestamps reveals the encryption sequence: which directory was encrypted first, which was encrypted last, and how the ransomware traversed the filesystem. This information helps reconstruct the ransomware's directory walking algorithm and may identify directories that were skipped (perhaps the ransomware encountered an error or was terminated before completing).

Attacker tool detection. The attacker deployed tools (the ransomware executable, lateral movement tools, credential dumping utilities) in specific directories. Filter MFTECmd output for new executables (.exe, .dll, .bat, .ps1) created during the 72-hour intrusion window. Apply the timestomping detection methodology (WF1.9) to every identified executable — attackers routinely timestomp their tools.

The $FN Created timestamps on attacker tools provide the real deployment timeline: when each tool was placed on the system, the sequence of tool deployment (reconnaissance tools first, then credential tools, then lateral movement tools, then the ransomware itself), and the time gaps between deployment stages.

Deleted tool recovery. After encryption, some attackers clean up their tools — deleting the deployment scripts, the lateral movement executables, and the credential dumping utilities. MFT analysis of freed entries in the attacker's staging directories may recover the deleted tools. The deployment batch script (if small enough to be resident) may be fully recoverable from its freed MFT entry, revealing the exact commands used to deploy the ransomware across the network.

Decision point

Your MFT analysis of the ransomware patient zero (DESKTOP-NGE-FIN01) shows 7 executables in C:\ProgramData\Updates\ with $FN Created timestamps between 02:10 and 02:17 on March 18, 2026. Of the 7 executables, 5 have timestomped $SI Created (backdated to August 2025) and 2 have $SI Created matching $FN Created (March 18, 2026 — no timestomping). All 7 executables are still present on disk (InUse = True).

For your report, do you: (A) Report all 7 as attacker tools deployed during the intrusion. (B) Report the 5 timestomped executables as confirmed attacker tools (timestomping is deliberate concealment) and investigate the 2 non-timestomped executables further — they may be legitimate applications that were in the directory before the attack, or attacker tools where the timestomping command wasn't applied.

The correct approach is B. The 5 timestomped executables are confirmed attacker tools — legitimate software does not timestomp itself. The 2 non-timestomped executables require further analysis: check their $FN Created timestamps against the intrusion window (are they from March 18?), check their file hashes against known malware databases, and examine their Prefetch entries to determine when they executed. They may be attacker tools that the attacker forgot to timestomp, or they may be pre-existing legitimate files in the ProgramData directory. Don't assume — verify.

Scenario 3 — Unauthorized access dispute (INC-NE-2026-1130)

The access dispute is the most constrained of the three scenarios from an MFT perspective. The employee claims they never accessed a restricted file share. MFT analysis alone cannot resolve this claim because MFT timestamps do not record which user performed a file operation — they record that the operation occurred. Resolving the access question requires correlating MFT evidence with user-specific artifacts: ShellBags (folder navigation), LNK files (file opening), Event Logs (authentication to the file server), and session data (logon/logoff times).

What the MFT can contribute to this investigation:

Accessed timestamp evidence (limited). On the file server (SRV-NGE-FS01), the files in the restricted share have $SI Accessed timestamps. If NtfsDisableLastAccessUpdate is not enabled on the server (servers often have this enabled by default on Windows Server 2019+), the Accessed timestamps may show when the files were last read. If the Accessed timestamp falls within the employee's authenticated session time, it is consistent with access — but not proof, because other users may have accessed the same files.

No modification evidence. If the employee only browsed the restricted share without downloading or editing files, the $SI Modified timestamp on the share's files would be unchanged. This is consistent with both "the employee accessed the files (read-only)" and "the employee never accessed the files (someone else changed the Accessed timestamp)." The MFT evidence is ambiguous for read-only access.

Parent directory metadata. The restricted folder's MFT record has $SI Entry Modified and $SI Accessed timestamps. If the folder's metadata was updated during the employee's session, it is consistent with access — but again not proof of who accessed it.

The key lesson: MFT analysis is necessary but not sufficient for the access dispute. It establishes the temporal framework (when files and directories were last accessed or modified) that other artifact sources corroborate with user-specific evidence. The ShellBag analysis (WF4) on the employee's workstation provides the user-specific folder navigation evidence that the MFT cannot.

Try it: Applied MFT analysis for one NE scenario

Choose one of the three NE scenarios and perform focused MFT analysis on the lab evidence:

If you choose INC-NE-2026-0915 (insider): 1. Filter MFTECmd output for the engineer's profile directories. 2. Identify all files with the copy indicator ($SI Modified before $SI Created). 3. Filter to the 6-week investigation window. 4. Identify staging directories (clusters of copied files). 5. Check for deleted entries in staging directories. 6. Build a daily timeline of copy activity.

If you choose INC-NE-2026-1022 (ransomware): 1. Filter for new executables in temporary/staging directories. 2. Apply timestomping detection to all identified executables. 3. Determine real deployment timestamps from $FN Created. 4. Identify the encryption window from mass $SI Modified timestamps. 5. Check for deleted tools in the attacker's staging directories. 6. Build the attack phase timeline (deployment → lateral movement → encryption).

If you choose INC-NE-2026-1130 (access dispute): 1. Examine the restricted folder's MFT timestamps on the file server. 2. Note the $SI Accessed timestamps on files in the restricted share. 3. Document what the MFT evidence shows and does not show. 4. List the artifact sources needed to corroborate or refute the access claim.

Produce a one-page summary of your MFT findings for the chosen scenario, including: evidence identified, timeline of key events, what the evidence proves, and what additional artifact sources are needed.

During the insider threat investigation (INC-NE-2026-0915), your MFT analysis shows 147 files were copied to a directory called "Project_Backup" over a 6-week period. The copy indicator is present on all 147 files. The directory was deleted 2 days before the employee's last day. The MFT entry for the directory is still free (not reallocated). The directory's $INDEX_ALLOCATION attribute shows 3 index records. What is your next analysis step?
Report the 147 copied files as the exfiltration set. The copy indicators and the directory deletion before the last day are sufficient evidence of intent.
Parse the $I30 slack in the directory's $INDEX_ALLOCATION records. The directory was deleted, which removed the active index entries, but the 3 index records may contain extensive slack space with entries from all 147 files. Recovering filenames and timestamps from $I30 slack provides a second independent source corroborating the MFT entry analysis. If any of the 147 files' MFT entries have been reallocated (destroying their metadata), the $I30 slack evidence preserves their filenames and timestamps. Additionally, check the Recycle Bin for $I files corresponding to the deleted directory — the $I file contains the original path and deletion timestamp, establishing when the cleanup occurred.
Examine the 147 files' data clusters to recover their content. The file content is needed to prove the files contained manufacturing specifications.
Check the USN Journal for the 147 copy operations. The USN Journal provides independent timestamps for each copy that can be compared against the MFT timestamps.
Operational Artifact — Scenario-Specific MFT Analysis Guide
This subsection applies every MFT analysis technique from WF1.1–WF1.10 to the three NE investigation scenarios. The patterns demonstrated here — copy indicator analysis for insider threats, mass modification timelines and timestomping detection for ransomware, and the limitations of MFT evidence for access disputes — are directly transferable to real investigations. When starting an MFT analysis on a new case, identify which scenario pattern best matches your investigation and apply the corresponding technique set. Document your MFT findings as one section of the broader forensic analysis — MFT evidence is strongest when corroborated with USN Journal (WF2), execution evidence (WF3), user activity artifacts (WF4), and Event Logs (WF6).
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You've built the foundations of artifact-level forensic analysis.

WF0 gave you the taxonomy, NTFS architecture, and the five-step methodology. WF1 took you inside the MFT at the binary level — every attribute, every timestamp, every edge case. From here, every artifact category gets the same raw-first treatment.

  • WF2–WF10: every major Windows artifact decoded at binary level — USN Journal, Prefetch, Amcache, Shimcache, ShellBags, LNK, Jump Lists, SRUM, Event Logs, and the Registry hives
  • INC-NE-2026-0915 (WF13) — Insider data exfiltration capstone. Work the complete investigation from USB history to OneDrive exfiltration evidence
  • INC-NE-2026-1022 (WF14) — Ransomware capstone. Three-host triage (FIN01 → IT03 → FS01) across the 72-hour attack chain
  • The lab pack — 25+ realistic evidence files in 10 formats, simulated KAPE triage pre-populated, both capstones deployable to your own VM
  • Anti-forensic detection methodology — defeat timestomping, log clearing, and Prefetch deletion with cross-artifact correlation
Unlock with Specialist — £25/mo See Full Syllabus

Cancel anytime

← Previous Next →