Module Summary — The Master File Table
This module took you inside the most important forensic artifact in Windows — the Master File Table — at a depth that most training never reaches. You can now read a raw MFT record in a hex editor, walk the attribute chain, parse timestamps from FILETIME encoding, and verify parser output against the binary data. This is the foundational skill for everything that follows in this course.
What you built
Binary reading skills. You know the MFT record header field by field: the "FILE" signature at offset 0x00, the fixup array that verifies record integrity, the sequence number that tracks allocation cycles, the flags that distinguish active files from deleted entries, and the first attribute offset that points to the start of the attribute chain. You can walk the chain by reading type codes and length fields until the 0xFFFFFFFF end marker.
Attribute mastery. You understand the three critical attributes: $STANDARD_INFORMATION (the four $SI timestamps that tools report and attackers modify), $FILE_NAME (the four $FN timestamps set by the kernel that attackers rarely touch), and $DATA (resident content embedded in the record vs non-resident content stored in clusters). You understand directory indexing through $INDEX_ROOT and $INDEX_ALLOCATION, and you know that deleted files leave traces in $I30 slack.
Timestomping detection. You have a structured three-method detection methodology: $SI/$FN comparison for temporal inversions (high confidence), nanosecond precision analysis for screening (moderate confidence), and USN Journal correlation for definitive confirmation (very high confidence). You can classify findings as confirmed, probable, or possible, and you know the false positive risks for each method.
Deleted file recovery. You can assess recovery probability based on MFT entry status, data residency (resident vs non-resident), storage type (HDD vs SSD), and cluster allocation status. You can extract resident file content directly from freed MFT entries — a recovery method that works regardless of SSD TRIM because the MFT is not subject to cluster-level trimming.
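The record header, attribute walk, FILETIME decoding and resident-data recovery described in the three paragraphs above, as one added Python example that is not part of this module's material or any tool it names. It constructs a 1024-byte on-disk record (entry number 4242, sequence 7, name notes.txt, timestamps and content are all invented for this example) that is flagged not in use, so it represents a freed entry with resident $DATA, and the fixup words deliberately fall inside that content so the parse is only correct once the fixup array has been applied. The offsets are the standard NTFS record and attribute layout; the sample values are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
END_MARKER = 0xFFFFFFFF
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}
TS_KEYS = ("created", "modified", "mft_modified", "accessed")
RECORD_SIZE, SECTOR_SIZE = 1024, 512
# Constructed sample values (assumptions for this example, not from any real volume).
SAMPLE_CREATED = datetime(2026, 3, 10, 14, 2, 7, 500000, tzinfo=timezone.utc)
SAMPLE_DATA_CONTENT = (b"DRAFT: Q3 margin figures, do not distribute. " * 11)[:480]


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC; datetime keeps microseconds."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def apply_fixups(raw):
    """Integrity check: the last two bytes of each 512-byte sector must equal the
    USN at the start of the fixup array; the saved originals are put back."""
    rec = bytearray(raw)
    if rec[:4] != b"FILE":
        raise ValueError("missing FILE signature")
    usa_off, usa_count = struct.unpack_from("<HH", rec, 0x04)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        pos = i * SECTOR_SIZE - 2
        if bytes(rec[pos:pos + 2]) != usn:
            raise ValueError(f"fixup mismatch at sector {i - 1}: torn or corrupt record")
        rec[pos:pos + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_record(raw):
    """Header fields at 0x10 (sequence, links, first attribute, flags) and 0x2C
    (record number), then the attribute chain up to the 0xFFFFFFFF marker."""
    rec = apply_fixups(raw)
    seq, links, first_attr, flags = struct.unpack_from("<HHHH", rec, 0x10)
    out = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "sequence": seq,
           "links": links, "in_use": bool(flags & 0x01), "is_dir": bool(flags & 0x02),
           "attributes": []}
    off = first_attr
    while struct.unpack_from("<I", rec, off)[0] != END_MARKER:
        atype, length, nonres = struct.unpack_from("<IIB", rec, off)
        attr = {"type": ATTR_NAMES.get(atype, hex(atype)), "resident": nonres == 0}
        if nonres == 0:                       # resident: content lives in the record
            size, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + size]
            if atype == 0x10:                 # $SI: four timestamps at 0x00..0x18
                attr.update(zip(TS_KEYS, map(filetime_to_datetime, struct.unpack_from("<4Q", body, 0))))
            elif atype == 0x30:               # $FN: parent ref, then four timestamps at 0x08
                attr.update(zip(TS_KEYS, map(filetime_to_datetime, struct.unpack_from("<4Q", body, 8))))
                attr["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
            elif atype == 0x80:
                attr["content"] = body
        out["attributes"].append(attr)
        off += length
    return out


def recover_resident_data(raw):
    """Freed entry with resident $DATA: the content is still in the MFT record,
    independent of cluster allocation or SSD TRIM."""
    for attr in parse_record(raw)["attributes"]:
        if attr["type"] == "$DATA" and attr["resident"]:
            return attr["content"]
    return None


def _resident_attr(atype, content, attr_id):
    length = (0x18 + len(content) + 7) & ~7  # attribute records are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0, 0, attr_id, len(content), 0x18, 0, 0)
    return hdr + content + b"\x00" * (length - 0x18 - len(content))


def build_sample_record():
    """Assemble the constructed record exactly as it would sit on disk, USN stamped."""
    ts = datetime_to_filetime(SAMPLE_CREATED)
    si = struct.pack("<4Q4I", ts, ts, ts, ts, 0x20, 0, 0, 0)
    fn = struct.pack("<Q4QQQIIBB", 5 | (5 << 48), ts, ts, ts, ts, 1024,
                     len(SAMPLE_DATA_CONTENT), 0x20, 0, 9, 1) + "notes.txt".encode("utf-16-le")
    body = (_resident_attr(0x10, si, 0) + _resident_attr(0x30, fn, 1)
            + _resident_attr(0x80, SAMPLE_DATA_CONTENT, 2) + struct.pack("<I", END_MARKER))
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 7, 1, 0x38, 0x0000,
                      0x38 + len(body), RECORD_SIZE, 0, 3, 0, 4242)   # flags 0: not in use
    rec = bytearray(hdr + b"\x00" * 8 + body)
    rec += b"\x00" * (RECORD_SIZE - len(rec))
    usn = struct.pack("<H", 0x0007)
    for i in (1, 2):                          # save each sector tail, overwrite it with the USN
        pos = i * SECTOR_SIZE - 2
        rec[0x30 + 2 * i:0x30 + 2 * i + 2] = rec[pos:pos + 2]
        rec[pos:pos + 2] = usn
    rec[0x30:0x32] = usn
    return bytes(rec)


SAMPLE_RECORD = build_sample_record()

if __name__ == "__main__":
    parsed = parse_record(SAMPLE_RECORD)
    print(parsed["record"], parsed["sequence"], "in_use:", parsed["in_use"])
    for a in parsed["attributes"]:
        print(a["type"], a.get("name", ""), a.get("created", ""))
    print(recover_resident_data(SAMPLE_RECORD)[:45])
```

Bytes 510 and 511 of the raw sample are the USN, not the document text, which is why a parser that skips the fixup step would hand back corrupted $DATA; the same check is what lets you verify a tool's output against the hex.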
Timeline construction. You can build a forensic filesystem timeline from MFT data, identify file operations (creation, modification, copy, move, rename) from their characteristic timestamp patterns, and use the copy indicator ($SI Modified before $SI Created) to identify every copied file on a volume.
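The timestomping screening methods and the copy indicator from the two paragraphs above, as an added Python example that is not from this module or any tool it names. It runs Method 1 ($SI/$FN comparison) and Method 2 (fractional-second screening) over three constructed entries, applies the copy indicator to find staged files, and flattens the timestamps into a sorted timeline. Method 3 is left out because it needs the USN Journal, so the code never reports "confirmed"; mapping an inversion to "probable" and a fractional-second hit alone to "possible" is my reading of the classification, and the precision check runs at datetime's microsecond resolution rather than true 100 ns ticks. All paths and times are invented for this example.

```python
from datetime import datetime, timezone

TS_KEYS = ("created", "modified", "mft_modified", "accessed")


def utc(*parts):
    """MFT timestamps are UTC; build timezone-aware datetimes for comparisons."""
    return datetime(*parts, tzinfo=timezone.utc)


def entry(path, si_created, si_modified, fn_created):
    """One parsed MFT entry in the shape a parser reports it (assumed layout);
    Entry Modified and Accessed are set equal to Modified to keep the sample short."""
    return {"path": path,
            "si": {"created": si_created, "modified": si_modified,
                   "mft_modified": si_modified, "accessed": si_modified},
            "fn": {"created": fn_created, "modified": fn_created}}


# Constructed sample: an edited document, a copy staged to removable media,
# and a backdated binary.
SAMPLE_RECORDS = [
    entry(r"C:\Users\jdoe\Documents\report.docx",
          utc(2026, 9, 1, 9, 0, 0, 123456), utc(2026, 9, 3, 16, 20, 11, 654321),
          utc(2026, 9, 1, 9, 0, 0, 123456)),
    entry(r"E:\stage\report.docx",
          utc(2026, 9, 14, 22, 41, 3, 111111), utc(2026, 9, 3, 16, 20, 11, 654321),
          utc(2026, 9, 14, 22, 41, 3, 111111)),
    entry(r"C:\ProgramData\update.exe",
          utc(2019, 4, 12, 8, 0, 0), utc(2019, 4, 12, 8, 0, 0),
          utc(2026, 9, 15, 3, 12, 44, 222222)),
]


def screen_timestomping(rec):
    """Methods 1 and 2. Never returns 'confirmed': that is Method 3, USN Journal
    correlation, which an MFT-only pass cannot perform."""
    si, fn = rec["si"], rec["fn"]
    reasons, inversion = [], False
    # Method 1: $FN Created is kernel-written, so a $SI Created earlier than it is
    # a temporal inversion. Only Created is compared: $SI Modified legitimately
    # predates $FN Created on every copied file and would false-positive.
    if si["created"] < fn["created"]:
        reasons.append("$SI Created precedes $FN Created")
        inversion = True
    # Method 2: all four $SI values on whole seconds. Common timestomping tools
    # only take second resolution, but FAT media and archive extraction produce
    # the same pattern, so this stays a moderate-confidence screening hit.
    if all(si[k].microsecond == 0 for k in TS_KEYS):
        reasons.append("all four $SI timestamps have zero fractional seconds")
    if inversion:
        return "probable", reasons
    return ("possible" if reasons else "none"), reasons


def classify_operation(rec):
    """Characteristic $SI patterns; a Modified older than Created is the copy indicator."""
    si = rec["si"]
    if si["modified"] < si["created"]:
        return "copied"
    if si["modified"] == si["created"]:
        return "created"
    return "modified in place"


def analyze_record(rec):
    cls, reasons = screen_timestomping(rec)
    # Operation patterns rest on $SI values, so withhold them when $SI is suspect.
    op = "unreliable" if cls == "probable" else classify_operation(rec)
    return {"path": rec["path"], "timestomp": cls, "reasons": reasons, "operation": op}


def find_copied(records):
    """Copy indicator over a whole listing: every copied (e.g. staged) file."""
    return [r["path"] for r in records if classify_operation(r) == "copied"]


def build_timeline(records):
    """Flatten $SI and $FN timestamps into (time, event, path) rows, oldest first."""
    rows = []
    for r in records:
        rows.append((r["si"]["created"], "$SI Created", r["path"]))
        rows.append((r["si"]["modified"], "$SI Modified", r["path"]))
        rows.append((r["fn"]["created"], "$FN Created", r["path"]))
    return sorted(rows)


if __name__ == "__main__":
    for when, event, path in build_timeline(SAMPLE_RECORDS):
        print(when.isoformat(), event, path)
    for rec in SAMPLE_RECORDS:
        print(analyze_record(rec))
```

On the sample, the staged copy is reported as copied with no timestomping hit, while the backdated binary trips both methods and has its operation withheld; the timeline's earliest rows are that binary's backdated $SI values, which is exactly the kind of entry that warrants USN Journal follow-up.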
Applied analysis. You applied these techniques to three Northgate Engineering scenarios: identifying staged exfiltration files through copy indicators (insider threat), reconstructing the encryption timeline and detecting timestomped attacker tools (ransomware), and understanding the MFT's limitations for access attribution (access dispute).
What comes next
The MFT provides the filesystem skeleton — file existence, timestamps, directory relationships, and data locations. The next modules add the flesh:
WF2 — USN Journal adds the filesystem changelog: every file operation (create, modify, rename, delete) recorded with independent timestamps. The USN Journal completes the timestomping detection methodology (Method 3) and provides deletion timestamps that the MFT alone cannot.
WF3 — Prefetch, Amcache, and Shimcache add program execution evidence: proof that specific executables ran, when they ran, how many times they ran, and which files they loaded. This converts MFT file existence evidence into execution evidence.
WF4 — ShellBags, LNK Files, and Jump Lists add user activity evidence: proof that a specific user navigated to specific directories and opened specific files. This provides the user attribution that MFT timestamps alone cannot.
The MFT tells you what files exist and when they were created or modified. The USN Journal tells you the complete history of operations on those files. Execution artifacts tell you which programs ran. User activity artifacts tell you who interacted with the files. Together, they produce the complete forensic picture.
Key references from this module
- MFT record header fields (WF1.1): signature, fixup, sequence number, flags, first attribute offset
- $SI timestamp offsets (WF1.2): Created 0x00, Modified 0x08, Entry Modified 0x10, Accessed 0x18
- $FN forensic reliability (WF1.3): kernel-set timestamps, not modifiable via user-mode API
- Resident data threshold (WF1.4): approximately 700 bytes, content survives deletion in MFT
- $I30 slack (WF1.5): deleted file evidence in directory index records
- Sequence number verification (WF1.6): entry number + sequence = unique file reference
- MFTECmd workflow (WF1.7): collect → verify → parse → analyze → validate
- Copy indicator (WF1.8): $SI Modified before $SI Created = file was copied
- Timestomping detection (WF1.9): three methods, classification system, reporting template
- Recovery assessment (WF1.10): resident = high, non-resident HDD = moderate, non-resident SSD = low
You've built the foundations of artifact-level forensic analysis.
WF0 gave you the taxonomy, NTFS architecture, and the five-step methodology. WF1 took you inside the MFT at the binary level — every attribute, every timestamp, every edge case. From here, every artifact category gets the same raw-first treatment.
- WF2–WF10: every major Windows artifact decoded at binary level — USN Journal, Prefetch, Amcache, Shimcache, ShellBags, LNK, Jump Lists, SRUM, Event Logs, and the Registry hives
- INC-NE-2026-0915 (WF13) — Insider data exfiltration capstone. Work the complete investigation from USB history to OneDrive exfiltration evidence
- INC-NE-2026-1022 (WF14) — Ransomware capstone. Three-host triage (FIN01 → IT03 → FS01) across the 72-hour attack chain
- The lab pack — 25+ realistic evidence files in 10 formats, simulated KAPE triage pre-populated, both capstones deployable to your own VM
- Anti-forensic detection methodology — defeat timestomping, log clearing, and Prefetch deletion with cross-artifact correlation