MFT as CSV

Overview

Evidence: MFT as CSV
Description: Dump MFT Entries in CSV Format
Category: NTFS
Platform: Windows
Short Name: mftcsv
Is Parsed: Yes - MFT entries are parsed into structured CSV format
Sent to Investigation Hub: Yes
Collect File(s): No

Background

The Master File Table (MFT) is the central index of an NTFS file system: every file and directory on the volume has at least one record in it. A record holds the file's metadata as a list of attributes, including the $STANDARD_INFORMATION and $FILE_NAME attributes (timestamps and DOS flags), the file's size, and where its data lives on disk. Very small files (roughly under 700 bytes) are stored resident, entirely inside their MFT record; larger files have data runs pointing to clusters elsewhere on the volume.

The MFT is itself a file, $MFT, whose starting cluster is recorded in the volume boot record. Its first records are reserved for NTFS metadata files ($MFT, $MFTMirr, $LogFile, $Volume, $AttrDef, the root directory at record 5, $Bitmap, $Boot and so on), and every other file is addressed by its record number plus a sequence number that is incremented each time the record is reused. Windows resolves paths and attributes through the MFT rather than by walking the disk, which is also why the MFT preserves metadata for deleted files until their records are reallocated.

Data Collected

Field | Description | Example
----- | ----------- | -------
Index | MFT record number of this entry | 12345
Sequence | Sequence number of the record, incremented each time the record is reused; Index plus Sequence form the file reference | 1
Parent | MFT record number of the parent directory (record 5 is the volume root) | 5
ParentSequence | Sequence number the parent record had when this entry was written; if it no longer matches the parent's current Sequence, the parent record has since been reused and FullPath is unreliable | 1
Base | For an extension record, the record number of its base record; 0 for a base record | 0
BaseSequence | Sequence number of the base record; 0 for a base record | 0
USNNumber | Update Sequence Number stored in $STANDARD_INFORMATION, which ties the entry to its last $UsnJrnl change-journal record | 123456789
HasADS | Set (+) when the file carries one or more Alternate Data Streams | + or empty
IsADS | Set (+) when this row describes an Alternate Data Stream rather than the primary data stream | + or empty
ADSName | Name of the Alternate Data Stream (for IsADS rows) | Zone.Identifier
ADSSize | Size of the Alternate Data Stream in bytes | 1024
IsDirectory | Set (+) when the entry is a directory | + or empty
IsDeleted | Set (+) when the record is unallocated, i.e. the file or directory was deleted but its record has not yet been reused | + or empty
LinkCount | Hard link count from the record header (number of names the file has) | 1
Size | Size of the primary data stream in bytes | 2048576
StdInfoAttr.Attributes | DOS-style flags from $STANDARD_INFORMATION (R=ReadOnly, H=Hidden, S=System, C=Compressed, E=Encrypted) | RHS
StdInfoAttr.Modified | Last data modification time from $STANDARD_INFORMATION | 2023-10-15T14:30:00Z
StdInfoAttr.Accessed | Last access time from $STANDARD_INFORMATION | 2023-10-15T15:45:00Z
StdInfoAttr.Changed | MFT record (metadata) change time from $STANDARD_INFORMATION | 2023-10-15T14:30:00Z
StdInfoAttr.Birth | Creation time from $STANDARD_INFORMATION | 2023-10-01T10:00:00Z
FileNameAttr.Attributes | Flags from the $FILE_NAME attribute, same letters as above | RHS
FileNameAttr.Modified | Last data modification time from $FILE_NAME | 2023-10-15T14:30:00Z
FileNameAttr.Accessed | Last access time from $FILE_NAME | 2023-10-15T15:45:00Z
FileNameAttr.Changed | MFT record change time from $FILE_NAME | 2023-10-15T14:30:00Z
FileNameAttr.Birth | Creation time from $FILE_NAME | 2023-10-01T10:00:00Z
Name | File or directory name | document.docx
FullPath | Full path, reconstructed by following the Parent chain to the root | C:\Users\user\Documents\document.docx
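The FullPath column is only as good as the Parent chain it was built from. When a directory is deleted and its MFT record is reused, deleted children still point at that record number but at an older sequence, and a naive join produces a convincing but wrong path. The following script, an added example rather than code from this collector, rebuilds paths from Index, Sequence, Parent and ParentSequence and reports entries whose chain is broken. The column names follow the field table above; the sample rows are constructed for the example, and the volume-relative path format is an assumption.

```python
import csv
import io

# Constructed sample in the mftcsv column layout (column names follow the field
# table on this page; rows are made up for this example and limited to the
# columns the walk needs). Record 68 currently holds "Temp" at Sequence 3, but
# the deleted record 70 was written under record 68 at Sequence 2, i.e. under a
# directory that has since been deleted and whose record was reused.
SAMPLE_CSV = r"""Index,Sequence,Parent,ParentSequence,IsDirectory,IsDeleted,Name,FullPath
5,5,5,5,+,,.,C:\
64,1,5,5,+,,Users,C:\Users
65,1,64,1,+,,alice,C:\Users\alice
66,3,65,1,,,notes.txt,C:\Users\alice\notes.txt
67,2,65,1,,+,staging.zip,C:\Users\alice\staging.zip
68,3,64,1,+,,Temp,C:\Users\Temp
70,4,68,2,,+,secret.docx,C:\Users\Temp\secret.docx
"""

ROOT_INDEX = 5  # the root directory is MFT record 5 on every NTFS volume


def load_entries(csv_text):
    """Index the CSV rows by MFT record number."""
    return {int(r["Index"]): r for r in csv.DictReader(io.StringIO(csv_text))}


def resolve_path(entries, index):
    """Rebuild the volume-relative path of one entry by walking Parent links.

    A Parent link is trusted only while the parent's current Sequence equals
    the child's ParentSequence. A mismatch means the parent record was reused
    after this entry was written, so the rest of the path is unknowable from
    the MFT alone and the entry is reported as orphaned.
    Returns (path, orphaned).
    """
    parts = []
    seen = set()
    cur = entries[index]
    while int(cur["Index"]) != ROOT_INDEX:
        idx = int(cur["Index"])
        if idx in seen:  # looping Parent chain: corrupt record, treat as orphan
            return "\\" + "\\".join(reversed(parts)), True
        seen.add(idx)
        parts.append(cur["Name"])
        parent = entries.get(int(cur["Parent"]))
        if parent is None or int(parent["Sequence"]) != int(cur["ParentSequence"]):
            return "\\" + "\\".join(reversed(parts)), True
        cur = parent
    return "\\" + "\\".join(reversed(parts)), False


def find_orphans(entries):
    """Record numbers whose FullPath column should not be trusted."""
    return sorted(i for i in entries if resolve_path(entries, i)[1])


if __name__ == "__main__":
    table = load_entries(SAMPLE_CSV)
    for i, row in sorted(table.items()):
        path, orphaned = resolve_path(table, i)
        flag = "ORPHAN" if orphaned else ("deleted" if row["IsDeleted"] == "+" else "")
        print(f"{i:>5} {path:<40} {flag}")
```

On the sample, record 67 (a deleted file whose parent directory still exists at the same sequence) resolves normally, while record 70 is reported as an orphan even though the collected FullPath reads C:\Users\Temp\secret.docx. Treat orphaned entries as "a file of this name once existed somewhere on the volume", and look to the $UsnJrnl or $LogFile for the directory it actually lived in.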

Collection Method

This collector reads the $MFT file of every fixed NTFS volume through raw volume access, because $MFT cannot be opened through the normal file API while the volume is mounted. Each record is parsed into the fields listed above, with one row per entry (and one additional row per Alternate Data Stream), and the result is written as CSV for analysis. Raw volume reads require administrative privileges on the host.

Usage

This evidence gives an inventory of every file and directory currently on the volume, plus deleted entries whose MFT records have not yet been reused, each with two independent sets of timestamps. Because the MFT keeps metadata for deleted files and for Alternate Data Streams that ordinary file browsing does not show, analysts can use it to reconstruct user activity, identify deleted files and staging directories, spot downloaded content (Zone.Identifier streams), find data that was collected for exfiltration, and build a file-system timeline that cross-references the $UsnJrnl through USNNumber.

Known Limitations

  • Only available on NTFS volumes

  • Requires direct (raw) access to the volume, and therefore administrative privileges

  • Large MFT files (millions of records on busy volumes) may take time to parse

  • Only metadata is exported: neither the content of deleted files nor the resident data of small files is recovered

  • Deleted entries survive only until their MFT record is reused, and the FullPath of a deleted entry is unreliable once its parent directory's record has been reused (compare ParentSequence with the parent's Sequence)

Notes

Each record carries timestamps in both $STANDARD_INFORMATION and $FILE_NAME. The $STANDARD_INFORMATION set is what the Win32 API (SetFileTime) and therefore most timestomping tools rewrite. The $FILE_NAME set cannot be set through that API; the kernel writes it at creation and refreshes it, by copying the current $STANDARD_INFORMATION values, only when the file is renamed or moved. A $STANDARD_INFORMATION creation time that is earlier than the $FILE_NAME creation time is therefore a strong indicator of backdating. Two caveats: an attacker who timestomps and then renames or moves the file makes both sets agree, so absence of a mismatch is not proof of integrity; and copied files legitimately show an old $STANDARD_INFORMATION modified time next to a recent $FILE_NAME modified time, so only the creation times should be compared this way. Last-access updates are disabled or deferred by default on modern Windows (NtfsDisableLastAccessUpdate), so the Accessed fields are weak evidence on their own.
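The comparison described in these notes, run directly over the CSV this collector produces, as an added example (not part of the collector itself). It flags rows whose $STANDARD_INFORMATION creation time precedes the $FILE_NAME creation time, and, where the collector preserved sub-second digits, rows whose $STANDARD_INFORMATION timestamps have an exactly zero 100 ns fraction, which is what a date typed at second granularity into a timestomping tool produces. The column names follow the field table on this page; the ISO-8601 UTC timestamp format and the presence of a sub-second fraction are assumptions, and the sample rows are constructed for the example.

```python
import csv
import io
import re
from datetime import datetime, timezone

# Constructed sample in the mftcsv column layout (column names follow the field
# table on this page; names and timestamps are made up). Assumes the collector
# writes ISO-8601 UTC timestamps; whether it keeps the 100 ns fraction is an
# assumption, and the sub-second check below is skipped when it does not.
# Row 71 has had its $STANDARD_INFORMATION times pushed back to 2019 after the
# file was created in 2023; row 72 is a file copied from elsewhere (old Modified,
# recent Birth), which is legitimate and must not be flagged.
SAMPLE_CSV = r"""Index,Name,FullPath,StdInfoAttr.Birth,StdInfoAttr.Modified,FileNameAttr.Birth,FileNameAttr.Modified
66,notes.txt,C:\Users\alice\notes.txt,2023-10-01T10:00:00.1234567Z,2023-10-15T14:30:00.7654321Z,2023-10-01T10:00:00.1234567Z,2023-10-01T10:00:00.1234567Z
71,svchost.exe,C:\Users\alice\AppData\Roaming\svchost.exe,2019-03-19T04:45:00.0000000Z,2019-03-19T04:45:00.0000000Z,2023-10-15T16:02:11.9876543Z,2023-10-15T16:02:11.9876543Z
72,report.pdf,C:\Users\alice\Downloads\report.pdf,2023-10-14T09:12:33.5550000Z,2023-10-12T08:00:00.1111111Z,2023-10-14T09:12:33.5550000Z,2023-10-14T09:12:33.5550000Z
"""

TS_RE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T(\d{2}):(\d{2}):(\d{2})(?:\.(\d+))?Z?$")


def parse_ts(value):
    """Parse a CSV timestamp into (aware UTC datetime, raw sub-second digits).

    The raw digits are kept because NTFS stores 100 ns ticks (7 digits), more
    than datetime's microseconds; '' means the value had no fraction at all.
    Returns (None, '') for an empty or malformed value.
    """
    m = TS_RE.match(value.strip())
    if not m:
        return None, ""
    y, mo, d, h, mi, s, frac = m.groups()
    micro = int((frac or "0")[:6].ljust(6, "0"))
    ts = datetime(int(y), int(mo), int(d), int(h), int(mi), int(s), micro, tzinfo=timezone.utc)
    return ts, frac or ""


def timestomp_indicators(row):
    """Indicators raised for one CSV row (empty list when nothing looks wrong)."""
    hits = []
    si_birth, _ = parse_ts(row.get("StdInfoAttr.Birth", ""))
    fn_birth, _ = parse_ts(row.get("FileNameAttr.Birth", ""))
    # $FN.Birth is set by the kernel at creation and re-copied from $SI only on
    # rename/move, so $SI.Birth can only be earlier if it was rewritten afterwards.
    # Modified is deliberately not compared this way: copying a file keeps the
    # source's $SI.Modified while $FN.Modified takes the copy time.
    if si_birth and fn_birth and si_birth < fn_birth:
        hits.append("SI.Birth earlier than FN.Birth")
    # Timestomping tools usually take a date at second granularity, so the 100 ns
    # fraction of the rewritten $SI timestamp comes out exactly zero, which is
    # rare for a timestamp NTFS set itself. Skipped when no fraction was exported.
    for field in ("Birth", "Modified", "Accessed", "Changed"):
        _, frac = parse_ts(row.get(f"StdInfoAttr.{field}", ""))
        if frac and set(frac) == {"0"}:
            hits.append(f"SI.{field} has zero sub-second part")
    return hits


def scan(csv_text):
    """Map record number -> indicators, for rows that raised at least one."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        hits = timestomp_indicators(row)
        if hits:
            findings[int(row["Index"])] = hits
    return findings


if __name__ == "__main__":
    for index, hits in scan(SAMPLE_CSV).items():
        print(index, "; ".join(hits))
```

On the sample only record 71 is reported; the copied file in record 72 passes because the check compares creation times only. Indicators from this script are leads, not verdicts: confirm them against the $UsnJrnl entry referenced by USNNumber and against the $FILE_NAME timestamps of the parent directory.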
