MFT

Overview

Evidence: MFT Description: Dump raw contents of $MFT Category: DiskFilesystem Platform: windows Short Name: mft Is Parsed: No Sent to Investigation Hub: Yes Collect File(s): Yes

Background

The Master File Table ($MFT) is the core metadata file for NTFS volumes. This evidence type collects the raw binary $MFT file itself (as opposed to the parsed CSV version). The raw MFT file can be analyzed with specialized tools to extract more detailed information than the CSV export, including deleted file entries, file slack space, and advanced NTFS features.

Data Collected

This collector gathers structured data about mft.

Collection Method

This collector uses kernel driver NTFS raw access to read $MFT from each fixed NTFS drive. The raw MFT file is collected byte-for-byte.

Forensic Value

Raw MFT files enable advanced NTFS forensics beyond CSV parsing. Investigators use this data for deleted file recovery from unallocated MFT entries, advanced timeline analysis, file slack analysis, NTFS attribute analysis, and deep forensic examination with specialized MFT parsers.