MFT as CSV

Overview

Evidence: MFT as CSV
Description: Dump MFT entries in CSV format
Category: DiskFilesystem
Platform: windows
Short Name: mftcsv
Is Parsed: Yes
Sent to Investigation Hub: Yes
Collect File(s): Yes

Background

The Master File Table (MFT) is a critical component of the NTFS file system that maintains a record of every file and directory on an NTFS volume. Each file or directory has at least one entry in the MFT, and that entry holds the file's metadata, including timestamps, attributes, size, and location information. The MFT resides at a fixed location on the volume (typically near the beginning) and acts as the central directory for the entire file system. Windows uses the MFT to locate files and their attributes quickly without having to traverse the entire disk.

Data Collected

This collector gathers the metadata recorded for each MFT entry (timestamps, attributes, size, and location information) and exports it as CSV.

Collection Method

This collector parses MFT entries directly from NTFS volumes by reading the $MFT file on each fixed NTFS drive. The data is exported to CSV format for easy analysis.
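As an added illustration (not the collector's own code), the following Python parser reads raw 1024-byte $MFT records, applies the NTFS update-sequence fixups, pulls the $STANDARD_INFORMATION timestamps and the $FILE_NAME name and size from each resident attribute, and returns one row per record ready for csv.DictWriter. The sample $MFT at the bottom is constructed in-line (record numbers, names, sizes and timestamps are invented) so the block runs offline; attribute type codes and offsets are the standard NTFS on-disk layout.

```python
import struct
from datetime import datetime, timedelta, timezone

def filetime_to_iso(ft):  # FILETIME = 100 ns ticks since 1601-01-01 UTC
    return (datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)).isoformat()
def apply_fixups(record):
    # NTFS overwrites the last 2 bytes of every 512-byte sector with the update sequence number (USN)
    # and saves the real bytes in the update sequence array; verify the USN, then restore them.
    rec, (usa_off, usa_count) = bytearray(record), struct.unpack_from("<HH", record, 4)
    for i in range(1, usa_count):
        if rec[512 * i - 2:512 * i] != rec[usa_off:usa_off + 2]:
            raise ValueError("USN mismatch: torn write or corrupt record")
        rec[512 * i - 2:512 * i] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_mft_record(record):
    if record[:4] != b"FILE":  # zeroed slots and BAAD records are skipped
        return None
    rec = apply_fixups(record)
    off, flags, _, _, _, _, _, recno = struct.unpack_from("<HHIIQHHI", rec, 0x14)  # first-attr offset, flags, record no.
    row = dict(record=recno, in_use=bool(flags & 1), is_dir=bool(flags & 2), name="", size=0, created="", modified="")
    while off + 9 <= len(rec):
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:  # end-of-attributes marker
            break
        if not nonres:  # resident attribute: its content lies inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == 0x10:  # $STANDARD_INFORMATION: created, modified, MFT-modified, accessed
                row["created"], row["modified"] = map(filetime_to_iso, struct.unpack_from("<QQ", body))
            elif atype == 0x30 and (body[0x41] != 2 or not row["name"]):  # $FILE_NAME; prefer the non-DOS name
                row["size"] = struct.unpack_from("<Q", body, 0x30)[0]
                row["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
        off += alen
    return row
def parse_mft(mft_bytes):  # one row per FILE record; the rows feed csv.DictWriter directly
    return [r for i in range(0, len(mft_bytes), 1024) if (r := parse_mft_record(mft_bytes[i:i + 1024]))]
def attr(atype, body):  # resident attribute: 24-byte header + body, padded to 8 bytes
    n = (24 + len(body) + 7) & ~7
    return (struct.pack("<IIBBHHHIHBB", atype, n, 0, 0, 24, 0, 0, len(body), 24, 0, 0) + body).ljust(n, b"\0")
def sample_record(recno, name, size, flags):  # constructed FILE record, not taken from a real volume
    ft = 133485408000000000  # FILETIME for 2024-01-01T00:00:00Z (invented sample time)
    std = struct.pack("<QQQQIIII", ft, ft + 10_000_000, ft, ft, 0x20, 0, 0, 0)
    fn = struct.pack("<QQQQQQQIIBB", 5, ft, ft, ft, ft, size, size, 0x20, 0, len(name), 1) + name.encode("utf-16-le")
    attrs = attr(0x10, std) + attr(0x30, fn) + b"\xff" * 4
    hdr = struct.pack("<4sHHQHHHHIIQHHIHHH2x", b"FILE", 0x30, 3, 0, 1, 1, 0x38, flags, 0x38 + len(attrs), 1024, 0, 3, 0, recno, 7, 0, 0)
    rec = bytearray((hdr + attrs).ljust(1024, b"\0"))  # header ends with the USA: USN 7 plus two saved words
    rec[510:512] = rec[1022:1024] = b"\x07\x00"  # USN stamped over both sector tails, as on disk
    return bytes(rec)
SAMPLE_MFT = sample_record(40, "report.docx", 2048, 1) + sample_record(41, "old.txt", 10, 0) + bytes(1024)
```

Record 41 carries the in-use flag cleared, which is how a deleted file's entry still surfaces in the CSV until NTFS reuses the slot.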

Forensic Value

This evidence is crucial for forensic investigations as it provides a complete timeline and inventory of all files that have existed on the system. The MFT preserves information about deleted files and can reveal file system activity that isn't visible through normal file browsing. Analysts can use this information to reconstruct user actions, identify deleted files, detect data exfiltration, and establish comprehensive timelines of file activity.
