MFT (Binary)
Overview
Evidence: MFT
Description: Dump Raw Contents of $MFT
Category: NTFS
Platform: Windows
Short Name: mft
Is Parsed: No - Raw binary MFT file
Sent to Investigation Hub: Yes
Collect File(s): No
Background
The Master File Table ($MFT) is the core metadata file for NTFS volumes. This evidence type collects the raw binary $MFT file itself (as opposed to the parsed CSV version).
The raw MFT file can be analyzed with specialized tools to extract more detail than the CSV export carries, including deleted file entries (records whose in-use flag has been cleared but which have not yet been reused), MFT record slack, the resident data of small files stored directly in their records, and the complete set of NTFS attributes rather than the columns a CSV export selects.
Data Collected
Field        Description          Example value
Type         File type            Mft
Name         File name            $MFT
SourcePath   Original path        C:\$MFT
FilePath     Path in evidence     NTFSFiles/$MFT
FileSize     File size in bytes   536870912
Collection Method
This collector uses a kernel driver for raw NTFS access to read $MFT from each fixed NTFS volume; Windows does not let the normal file API open $MFT, so it cannot be copied like an ordinary file. The raw MFT is collected byte-for-byte, without parsing.
Usage
Raw MFT files enable NTFS forensics beyond what CSV parsing offers. Investigators use this data to recover the metadata of deleted files from MFT records that are no longer in use, to build timelines from the $STANDARD_INFORMATION and $FILE_NAME timestamps (comparing the two sets helps spot timestamp manipulation), to examine MFT record slack, to inspect NTFS attributes directly, and to run specialized MFT parsers for deeper examination.
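As an added example (not the collector's own code), the following Python script shows what "advanced NTFS forensics" on the raw dump looks like in practice: it walks a raw $MFT image record by record, undoes the update-sequence fixups NTFS stamps onto every sector, decodes the resident $STANDARD_INFORMATION and $FILE_NAME attributes, and lists records that still hold a name but are no longer in use, which is exactly what the CSV export drops. The attribute offsets follow the public NTFS on-disk layout; the record size of 1024 bytes, the helper build_record and the four-record SAMPLE_MFT image are assumptions constructed here so the script runs offline. To use it on a collected NTFSFiles/$MFT, replace SAMPLE_MFT with the file's bytes.

```python
"""Walk a raw $MFT dump, undo update-sequence fixups, and decode the resident
$STANDARD_INFORMATION / $FILE_NAME attributes so that records no longer in use
(deleted files) can be listed. Added example, not the collector's own code;
offsets follow the public NTFS layout, the sample records are constructed."""
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE, SECTOR_SIZE = 1024, 512            # assumed defaults (true on almost every NTFS volume)
ATTR_STD_INFO, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
FLAG_IN_USE, FLAG_DIRECTORY = 0x01, 0x02
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime(ticks):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return EPOCH + timedelta(microseconds=ticks // 10)


def apply_fixups(rec):
    """Restore the last two bytes of every sector from the update sequence array.
    A tail that does not match the USN means a torn or corrupt record."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    out = bytearray(rec)
    for i in range(1, usa_cnt):
        end = i * SECTOR_SIZE
        if out[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i}")
        out[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)


def parse_record(rec):
    """Parse one record; None for unused (zeroed) or BAAD records."""
    if rec[:4] != b"FILE":
        return None
    rec = apply_fixups(rec)
    seq, links, attr_off, flags = struct.unpack_from("<HHHH", rec, 0x10)
    entry = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "seq": seq,
             "in_use": bool(flags & FLAG_IN_USE), "is_dir": bool(flags & FLAG_DIRECTORY),
             "links": links, "names": [], "si_times": None}
    while attr_off + 16 <= len(rec):
        atype, alen, nonres = struct.unpack_from("<IIB", rec, attr_off)
        if atype == ATTR_END or alen == 0:
            break
        if not nonres:                          # resident content only; data runs are skipped
            clen, coff = struct.unpack_from("<IH", rec, attr_off + 0x10)
            body = rec[attr_off + coff:attr_off + coff + clen]
            if atype == ATTR_STD_INFO:          # created, modified, MFT-modified, accessed
                entry["si_times"] = [filetime(t) for t in struct.unpack_from("<4Q", body, 0)]
            elif atype == ATTR_FILE_NAME:       # one attribute per name (Win32, DOS, POSIX)
                parent_ref = struct.unpack_from("<Q", body, 0)[0]
                name = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
                entry["names"].append({"name": name, "namespace": body[0x41],
                                       "parent": parent_ref & 0xFFFFFFFFFFFF})
        attr_off += alen
    return entry


def parse_mft(data):
    """Yield parsed entries for every FILE record; corrupt records are skipped."""
    for off in range(0, len(data) - RECORD_SIZE + 1, RECORD_SIZE):
        try:
            entry = parse_record(data[off:off + RECORD_SIZE])
        except ValueError:
            continue
        if entry:
            yield entry


def deleted_entries(data):
    """Records that still carry a FILE header and a name but are not in use:
    NTFS keeps this metadata until the record is reallocated."""
    return [e for e in parse_mft(data) if not e["in_use"] and e["names"]]


def build_record(recno, seq, name, parent, in_use, is_dir=False, usn=b"\x07\x00"):
    """Constructed sample (assumption): a FILE record with resident $STANDARD_INFORMATION
    and a Win32 $FILE_NAME, sector tails stamped the way NTFS writes them."""
    def resident(atype, aid, body):
        pad = b"\x00" * (-len(body) % 8)        # attributes are 8-byte aligned
        return struct.pack("<IIBBHHHIHBB", atype, 0x18 + len(body) + len(pad), 0, 0,
                           0x18, 0, aid, len(body), 0x18, 0, 0) + body + pad
    ft = 132_000_000_000_000_000                 # arbitrary FILETIME in 2019
    si = struct.pack("<4QI", ft, ft, ft, ft, 0x20).ljust(0x48, b"\x00")
    fn = struct.pack("<5Q2QIIBB", parent | (5 << 48), ft, ft, ft, ft, 0, 0, 0, 0,
                     len(name), 1) + name.encode("utf-16-le")
    attrs = resident(ATTR_STD_INFO, 0, si) + resident(ATTR_FILE_NAME, 1, fn) + b"\xff" * 4
    flags = (FLAG_IN_USE if in_use else 0) | (FLAG_DIRECTORY if is_dir else 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, seq, 1, 0x38, flags,
                      0x38 + len(attrs), RECORD_SIZE, 0, 2, 0, recno)
    rec = bytearray((hdr + b"\x00" * 8 + attrs).ljust(RECORD_SIZE, b"\x00"))
    rec[0x30:0x32] = usn
    for i in (1, 2):                             # save each sector tail, then stamp the USN
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * SECTOR_SIZE - 2:i * SECTOR_SIZE]
        rec[i * SECTOR_SIZE - 2:i * SECTOR_SIZE] = usn
    return bytes(rec)


SAMPLE_MFT = b"".join([                          # constructed four-record image
    build_record(5, 5, ".", 5, in_use=True, is_dir=True),    # root directory
    build_record(64, 1, "report.docx", 5, in_use=True),      # live file
    build_record(65, 3, "secret.txt", 5, in_use=False),      # deleted, record not yet reused
    b"\x00" * RECORD_SIZE,                                   # never allocated
])

if __name__ == "__main__":
    for e in deleted_entries(SAMPLE_MFT):
        n = e["names"][0]
        print(f"deleted: record {e['record']} seq {e['seq']} {n['name']!r} "
              f"parent {n['parent']} created {e['si_times'][0]:%Y-%m-%d}")
```

Two details matter when pointing this at a real dump: the fixups must be applied before any attribute is read, because the two bytes NTFS overwrites at the end of each sector can land inside an attribute body, and a record whose tails do not match its USN should be reported rather than silently trusted, since that is how torn writes and deliberate tampering show up. The record size is read from the volume boot sector in a full tool; 1024 bytes is assumed here.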
Known Limitations
Only available on NTFS volumes
Requires driver for raw disk access
Can be very large (hundreds of MB to several GB)
Requires specialized tools to parse (MFTECmd, analyzeMFT, etc.)
Notes
This is the raw binary $MFT, as opposed to the "MFT as CSV" evidence type, which is the parsed version. Use a dedicated parser such as Eric Zimmerman's MFTECmd or analyzeMFT for analysis.