MFT Mirror

Overview

Evidence: MFT Mirror Description: Dump MFT Mirror as Raw Category: NTFS Platform: Windows Short Name: mftmir Is Parsed: No - Raw binary file Sent to Investigation Hub: Yes Collect File(s): No

Background

The MFT Mirror ($MFTMIRR) is a backup copy of the first few entries of the MFT, stored in the middle of the NTFS volume. It provides redundancy for critical MFT entries and can be used to recover the MFT if it becomes corrupted.

The MFT Mirror typically contains the first 4 MFT entries which describe the MFT itself and other critical system files.

Data Collected

Field

Description

Example

Type

File type

MftMirror

Name

File name

$MFTMIRR

SourcePath

Original path

C:$MFTMIRR

FilePath

Path in evidence

NTFSFiles/$MFTMIRR

FileSize

File size in bytes

4096

Collection Method

This collector uses kernel driver to read the raw $MFTMIRR file from each fixed NTFS drive.

Usage

MFT Mirror can help recover corrupted MFT entries or verify MFT integrity. Investigators use this data for MFT corruption analysis, MFT recovery operations, and NTFS integrity verification.

Known Limitations

Only available on NTFS volumes
Requires driver for raw access
Very small file (typically 4KB)
Limited to first few MFT entries

Notes

$MFTMIRR is primarily used for NTFS recovery scenarios. In forensics, it's mainly useful for verifying MFT integrity or recovering from MFT corruption.

PreviousMFT (Binary)NextMFT as CSV

Last updated 47 minutes ago

Was this helpful?