# MFT Mirror

## Overview

**Evidence:** MFT Mirror\
**Description:** Dump MFT Mirror as raw\
**Category:** DiskFilesystem\
**Platform:** windows\
**Short Name:** mftmir\
**Is Parsed:** No\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** Yes

## Background

The MFT Mirror ($MFTMIRR) is a backup copy of the first few entries of the MFT, stored in the middle of the NTFS volume. It provides redundancy for critical MFT entries and can be used to recover the MFT if it becomes corrupted. The MFT Mirror typically contains the first 4 MFT entries, which describe the MFT itself and other critical system files.

## Data Collected

This collector gathers structured data about the MFT Mirror.

## Collection Method

This collector uses a kernel driver to read the raw $MFTMIRR file from each fixed NTFS drive.

## Forensic Value

The MFT Mirror can help recover corrupted MFT entries or verify MFT integrity. Investigators use this data for MFT corruption analysis, MFT recovery operations, and NTFS integrity verification.
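
The integrity check described above can be run offline against the collected raw file. The following Python code is an added example, not part of the collector or its vendor's tooling. It assumes a raw `$MFT` dump from the same volume is also available; the function names and the sample records are constructed for illustration.

```python
import struct

# First 32 bytes of an NTFS FILE record: signature, update-sequence offset and
# count, $LogFile LSN, sequence number, link count, first-attribute offset,
# flags, used size, allocated size.
HEADER = struct.Struct("<4sHHQHHHHII")

def record_size_of(record0: bytes) -> int:
    """Return the allocated record size stored at offset 0x1C of the header."""
    sig, *_rest, alloc = HEADER.unpack_from(record0)
    if sig != b"FILE" or alloc == 0 or alloc % 512:
        raise ValueError("record 0 has no usable FILE header")
    return alloc

def compare_mirror(mft: bytes, mirror: bytes) -> list:
    """Compare every record in the $MFTMIRR dump with the same slot in $MFT."""
    size = record_size_of(mirror)
    results = []
    for idx in range(len(mirror) // size):
        m = mirror[idx * size:(idx + 1) * size]
        p = mft[idx * size:(idx + 1) * size]
        if m[:4] != b"FILE":
            status = "mirror-bad-signature"
        elif len(p) < size:
            status = "mft-record-missing"
        elif p[:4] != b"FILE":
            status = "mft-bad-signature"
        elif p == m:
            status = "match"
        else:
            # A lead to examine, not proof of corruption or tampering.
            status = "differs"
        results.append((idx, status))
    return results

def _sample_record(number: int, size: int = 1024) -> bytes:
    """Constructed stand-in for a FILE record (header only, zero-filled body)."""
    hdr = HEADER.pack(b"FILE", 0x30, 3, 0, number or 1, 1, 0x38, 1, 0x38, size)
    return hdr + bytes(size - len(hdr))

def demo() -> list:
    """Constructed input: a 4-record mirror and an MFT with record 2 altered."""
    mirror = b"".join(_sample_record(n) for n in range(4))
    mft = bytearray(mirror + _sample_record(4))
    mft[2 * 1024 + 0x40] ^= 0xFF  # simulate damage inside record 2
    return compare_mirror(bytes(mft), mirror)

if __name__ == "__main__":
    print(demo())
```

With real evidence, pass the bytes of the collected `$MFTMIRR` file and the leading bytes of the `$MFT` dump to `compare_mirror` in place of the constructed records.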
