MFT Mirror

Overview

Evidence: MFT Mirror Description: Dump MFT Mirror as raw Category: DiskFilesystem Platform: windows Short Name: mftmir Is Parsed: No Sent to Investigation Hub: Yes Collect File(s): Yes

Background

The MFT Mirror ($MFTMIRR) is a backup copy of the first few entries of the MFT, stored in the middle of the NTFS volume. It provides redundancy for critical MFT entries and can be used to recover the MFT if it becomes corrupted. The MFT Mirror typically contains the first 4 MFT entries which describe the MFT itself and other critical system files.

Data Collected

This collector gathers structured data about mft mirror.

Collection Method

This collector uses kernel driver to read the raw $MFTMIRR file from each fixed NTFS drive.

Forensic Value

MFT Mirror can help recover corrupted MFT entries or verify MFT integrity. Investigators use this data for MFT corruption analysis, MFT recovery operations, and NTFS integrity verification.