The Master File Table (MFT)

After a recent unauthorized file access on a Windows system, I had to learn a bit about the Windows file system and its data structures.

Taking the data below into account, the relevant information is easy to find by looking at these fields:

Filename #1

Std Info Modification date

Std Info Access date

One might ask: why not extend the displayed attributes in Windows Explorer and get the same information?

True! This would in fact give the same information, BUT you would violate the first rule of forensics: "do not change any information through your examination". This method still lets you look at the data without changing any timestamps.  :-)

 


To acquire a $MFT copy, I used "Forensic Get" (FGET) from HBGary, which can be downloaded here.

C:\>FGET.exe -extract c:\$Mft c:\Victims_Mft.bin
-= FGET v1.0 - Forensic Data Acquisition Utility - (c)HBGary, Inc 2010 =-
[+] Extracting File From Volume ...SUCCESS!

 

To dig into your $MFT copy, download the MFT Analyzer (analyzeMFT) here.

analyzeMFT-V1-7-x86.exe -f C:\myMFT.bin -o MFTExport.csv

This creates a CSV file from your MFT copy, which can be opened in Excel.

Two records from the export (one field per line):

Record type: Folder
Filename #1: /Users/Admin/AppData/Local/Microsoft/Windows/History
Std Info Creation date: 2012-03-29 16:44:24.849714
Std Info Modification date: 2012-03-29 16:45:23.490219
Std Info Access date: 2012-03-29 16:45:23.490219
Std Info Entry date: 2012-03-29 16:45:23.490219

Record type: File
Filename #1: /Users/Admin/AppData/Local/Microsoft/Windows/History/test.file
Std Info Creation date: 2015-07-06 19:12:31.253366
Std Info Modification date: 2015-07-06 19:12:31.253366
Std Info Access date: 2015-07-06 19:12:31.253366
Std Info Entry date: 2015-07-06 19:12:31.253366
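The Std Info and Filename columns in that CSV come straight from the $STANDARD_INFORMATION and $FILE_NAME attributes of each record in the $MFT copy. As an added example (not code from this post, from HBGary or from analyzeMFT), the Python below reads those attributes directly from a raw record, including the sector fixups a parser must undo first; it assumes the usual 1024-byte record size, shows only the record's own name (analyzeMFT rebuilds the full path from parent references), and builds a constructed sample record so it can be run offline.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
STD_INFO, FILE_NAME, END_MARKER = 0x10, 0x30, 0xFFFFFFFF          # attribute type ids
SI_KEYS = ("Std Info Creation date", "Std Info Modification date", "Std Info Entry date", "Std Info Access date")

def filetime_to_str(ft):
    # FILETIME is 100 ns ticks since 1601-01-01 UTC; format it like the analyzeMFT CSV columns
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%d %H:%M:%S.%f")

def apply_fixups(rec):
    # restore the last 2 bytes of each 512-byte sector that NTFS replaced with the update sequence number
    rec = bytearray(rec)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_cnt):
        if rec[i * 512 - 2:i * 512] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_record(rec):
    # one 1024-byte FILE record (assumed size) -> record type, first $FILE_NAME, four Std Info timestamps
    if rec[:4] != b"FILE":
        return None
    rec = apply_fixups(rec)
    off, flags = struct.unpack_from("<HH", rec, 20)   # first attribute offset, record flags
    out = {"Record type": "Folder" if flags & 0x02 else "File"}
    while off + 16 <= len(rec):
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        if not nonres:   # both attributes we want are always resident
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            body = rec[off + coff:off + coff + clen]
            if atype == STD_INFO:   # created, modified, MFT entry changed, accessed
                out.update(zip(SI_KEYS, map(filetime_to_str, struct.unpack_from("<4Q", body))))
            elif atype == FILE_NAME and "Filename #1" not in out:
                out["Filename #1"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
        off += alen
    return out

def build_sample_record(name, stamps, is_dir):
    # constructed test record (not real $MFT data): header, resident SI and FN attributes, end marker, fixups
    attr = lambda t, b: struct.pack("<IIBBHHHIHBB", t, 24 + len(b), 0, 0, 0, 0, 0, len(b), 24, 0, 0) + b
    ft = [(datetime.fromisoformat(s).replace(tzinfo=timezone.utc) - EPOCH_1601) // timedelta(microseconds=1) * 10 for s in stamps]
    si = attr(STD_INFO, struct.pack("<4Q", *ft) + b"\0" * 16)
    fn = attr(FILE_NAME, b"\0" * 64 + bytes([len(name), 3]) + name.encode("utf-16-le"))
    hdr = b"FILE" + struct.pack("<HHQHHHH", 48, 3, 0, 1, 1, 56, 0x03 if is_dir else 0x01)
    rec = bytearray(hdr.ljust(56, b"\0") + si + fn + struct.pack("<I", END_MARKER)).ljust(1024, b"\0")
    rec[48:54] = b"\x07\x00" + rec[510:512] + rec[1022:1024]   # USA: usn + the saved sector-end bytes
    rec[510:512] = rec[1022:1024] = b"\x07\x00"
    return bytes(rec)
```

To walk a real copy such as Victims_Mft.bin, read it in 1024-byte chunks and pass each to parse_record, skipping the None results.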