
NTFS Master File Table Attributes
Digital Forensics Center, Department of Computer Science and Statistics, University of Rhode Island (URI)
http://www.forensics.cs.uri.edu

Master File Table ($MFT)
- Location and attributes for all files on the partition
- Including the other metafiles ($MFT, $MFTMirr, $BOOT, ...)
- Each FILE record is usually 1024 bytes
  - MFT Header: first 42 bytes
  - Attributes: remaining bytes
- Each attribute has
  - a header (16 bytes), followed by details of the attribute's location and size of content (8 or 56 bytes)
  - and content (size varies)

[Figure: NTFS partition layout ($BOOT, $MFT, $MFTMirr, file content) and an MFT file record laid out as MFT Header, then repeated pairs of Attribute Header (Loc/Siz) and Attribute Content, then Unused Space]

MFT File Attributes

Hex    Dec  Attribute              Description
0x10   16   $STANDARD_INFORMATION  Timestamps, counts, file type flags, owner
0x20   32   $ATTRIBUTE_LIST        Lists the location of all attribute records that do not fit in this MFT record
0x30   48   $FILE_NAME             File name (repeatable)
0x40   64   $OBJECT_ID             Unique identifier for the file (not common)
0x50   80   $SECURITY_DESCRIPTOR   Who owns the file and who can access it
0x60   96   $VOLUME_NAME           Used in $VOLUME metafile. Volume label
0x70   112  $VOLUME_INFORMATION    Used in $VOLUME metafile. NTFS version & dirty flag
0x80   128  $DATA                  Contains file data (repeatable)
0x90   144  $INDEX_ROOT            INDX record - used to implement folders and indexes
0xA0   160  $INDEX_ALLOCATION      INDX record - used to implement folders and indexes
0xB0   176  $BITMAP                Content mapping
0xC0   192  $REPARSE_POINT         Used for volume mount points and shortcuts
0xD0   208  $EA_INFORMATION        OS/2 compatibility extended attributes
0xE0   224  $EA                    OS/2 compatibility extended attributes
0x100  256  $EFS                   Logged utility data stream (used for EFS/encryption)


NTFS Attribute Header

Hex   Dec  Bytes  Description
0x00  0    4      Attribute Type Identifier (e.g. 0x10 = $STANDARD_INFORMATION)
0x04  4    4      Length of Attribute (includes header)
0x08  8    1      Non-Resident Flag (00 = content is resident, 01 = content is non-resident)
0x09  9    1      Length of Name (only for an Alternate Data Stream)
0x0A  10   2      Offset to Name (only for an Alternate Data Stream)
0x0C  12   2      Flags (0x0001 Compressed, 0x4000 Encrypted, 0x8000 Sparse)
0x0E  14   2      Attribute Identifier (counter)


Attribute Location & Size

Resident Attribute (follows the 16-byte attribute header)

Hex   Dec  Bytes  Description
0x10  16   4      Length of Attribute Content
0x14  20   2      Offset to Attribute Content
0x16  22   1      Indexed
0x17  23   1      Padding

$STANDARD_INFORMATION (0x10)

Hex   Dec  Bytes  Description
0x00  0    8      Creation Date and Time (UTC)
0x08  8    8      Last Modified Date and Time (UTC)
0x10  16   8      $MFT Modified Date and Time (UTC)
0x18  24   8      Last Accessed Date and Time (UTC)
0x20  32   4      Flags
0x24  36   4      Maximum Number of Versions
0x28  40   4      Version Number
0x2C  44   4      Class ID
0x30  48   4      Owner ID
0x34  52   4      Security ID
0x38  56   4      Quota Charged
0x40  64   8      Update Sequence Number

Flags

Hex     Description
0x0001  Read Only
0x0002  Hidden
0x0004  System File
0x0020  Archive
0x0040  Device File
0x0100  Temporary File
0x0200  Sparse
0x0400  Reparse Point
0x0800  Compressed
0x1000  Offline
0x2000  Not Indexed
0x4000  Encrypted
0x8000  Virtual

$FILE_NAME (0x30)

Hex   Dec  Bytes  Description
0x00  0    6      $MFT Record Number of Parent Directory
0x06  6    2      Sequence Number of the Parent Directory
0x08  8    8      Creation Date and Time (UTC)
0x10  16   8      Last Modified Date and Time (UTC)
0x18  24   8      $MFT Modified Date and Time (UTC)
0x20  32   8      Last Accessed Date and Time (UTC)
0x28  40   8      Allocated Size of the Index
0x30  48   8      Actual Size of the Index
0x38  56   4      Flags (same values as the $STANDARD_INFORMATION flags above)
0x3C  60   4      Reparse Value
0x40  64   1      Filename Length in Characters
0x41  65   1      Filename Namespace (0 = POSIX, 1 = Win32, 2 = DOS)

Slide example of one file carrying two $FILE_NAME attributes in different namespaces: the Win32 name MainQueueOnline1.que and the DOS 8.3 name MAINQU~2.QUE.
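Applying the attribute header, resident-attribute and $STANDARD_INFORMATION layouts above to a constructed record body, as an added Python example (not code from the slides): it walks the resident attributes using the length field, pulls the Alternate Data Stream name from the header, and decodes the four timestamps and the flag bits. The 0xFFFFFFFF end-of-attributes marker and the FILETIME epoch (100 ns ticks since 1601-01-01 UTC) are standard NTFS facts assumed here and not shown on the slides.

```python
import struct
from datetime import datetime, timedelta, timezone

# Attribute type codes and $STANDARD_INFORMATION flag bits, taken from the tables above
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}
SI_FLAGS = {0x0001: "Read Only", 0x0002: "Hidden", 0x0004: "System File", 0x0020: "Archive",
            0x0040: "Device File", 0x0100: "Temporary File", 0x0200: "Sparse",
            0x0400: "Reparse Point", 0x0800: "Compressed", 0x1000: "Offline",
            0x2000: "Not Indexed", 0x4000: "Encrypted", 0x8000: "Virtual"}
END_MARKER = 0xFFFFFFFF  # terminates the attribute list in a FILE record (assumed, not on the slides)

def filetime_to_utc(ft):
    """NTFS timestamps count 100 ns intervals since 1601-01-01 UTC (assumed epoch)."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_attributes(buf, off=0):
    """Walk attributes: 16-byte common header (offsets 0x00-0x0E) plus the 8-byte resident part."""
    attrs = []
    while off + 4 <= len(buf):
        atype = struct.unpack_from("<I", buf, off)[0]
        if atype == END_MARKER:
            break
        _, length, nonres, name_len, name_off, flags, attr_id = struct.unpack_from("<IIBBHHH", buf, off)
        a = {"type": ATTR_NAMES.get(atype, hex(atype)), "attr_id": attr_id, "flags": flags,
             "name": buf[off + name_off: off + name_off + 2 * name_len].decode("utf-16-le")}
        if nonres:  # content lives in data runs on disk, not inside this record
            a["content"] = None
        else:       # resident: length at 0x10 (4 bytes), offset at 0x14 (2 bytes), both header-relative
            clen, coff = struct.unpack_from("<IH", buf, off + 0x10)
            a["content"] = bytes(buf[off + coff: off + coff + clen])
        attrs.append(a)
        off += length  # 0x04: length of attribute including its header
    return attrs

def parse_standard_information(content):
    """Decode the four 8-byte timestamps at 0x00-0x18 and the 4-byte flags at 0x20."""
    created, modified, mft_modified, accessed, flags = struct.unpack_from("<QQQQI", content, 0)
    return {"created": filetime_to_utc(created), "modified": filetime_to_utc(modified),
            "mft_modified": filetime_to_utc(mft_modified), "accessed": filetime_to_utc(accessed),
            "flags": [name for bit, name in SI_FLAGS.items() if flags & bit]}

# Constructed sample: a resident $STANDARD_INFORMATION, then a resident named $DATA stream (an ADS)
TS = 132223104000000000  # 2020-01-01 00:00:00 UTC as a FILETIME value
SI_CONTENT = struct.pack("<QQQQ8IQ", TS, TS, TS, TS, 0x0020 | 0x0800, 0, 0, 0, 0, 0, 0, 0, 0)
SI_ATTR = struct.pack("<IIBBHHHIHBB", 0x10, 24 + len(SI_CONTENT), 0, 0, 0x18, 0, 0,
                      len(SI_CONTENT), 0x18, 0, 0) + SI_CONTENT
NAME, DATA = "secret".encode("utf-16-le"), b"hidden bytes"
DATA_ATTR = struct.pack("<IIBBHHHIHBB", 0x80, 24 + len(NAME) + len(DATA), 0, 6, 0x18, 0, 2,
                        len(DATA), 0x18 + len(NAME), 0, 0) + NAME + DATA
SAMPLE = SI_ATTR + DATA_ATTR + struct.pack("<I", END_MARKER)

if __name__ == "__main__":
    for attr in parse_attributes(SAMPLE):
        print(attr["type"], repr(attr["name"]), attr["content"])
    print(parse_standard_information(parse_attributes(SAMPLE)[0]["content"]))
```

A non-empty name on a $DATA attribute is how an Alternate Data Stream shows up in the record, which is why the name offset and length fields matter when triaging a file.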
