The $MFT, or Master File Table, plays a crucial role in the NTFS (New
Technology File System) used by Windows operating systems. It is essentially the master index for every file and
directory on an NTFS volume, so understanding its nuances is vital for forensic investigators, system
administrators, and security professionals alike. In this blog post, we'll thoroughly explore the $MFT file,
examining its structure, its functions, and its role in both normal and potentially malicious scenarios.
Additionally, we'll touch upon tools such as MFTECmd.exe by Eric Zimmerman and MACTIME in Linux, highlighting how
these tools can be used in forensic analysis to parse the $MFT.
Understanding the $MFT File
The Master File Table is a system file that resides at the heart of every NTFS volume. It contains a record for
every file and directory on the volume (including the NTFS system files and the $MFT itself) and holds the metadata
for each entry. The $MFT is divided into fixed-size records, each representing one file or directory. A record
holds attributes such as the file name, timestamps, attribute flags, security information, and either the file's
data itself (for small files) or pointers to the clusters on disk where the data lives.
$MFT File Size and Structure
The size of the $MFT varies with the size of the volume and the number of files and directories it holds. The
$MFT starts small when a volume is formatted and expands as entries are created; it does not shrink, because
deleted records are reused rather than released. The $MFT is organized into fixed-size records, typically 1,024
bytes each (the record size is stored in the volume's boot sector), and it grows by allocating additional records.
Understanding the size and structure of the $MFT is crucial for forensic investigators seeking to extract
meaningful information from this integral component of the NTFS file system. As of this article, a typical $MFT on
a regularly used computer tends to be around 250MB to 350MB. The Windows 11 computer I use as an example is
comically huge at a size of 1GB!!!
Relevant Information within $MFT on NTFS
The $MFT on NTFS contains a wealth of information essential for file system operations and forensic analysis.
Each MFT entry holds metadata such as timestamps (creation, modification, MFT-entry modification, and access), file
attribute flags, a reference to the file's security descriptor, and either the file's data itself or the data runs
pointing at its clusters on disk. This rich set of data allows investigators to reconstruct timelines, understand
file interactions, and delve into the details of file permissions and attributes, providing a comprehensive view
of file system activities.
MFT Zone: A Critical Region
The MFT Zone is a region of the NTFS volume reserved around the $MFT so that the table can grow contiguously;
ordinary file data is only allocated there once the rest of the volume is full, which keeps the $MFT from
fragmenting and helps performance. The zone is not a separate source of evidence: what an analyst examines is the
$MFT stored within it, including the records NTFS has marked unused. Because freed records are reused before the
table grows, a high record number does not by itself mean a file is recent, so patterns and anomalies should be
read from the records' timestamps and sequence numbers rather than from their position in the zone.
Where to Find the $MFT File
Locating the $MFT file is a fundamental step in forensic analysis. On Windows systems the $MFT lives in the root
directory of each NTFS volume as a hidden, protected system file, so its absolute path on the C: drive is
"C:\$MFT". The running operating system keeps it open, so it cannot simply be copied. Forensic investigators often
create disk images to preserve the state of the file system, and tools like FTK Imager can extract the $MFT from
an image or a live system so that MFTECmd.exe can parse the copy.
At a deeper level, the $MFT does not sit at a fixed sector. The NTFS boot sector (the first sector of the
partition) stores the starting cluster of the $MFT in its BIOS Parameter Block, the 8-byte "MFT cluster number"
field at offset 0x30, and on the example partition below that resolves to sector 0x10 (16) of the partition. To
help demonstrate this, see below for how to put it together and find it manually using FTK Imager and HxD.
1. Even with Super Hidden Files enabled in Windows 11, the $MFT cannot be seen in Explorer. Using FTK Imager
or other tools can help you find and extract the file.
Carving Out the $MFT File: From Start to End
Carving out the $MFT file involves extracting its content from a disk image or live file system for further
analysis. Forensic tools and techniques are employed to carve out the $MFT, starting from its initial location on
the disk. Analysts can use tools like dd or a forensic suite to create a copy of the $MFT file. The process relies
on the signature every record starts with (the ASCII string "FILE") to identify the records and copy them out byte
by byte, ensuring the integrity of the data for subsequent forensic analysis. Carving out the $MFT file is a
critical step in unraveling the mysteries it holds, allowing investigators to meticulously examine each entry for
insights into file system activities.
2. This part is more detailed than you really need and will be its own post, but I'll add this version here.
- In the screenshot below, you can see PHYSICALDRIVE1. Sector 1 of the drive (LBA 1, right after the protective
MBR) holds the GPT header, the "EFI PART" signature visible in the hex view. This is the partition manager for
GPT and records where the partition entry array is on disk.
- The partition entries normally start at LBA 2, byte offset 0x400 (1,024 bytes), and each entry is 128 bytes
(0x80) long.
3. The breakdown of how these are built will be on a new page once I create one, and I will replace this text
when it is ready to be linked.
- Doing the math on the offset of the first partition brings us to the image below. You can see in the image
that I haven't clicked a partition yet; I scrolled down / searched for it. The first partition most commonly
starts at sector 2,048 (0x800).
- The partitions start and end at the following sectors (hex):
- Partition 1:
- Start: 0x0800
- End: 0x827FF
- Partition 2: (feel free to try this on the other partitions if you want)
- Start: 0x082800
- End: 0x08A7FF
- Size: 16,776,704 bytes (16.7 MB) by plain subtraction; since GPT's end LBA is inclusive, the partition
actually spans 32,768 sectors, 16,777,216 bytes (exactly 16 MiB)
- (End sector minus start sector, times 512 bytes per sector, gives the size)
- 567,295 minus 534,528 = 32,767
- 32,767 * 512 bytes = 16,776,704
- Partition 3:
- Start: 0x08A800
- End: 0x38BB528E
- Partition 4:
- Start: 0x38BB5800
- End: 0x38D7C7FF
- Partition 5:
- Start: 0x38D7D000
- End: 0x3B97CFFF
For now you can click on the appropriate partition in FTK Imager to logically navigate to where you want to go.
4. Where we want to go is one of the NTFS partitions. You might notice that in my example the largest one, the
C: drive, is encrypted. This may dampen your style, depending on your scenario.
- What can be seen by looking at this partition is the OEM ID "-FVE-FS-" where a plain NTFS boot sector would
read "NTFS", which is a nice way of saying BitLocker encrypted.
- Because I am using the drive, it can be seen unencrypted.
- You will have to mount encrypted ones separately (unlocked, or with the recovery key) or use an unencrypted
partition for your testing.
5. Here you can see Partition 4 is not encrypted and allows me to go to the $MFT. (FILE0)
- Each MFT entry starts with the signature "FILE"; it reads as FILE0 in the hex view because the next byte,
0x30, is the offset of the update sequence array and happens to be ASCII "0". The $MFT's own record is always
entry 0.
- It starts at logical sector 0x10 (16) of the partition, byte offset 0x2000, counted from the partition, not
the disk.
- You can see from the image that the physical sector is actually 0x38BB5810 (sector 951,801,872).
- If you look back at the partition start in step 3, 0x38BB5800, the difference is 0x10, or 16 sectors.
Everything appears to line up, which is nice.
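The GPT arithmetic in step 3 and the $MFT lookup in step 5 can be done in code rather than by hand. The Python below is an added example written for this post, not code from FTK Imager, HxD or any other tool mentioned here. It constructs a GPT partition entry and an NTFS boot sector carrying the values from the walkthrough (partition 4 at LBA 0x38BB5800, $MFT at cluster 2 with 8 sectors per cluster, so partition sector 0x10), parses them using the real on-disk layouts, computes the partition size with the inclusive end LBA, resolves the $MFT to an absolute sector, and recognises a BitLocker volume by its OEM ID. The 512-byte sector size, the partition names and the $MFTMirr position are assumptions made for the sample data.

```python
import struct
import uuid

SECTOR = 512  # assumption: 512-byte logical sectors, as in the FTK Imager walkthrough above

# --- GPT partition entries (LBA 2 onward, 128 bytes each) -------------------------------

def make_gpt_entry(first_lba, last_lba, name):
    """Constructed 128-byte GPT entry for testing; the GUIDs are random, not from a real disk."""
    name_utf16 = name.encode("utf-16-le").ljust(72, b"\x00")
    return (uuid.uuid4().bytes_le + uuid.uuid4().bytes_le
            + struct.pack("<QQQ", first_lba, last_lba, 0) + name_utf16)

def parse_gpt_entry(entry):
    """Return start/end LBA and size for one entry, or None for an unused (all-zero type GUID) slot."""
    if len(entry) != 128:
        raise ValueError("GPT partition entries are 128 bytes")
    type_guid = uuid.UUID(bytes_le=entry[0:16])
    if type_guid.int == 0:
        return None
    first_lba, last_lba, attrs = struct.unpack_from("<QQQ", entry, 32)
    sectors = last_lba - first_lba + 1           # LastLBA is inclusive, hence the +1
    return {
        "type_guid": str(type_guid),
        "name": entry[56:128].decode("utf-16-le").rstrip("\x00"),
        "first_lba": first_lba,
        "last_lba": last_lba,
        "sectors": sectors,
        "size_bytes": sectors * SECTOR,
        "attributes": attrs,
    }

# --- NTFS boot sector (first sector of the partition) ------------------------------------

def make_ntfs_boot(mft_cluster=2, sectors_per_cluster=8, total_sectors=32768, oem=b"NTFS    "):
    """Constructed NTFS boot sector; only the BPB fields this example reads are populated."""
    boot = bytearray(SECTOR)
    boot[0:3] = b"\xEB\x52\x90"
    boot[3:11] = oem
    struct.pack_into("<HB", boot, 0x0B, SECTOR, sectors_per_cluster)
    # 0x28 total sectors, 0x30 $MFT cluster, 0x38 $MFTMirr cluster ($MFTMirr position is made up here)
    struct.pack_into("<QQQ", boot, 0x28, total_sectors, mft_cluster, mft_cluster + 1)
    struct.pack_into("<bxxxb", boot, 0x40, -10, 1)   # -10 means 2**10 = 1024-byte MFT records
    boot[0x1FE:0x200] = b"\x55\xAA"
    return bytes(boot)

def parse_ntfs_boot(boot):
    """Read the BPB fields needed to locate the $MFT, or report a BitLocker-wrapped volume."""
    if boot[0x1FE:0x200] != b"\x55\xAA":
        raise ValueError("missing 0x55AA boot signature")
    oem = bytes(boot[3:11])
    if oem == b"-FVE-FS-":                        # BitLocker: the NTFS boot sector is inside the encrypted volume
        return {"oem": oem, "bitlocker": True}
    if oem != b"NTFS    ":
        raise ValueError("not an NTFS boot sector: OEM ID %r" % oem)
    bps, spc = struct.unpack_from("<HB", boot, 0x0B)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", boot, 0x28)
    cpr = struct.unpack_from("<b", boot, 0x40)[0]
    record_size = 2 ** (-cpr) if cpr < 0 else cpr * spc * bps   # negative = log2 of the byte size
    return {"oem": oem, "bitlocker": False, "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total_sectors, "mft_lcn": mft_lcn, "mftmirr_lcn": mftmirr_lcn,
            "mft_record_size": record_size}

def locate_mft(partition_first_lba, boot_info):
    """Translate the $MFT's starting cluster into partition-relative and absolute disk positions."""
    if boot_info.get("bitlocker"):
        raise ValueError("BitLocker volume: unlock and mount it first; the $MFT is not reachable in the raw image")
    part_sector = boot_info["mft_lcn"] * boot_info["sectors_per_cluster"]
    return {"partition_sector": part_sector,
            "partition_byte_offset": part_sector * boot_info["bytes_per_sector"],
            "absolute_sector": partition_first_lba + part_sector}

# Figures from the walkthrough: partition 2 and 4 LBAs from step 3, $MFT at partition sector 0x10 from step 5.
PART2_ENTRY = make_gpt_entry(0x082800, 0x08A7FF, "Partition 2")
PART4_ENTRY = make_gpt_entry(0x38BB5800, 0x38D7C7FF, "Partition 4")
PART4_BOOT = make_ntfs_boot(mft_cluster=2, sectors_per_cluster=8)   # 2 * 8 = sector 16 (0x10)
BITLOCKER_BOOT = make_ntfs_boot(oem=b"-FVE-FS-")

if __name__ == "__main__":
    for entry in (PART2_ENTRY, PART4_ENTRY):
        p = parse_gpt_entry(entry)
        print("%-12s LBA 0x%X-0x%X  %d sectors  %d bytes" % (p["name"], p["first_lba"], p["last_lba"],
                                                            p["sectors"], p["size_bytes"]))
    print("$MFT:", locate_mft(0x38BB5800, parse_ntfs_boot(PART4_BOOT)))
    print("BitLocker volume:", parse_ntfs_boot(BITLOCKER_BOOT))
```

Against a real image, feed `parse_gpt_entry` the 128-byte slices starting at byte 1024 of the disk and `parse_ntfs_boot` the first 512 bytes of the partition; `locate_mft` then gives the sector to jump to in HxD, and the `-FVE-FS-` branch is the programmatic version of the BitLocker check in step 4.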
Looking at a more expanded view with 128 bytes across, you can see in the image below that each entry is 0x400
(1,024 bytes) long. That is the whole record: if a file's data fits inside it alongside the other attributes, the
data stays resident in the $MFT and is never written to separate clusters; larger data is non-resident and the
record only stores where the clusters are. See the section on resident files below for more on that.
- In this image we can see the system files whose records always come first:
- $MFT (entry 0)
- $MFTMirr (entry 1)
- $LogFile (entry 2)
- $AttrDef (entry 4)
- $I30 (not a file of its own: it is the name of the directory index attribute, seen here inside the root
directory's record, entry 5)
- $Bitmap (entry 6)
- The $MFT does grow in size as needed. In this scenario, looking at a smaller volume, the file is as small as
the offset seen at the bottom of the hex view.
- Hex value 0x03FF80 is the start of the last line (+0x80 for the 128 bytes on it)
- DEC: 262,016 bytes to the start of that line
- Add the trailing 128 bytes if you actually plan to calculate the total length from the given number:
262,144 bytes, which is exactly 256 records of 1,024 bytes.
Structure of $MFT Entries
Each $MFT entry has a standardized structure, comprising various attributes that store specific information about
the file or directory. Common attributes include:
1. Standard Information ($STANDARD_INFORMATION, type 0x10):
- Description: The Standard Information attribute is present in every $MFT entry and holds the core metadata
for the file or directory: four timestamps, the DOS-style attribute flags and, on NTFS 3.0 and later, the
security ID that points into $Secure. These are the timestamps Windows Explorer displays and the ones an
application can rewrite through SetFileTime, which is why they are the target of timestomping.
- Timestamps:
- Creation Timestamp: Indicates the date and time when the file or directory was created.
- Modification Timestamp: Reflects the last time the file's content was written.
- MFT Entry Modified Timestamp: Reflects the last time the record itself changed (rename, attribute or
permission change). The kernel maintains it and it cannot be set through SetFileTime.
- Access Timestamp: Represents the most recent time the file or directory was accessed, subject to the
volume's last-access update policy, which makes it the least reliable of the four.
- File Attributes:
- Read-Only: Indicates whether the file is read-only or can be modified.
- Hidden: Determines whether the file is visible or hidden in the file system.
- System: Marks the file as a system file, crucial for the functioning of the operating system.
- Archive: Flags the file as requiring archiving; typically used by backup software.
2. File Name ($FILE_NAME, type 0x30):
- Description: The File Name attribute stores the name of the file or directory together with a reference to
the parent directory's MFT record (record number plus sequence number). It also carries its own set of four
timestamps, written by the kernel when the entry is created (and refreshed from Standard Information when the
file is renamed or moved) and not changeable through the normal file APIs, which is what makes comparing them
against the Standard Information timestamps so useful.
- Unicode Character Encoding:
- UTF-16: The file name is stored in UTF-16, allowing for the representation of a wide range of characters
from different languages.
- Naming Conventions:
- Long File Names: Supports long file names (Win32 or POSIX namespace), allowing for more descriptive and
human-readable file and directory names.
- Short File Names (8.3): Accommodates the traditional 8.3 naming convention (DOS namespace) for compatibility
with older software. A file that has both names carries two $FILE_NAME attributes, one per name.
- Directory Structure:
- Parent Reference: The attribute does not store a full path. It records which directory contains the entry,
and a path is reconstructed by walking parent references back to the root directory (record 5). A directory's
own listing is kept separately in its index attributes (the $I30 index).
3. Data ($DATA, type 0x80):
- Description: The Data attribute holds the file's content or says where it is. If the content is small enough
to fit in the record it is stored resident, inside the $MFT entry itself; otherwise the attribute is non-resident
and contains a run list pointing at the clusters on disk. It is the link between the $MFT entry and the physical
location of the file's data.
- Cluster Allocation:
- Data Runs: A non-resident Data attribute stores a compact list of (starting cluster, length) runs rather than
one pointer per cluster; a fragmented file simply has more runs, and they need not be contiguous.
- File Size:
- Size Information: A non-resident Data attribute records the allocated size (clusters reserved), the real
size, and the initialized size, which is how the operating system knows how much space the file occupies and how
much of that allocation holds valid content.
- Alternate Data Streams: A file can carry additional named $DATA attributes (streams such as file.txt:hidden).
They do not appear as separate files and are a classic place to stash content.
4. Object ID ($OBJECT_ID, type 0x40):
- Description: The Object ID attribute is optional. It is assigned on demand (for example by the Distributed
Link Tracking service when a shortcut to the file is created) rather than at every file's creation, and once
assigned it stays with the file even if it is renamed or moved within the volume.
- Uniqueness:
- Globally Unique Identifier (GUID): The Object ID is a 16-byte GUID, and the volume keeps an index of them in
$Extend\$ObjId so that a file can be opened by ID.
- Use Cases:
- File Tracking: The Object ID is used for tracking files and directories where names may change; in forensic
analysis it helps correlate a file with the shortcut (LNK) files that reference it.
5. Security Descriptor ($SECURITY_DESCRIPTOR, type 0x50):
- Description: The Security Descriptor attribute contains the access control information for the associated
file or directory. On NTFS 3.0 and later volumes (Windows 2000 onward) descriptors are stored once in the $Secure
system file and each entry's Standard Information holds a 32-bit security ID that references one, so this
attribute is usually only seen on older volumes; the content is the same either way.
- Access Control List (ACL):
- Discretionary ACL (DACL): Specifies the discretionary access control list, determining who can access the
file and what level of access is granted.
- System ACL (SACL): Specifies the system access control list, governing auditing and security monitoring
settings.
- Owner and Group Information:
- Owner SID: Identifies the security identifier (SID) of the user or group that owns the file.
- Group SID: Identifies the security identifier (SID) of the primary group associated with the file.
- Permission Settings:
- Access Mask: Each access control entry grants or denies a mask of rights (read data, write data, execute,
delete, change permissions, take ownership, and so on) to a SID; "read, write, execute" is the coarse view of
those bits.
Residual MFT Files and Concealed Operations
Small files never leave the $MFT: if the content, together with the record header and the other attributes, fits
within the 1,024-byte record, the $DATA attribute is stored resident and no clusters are allocated on the volume.
The unused tail of a record after the end-of-attributes marker, often called MFT slack, is not necessarily
overwritten when the record is reused, so it can still hold fragments of whatever the record contained before, such
as an earlier file name or resident content. Both are easy to overlook: resident data is invisible to a
cluster-level carve, and slack is skipped by tools that stop at the end marker. Malicious actors can take advantage
of this by keeping a small payload or configuration resident, or in an alternate data stream, so that it never
shows up as a separately allocated file and standard directory listings give no hint of it.
In the example below, you can see that I created a file which takes up no space on the disk: its record already
occupies 1,024 bytes in the $MFT and all of its data fits inside that record. The header and the Standard
Information and File Name attributes take their share of the record as well, so the space available for resident
data is well under 1,024 bytes (roughly 700 bytes for a file with a short name).
MFT Record Deletion: What Happens?
When a file is deleted in the NTFS file system, the corresponding MFT record is not wiped. The in-use bit in the
record header's flags is cleared, the record is marked free in the $MFT's own $BITMAP attribute, and the slot
becomes available for reuse (its sequence number changes when the slot is reallocated, which is how stale
references to the old file are detected). The attributes, including the file name, the timestamps and any resident
data, stay in place until a new file overwrites them. This is part of NTFS's strategy to avoid constantly growing
and shrinking the $MFT. Forensic investigators can leverage this by parsing records whose in-use flag is clear: the
metadata and resident content often survive intact, and for non-resident files the run list still says where the
clusters were, which may be recoverable if they have not been reallocated.
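To make the record layout, resident data, MFT slack and the in-use flag from the last three sections concrete, here is an added Python example (not code from this post, from MFTECmd or from any other tool) that builds a constructed 1,024-byte FILE record with resident $STANDARD_INFORMATION, $FILE_NAME and $DATA attributes and parses it back the way a forensic parser must: it checks the FILE signature, applies the update-sequence fixups, walks the attribute list, decodes the four timestamps of each attribute, the parent reference and the name, returns resident content, decodes a non-resident run list, and reports how much slack follows the end marker. The sample record (entry 5801, notes.txt, a 2019 $SI creation time on a file whose $FN says 2024) is invented; record 5 as the parent is the NTFS root directory.

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR, RECORD_SIZE = 512, 1024
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SI, FN, DATA, END = 0x10, 0x30, 0x80, 0xFFFFFFFF   # attribute type codes and the end-of-attributes marker

def filetime_to_dt(ft):      # NTFS timestamps: 100 ns ticks since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def resident_attr(atype, body, attr_id):
    """24-byte resident attribute header followed by the body, padded to an 8-byte boundary."""
    length = (24 + len(body) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, 0, 0, 0, attr_id, len(body), 24, 0, 0)
    return (hdr + body).ljust(length, b"\x00")

def build_record(number, name, data, si_times, fn_times, in_use=True, parent=5):
    """Constructed 1024-byte FILE record with resident $SI, $FN and $DATA (test data, not from a real volume)."""
    si = struct.pack("<4Q6I2Q", *si_times, 0x20, 0, 0, 0, 0, 0, 0, 0)
    fn = struct.pack("<Q4QQQIIBB", (7 << 48) | parent, *fn_times, 0, len(data), 0x20, 0, len(name), 3)
    attrs = (resident_attr(SI, si, 0) + resident_attr(FN, fn + name.encode("utf-16-le"), 1)
             + resident_attr(DATA, data, 2) + struct.pack("<I", END))
    used = 0x38 + len(attrs)                    # 48-byte header + update sequence array, then the attributes
    if used > RECORD_SIZE:
        raise ValueError("%d bytes of data will not fit resident; it would need a non-resident $DATA" % len(data))
    rec = bytearray(RECORD_SIZE)
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 0x30, 3, 0, 1, 1, 0x38,
                     1 if in_use else 0, used, RECORD_SIZE, 0, 3, 0, number)
    rec[0x38:used] = attrs
    usn = b"\x07\x00"                           # update sequence number, written over the last 2 bytes of each sector
    rec[0x30:0x32] = usn
    for i in (1, 2):
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * SECTOR - 2:i * SECTOR]   # the originals go into the array
        rec[i * SECTOR - 2:i * SECTOR] = usn
    return bytes(rec)

def decode_data_runs(runs):
    """Non-resident $DATA: decode the run list into (LCN, cluster count) pairs; LCN None means a sparse run."""
    out, lcn, i = [], 0, 0
    while i < len(runs) and runs[i] != 0:
        len_sz, off_sz = runs[i] & 0x0F, runs[i] >> 4
        count = int.from_bytes(runs[i + 1:i + 1 + len_sz], "little")
        delta = int.from_bytes(runs[i + 1 + len_sz:i + 1 + len_sz + off_sz], "little", signed=True)
        lcn += delta                             # offsets are relative to the previous run
        out.append((lcn if off_sz else None, count))
        i += 1 + len_sz + off_sz
    return out

def decode_resident(atype, body):
    if atype == SI:
        c, m, mc, a = struct.unpack_from("<4Q", body, 0)
        return dict(resident=True, created=filetime_to_dt(c), modified=filetime_to_dt(m),
                    mft_modified=filetime_to_dt(mc), accessed=filetime_to_dt(a))
    if atype == FN:
        parent, c, m, mc, a, _alloc, real, _fl, _rp, nlen, ns = struct.unpack_from("<Q4QQQIIBB", body, 0)
        return dict(resident=True, parent_record=parent & 0xFFFFFFFFFFFF, created=filetime_to_dt(c),
                    modified=filetime_to_dt(m), mft_modified=filetime_to_dt(mc), accessed=filetime_to_dt(a),
                    real_size=real, namespace=ns, name=body[66:66 + 2 * nlen].decode("utf-16-le"))
    return dict(resident=True, content=body)    # e.g. a resident $DATA: the file content lives in the record

def parse_record(raw):
    """Verify the signature, apply the fixups, then walk the attributes of one raw MFT record."""
    if raw[:4] != b"FILE":
        raise ValueError("no FILE signature: never-used slot or not an MFT record")
    rec = bytearray(raw)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_cnt):                  # put the real sector-end bytes back before parsing
        end = i * SECTOR
        if bytes(rec[end - 2:end]) != usn:
            raise ValueError("fixup mismatch at byte %d (torn write or corrupt record)" % end)
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    seq, links, first_attr, flags, used, alloc = struct.unpack_from("<HHHHII", rec, 0x10)
    out = dict(record=struct.unpack_from("<I", rec, 0x2C)[0], seq=seq, links=links, in_use=bool(flags & 1),
               is_dir=bool(flags & 2), used=used, slack_bytes=alloc - used, attrs={})
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END or alen == 0:
            break
        if rec[off + 8]:                         # non-resident: only the run list is stored in the record
            runs_off = struct.unpack_from("<H", rec, off + 0x20)[0]
            out["attrs"][atype] = dict(resident=False, runs=decode_data_runs(rec[off + runs_off:off + alen]))
        else:
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            out["attrs"][atype] = decode_resident(atype, bytes(rec[off + coff:off + coff + clen]))
        off += alen
    return out

# Constructed samples: a file created in 2024 whose $SI timestamps were pushed back to 2019,
# and the same record after deletion (in-use flag cleared, attributes untouched).
T2019 = dt_to_filetime(datetime(2019, 1, 1, tzinfo=timezone.utc))
T2024 = dt_to_filetime(datetime(2024, 3, 1, 9, 15, 21, tzinfo=timezone.utc))
LIVE_RECORD = build_record(5801, "notes.txt", b"hello", (T2019,) * 4, (T2024,) * 4)
DELETED_RECORD = build_record(5801, "notes.txt", b"hello", (T2019,) * 4, (T2024,) * 4, in_use=False)
```

Run `parse_record` over consecutive 1,024-byte slices of an extracted $MFT and the `in_use` flag separates live from deleted entries while `slack_bytes` tells you how much of each record is worth carving. The fixup step matters on real data: the last two bytes of every sector are replaced by the update sequence number on disk, so skipping it silently corrupts any attribute that straddles a sector boundary, and a mismatch is itself a sign of a torn write or tampered record.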
Normal Use Case: How $MFT Facilitates File System Operations
In a typical, non-malicious scenario, the $MFT file plays a crucial role in facilitating file system operations.
When a user creates, modifies, or deletes a file, the corresponding changes are reflected in the $MFT entries. For
instance, if a user creates a new document, the $MFT entry for that file is updated with the relevant metadata,
including the creation timestamp and file attributes. This seamless interaction with the $MFT ensures that the file
system maintains accurate records and efficiently organizes data.
Malicious Use Case: Exploiting $MFT for Stealthy Activities
Unfortunately, the same features that make the $MFT essential for normal file system operations can also be
exploited for malicious purposes. Malware and attackers may manipulate $MFT entries to hide files, conceal their
activities, or evade detection. For example, an attacker may rewrite the Standard Information timestamps (what
SetFileTime and the tools built on it change) to mislead investigators about when a file was created or modified;
the File Name timestamps, which the kernel sets, are usually left behind as a contradiction. They could also tuck
small payloads or configuration into resident data or alternate data streams, which never appear as separately
allocated files and fly under the radar of a casual directory listing.
Forensic Analysis: Parsing $MFT with MFTECmd.exe and MACTIME
To unravel the mysteries hidden within the $MFT file, forensic investigators rely on specialized tools for parsing
and analyzing its contents. One such tool is MFTECmd.exe, developed by digital forensics expert Eric Zimmerman.
This command-line utility extracts the attributes of every $MFT entry, deleted ones included, into formats that
are easy to analyze.
Using MFTECmd.exe
MFTECmd.exe takes the extracted $MFT with -f and writes either a CSV (--csv output-directory, with --csvf to name
the file) or a bodyfile (--body output-directory, with --bodyf to name the file and --bdl to set the drive letter
that prefixes each path). The CSV holds one row per entry with both the Standard Information (0x10) and File Name
(0x30) timestamps, and it flags rows where the two disagree (SI<FN) or where the sub-second part of the Standard
Information timestamps is all zeros (uSecZeros), so it is invaluable for reconstructing events, understanding the
sequence of file-related operations, and spotting timestomping.
From Windows PowerShell or CMD:
.\MFTECmd.exe -f $MFT --bdl C --body c:\Blog_MFT\ --bodyf Example_MFT.body
Note that PowerShell expands an unquoted $MFT as a variable, so quote it there ('$MFT'); CMD passes it through
as-is. To make the times more readable, see the next paragraph for MACTIME in Linux.
MACTIME in Linux
For investigators working in a Linux environment, mactime from The Sleuth Kit is the standard tool for turning a
bodyfile into a sorted timeline. It does not read the $MFT itself; it consumes the bodyfile produced by MFTECmd
--body (or by fls against an image), which makes it easy to carry MFTECmd output from a Windows workstation into a
Linux timeline workflow, or to merge it with bodyfiles from other sources.
From Linux you can sort the data into a readable, comma-separated timeline with ISO 8601 (year-first) dates using:
mactime -d -y -b DC01_FLS_tln.body > DC01_FLS_tln.csv
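As an added example of what to do with MFTECmd's output once you have it (this is not MFTECmd's or mactime's own code), the Python below reads a constructed MFTECmd-style CSV, re-derives the two timestomping indicators MFTECmd reports as SI<FN and uSecZeros from the raw 0x10 and 0x30 timestamp columns so you can see how they are computed, and writes each row as a Sleuth Kit bodyfile line that mactime -b will accept. The column names are assumed to match the header MFTECmd --csv writes (Created0x10, Created0x30 and so on), and both rows are invented.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed MFTECmd-style CSV. Column names are assumed to match MFTECmd's --csv header
# (0x10 = $STANDARD_INFORMATION, 0x30 = $FILE_NAME); the two rows are made up for this example.
SAMPLE_CSV = """EntryNumber,SequenceNumber,InUse,ParentPath,FileName,FileSize,IsDirectory,Created0x10,LastModified0x10,LastRecordChange0x10,LastAccess0x10,Created0x30,LastModified0x30,LastRecordChange0x30,LastAccess0x30
5801,3,True,.\\Users\\alice\\Documents,report.docx,20480,False,2024-03-02 09:15:21.1234567,2024-03-02 09:40:03.4567890,2024-03-02 09:40:03.4567890,2024-03-02 09:40:03.4567890,2024-03-02 09:15:21.1234567,2024-03-02 09:15:21.1234567,2024-03-02 09:40:03.4567890,2024-03-02 09:15:21.1234567
9120,7,True,.\\Windows\\Temp,svchost.exe,61440,False,2019-01-01 00:00:00.0000000,2019-01-01 00:00:00.0000000,2024-03-02 10:02:44.8812345,2019-01-01 00:00:00.0000000,2024-03-02 10:02:44.8812345,2024-03-02 10:02:44.8812345,2024-03-02 10:02:44.8812345,2024-03-02 10:02:44.8812345
"""

# The three $SI stamps SetFileTime can write; LastRecordChange0x10 is kernel-maintained and stays precise.
SETTABLE_SI = ("Created0x10", "LastModified0x10", "LastAccess0x10")

def parse_ts(text):
    """'YYYY-MM-DD HH:MM:SS.fffffff' (7 fractional digits) -> (aware UTC datetime, 100 ns ticks in the second)."""
    whole, _, frac = text.partition(".")
    ticks = int(frac.ljust(7, "0")[:7]) if frac else 0
    dt = datetime.strptime(whole, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc, microsecond=ticks // 10)
    return dt, ticks

def check_row(row):
    """Return the timestomping indicators that fire for one MFTECmd row."""
    flags = []
    if parse_ts(row["Created0x10"])[0] < parse_ts(row["Created0x30"])[0]:
        flags.append("SI<FN")        # $SI creation predates the $FN stamp the kernel wrote when the record was made
    if all(parse_ts(row[col])[1] == 0 for col in SETTABLE_SI):
        flags.append("uSecZeros")    # whole-second $SI stamps: typical of tools that set times via SetFileTime
    return flags

def to_bodyfile(row):
    """One TSK 3.x bodyfile line: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime (epoch seconds)."""
    def epoch(col):
        return str(int(parse_ts(row[col])[0].timestamp()))
    name = row["ParentPath"].rstrip("\\") + "\\" + row["FileName"]
    if row["InUse"] != "True":
        name += " (deleted)"         # same convention fls uses for unallocated entries
    mode = "d/drwxrwxrwx" if row["IsDirectory"] == "True" else "r/rrwxrwxrwx"
    return "|".join(["0", name, row["EntryNumber"], mode, "0", "0", row["FileSize"],
                     epoch("LastAccess0x10"), epoch("LastModified0x10"),
                     epoch("LastRecordChange0x10"), epoch("Created0x10")])

def scan(csv_text):
    """Return (entry number, file name, indicator flags, bodyfile line) for every row."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        results.append((int(row["EntryNumber"]), row["FileName"], check_row(row), to_bodyfile(row)))
    return results

if __name__ == "__main__":
    for entry, name, flags, body in scan(SAMPLE_CSV):
        print("%6d %-14s %s" % (entry, name, ",".join(flags) or "-"))
        print("       ", body)
```

Treat the flags as leads rather than verdicts: copy utilities, installers and archive extractors that preserve source timestamps produce legitimate SI<FN results, and a file written by a tool that only keeps second precision will trip uSecZeros without any malice. Pipe the bodyfile lines into mactime -d -y -b as above to get the same sorted timeline the post describes, with the $FN timestamps available in the CSV when a flagged row needs a second look.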
Alternatively you can use MFT Explorer, Eric Zimmerman's GUI for the same data, if you want an easy way to load
and browse the $MFT. It might take a while to process a large one though.
Resources:
SANS / Zimmerman - MFT Explorer