$MFT help trying to deconstruct.

18 Posts
11 Users
0 Reactions
1,512 Views
(@xaberx)
Estimable Member
Joined: 17 years ago
Posts: 105
Topic starter  

I am currently working on deconstructing the $MFT from an imaged drive. I am currently using Brian Carrier's File System Forensic Analysis (Ch 11-12) to try and read the MFT at the byte level. I have found how to pull the file name and recognize it, as it maintains an offset each time, but is there a mark I can look for that indicates if the file was deleted and where the file data is actually stored? The book is very helpful in getting me started; I was just wondering if anyone had experience with working on an image file's $MFT at the byte level for NTFS. Thanks. I am also running into difficulty pulling last access dates\creation\modification dates as well. I think I found the block of hex that controls it, but to decrypt it will be a pain.

Thanks, any help is appreciated.
Does anyone know of a white paper besides the book mentioned above for $MFT?

Ryan Manley
Xabersoft


cfprof
(@cfprof)
Trusted Member
Joined: 20 years ago
Posts: 80
 

Carrier's book is excellent. It is the definitive published reference for this stuff.

Training and experience give you the rest.

Yes, there is a two byte flag in a specific location in the MFT header that tells whether the file or folder is deleted or active.

Dates are given in both the 0x10 and 0x30 attributes after the attribute header. They are "decrypted" in a very normal way.

The file data may be stored in the MFT entry or may be in another location. The data runs show where it is stored.


(@ivalen)
Eminent Member
Joined: 18 years ago
Posts: 30
 

Yes, the entire MFT contains all that you are looking for.

Carrier's book is the right thing for you to be reading.


(@xaberx)
Estimable Member
Joined: 17 years ago
Posts: 105
Topic starter  

OK, I will take a look a bit further into chapters 12 and 13. As far as decrypting the date and time, I may not be pulling the right\right number of bytes when I am looking at it (this will just take practice). The book has been invaluable so far, as it's provided so much information and insight; I am just having issues using it from within an image file rather than pulling from a drive directly.

Thanks for the help I will continue my research and deconstruction to hopefully produce a great forensic tool.

Ryan Manley
Xabersoft


(@jimmyw)
Trusted Member
Joined: 20 years ago
Posts: 64
 

If you have the means to acquire X-Ways Forensics, I think you'll find that it does a remarkable job of parsing an MFT record. Through the highlighting and mouse over features, you can identify each attribute quite readily. I think that you'd find it helpful in visualizing what Brian Carrier's book describes.


(@ctaylor)
Eminent Member
Joined: 20 years ago
Posts: 27
 

For time and date, look to the Standard Information Attribute (Attribute Identifier 10 00 00 00 or 0x10). The date and time stamps you want to pull are located here. There are other time stamps in other attributes, as cfprof stated, but they may or may not be updated regularly.

I agree with Jimmy…once you feel like you understand how the $MFT is constructed, the best thing to do is grab X-Ways and highlight to your heart's content. Saved me a ton of time. If you have a specific question, shoot me a PM with your contact information and I'd be glad to try to do whatever I can to help. I also "fourth" Brian Carrier's book. Great stuff!

Chris


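The points cfprof and Chris make above (the in-use flag in the record header, the FILETIME stamps in the 0x10 and 0x30 attributes, and the data runs that say where a non-resident $DATA stream lives) can be checked directly against bytes. The following is an added worked example written for this thread, not code from any poster or from Carrier's book. It parses a single 1024-byte MFT record using the standard NTFS on-disk layout, and it also undoes the update sequence ("fixup") array first, which is the step most often missed when reading raw records out of an image rather than through a driver. Because no real image is available here, `build_sample_record` constructs a fictitious record for a file named `report.docx` (timestamps, cluster numbers and sizes are all made up) so the parser can be run offline; the `in_use` parameter flips the deletion flag so both states can be seen.

```python
import struct
from datetime import datetime, timedelta, timezone

STANDARD_INFORMATION, FILE_NAME, DATA = 0x10, 0x30, 0x80  # NTFS attribute type ids
FLAG_IN_USE, FLAG_DIRECTORY, RECORD_SIZE, SECTOR = 0x01, 0x02, 1024, 512
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME: 100-ns ticks since 1601-01-01 UTC
filetime_to_datetime = lambda ft: EPOCH + timedelta(microseconds=ft // 10)  # arithmetic, not decryption
to_filetime = lambda dt: ((dt - EPOCH) // timedelta(microseconds=1)) * 10

def apply_fixups(record):
    """Undo the update sequence array: each sector's last 2 bytes hold the USN on disk."""
    rec = bytearray(record)
    fix_off, fix_count = struct.unpack_from("<HH", rec, 0x04)
    usn = rec[fix_off:fix_off + 2]
    for i in range(1, fix_count):
        end = i * SECTOR - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fixup mismatch in sector %d: torn or corrupt record" % i)
        rec[end:end + 2] = rec[fix_off + 2 * i:fix_off + 2 * i + 2]  # restore the real bytes
    return bytes(rec)

def decode_data_runs(runs):
    """Run list -> [(start_cluster, count)]; header nibbles give field sizes, offsets are signed/relative."""
    out, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:
        len_sz, off_sz = runs[pos] & 0x0F, runs[pos] >> 4
        count = int.from_bytes(runs[pos + 1:pos + 1 + len_sz], "little")
        if off_sz:  # off_sz == 0 is a sparse run with no clusters on disk
            lcn += int.from_bytes(runs[pos + 1 + len_sz:pos + 1 + len_sz + off_sz], "little", signed=True)
        out.append((lcn if off_sz else None, count))
        pos += 1 + len_sz + off_sz
    return out

def _times(rec, off):  # four consecutive FILETIMEs
    names = ("created", "modified", "mft_modified", "accessed")
    return dict(zip(names, map(filetime_to_datetime, struct.unpack_from("<4Q", rec, off))))

def parse_mft_record(record):
    rec = apply_fixups(record)
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    pos, flags = struct.unpack_from("<HH", rec, 0x14)  # first-attribute offset at 0x14, flags word at 0x16
    info = {"in_use": bool(flags & FLAG_IN_USE), "directory": bool(flags & FLAG_DIRECTORY)}
    info["deleted"] = not info["in_use"]  # in-use bit clear: deleted and entry not yet reused
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0:  # end-of-attributes marker
            break
        non_resident, name_len, body = rec[pos + 8], rec[pos + 9], None
        if not non_resident:  # resident content follows the 24-byte attribute header
            csize, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            body = pos + coff
        if atype == STANDARD_INFORMATION and body is not None:
            info["si_times"] = _times(rec, body)
        elif atype == FILE_NAME and body is not None:
            info["fn_times"] = _times(rec, body + 8)  # timestamps follow the parent reference
            info["name"] = rec[body + 0x42:body + 0x42 + 2 * rec[body + 0x40]].decode("utf-16-le")
        elif atype == DATA and name_len == 0:  # the unnamed $DATA stream is the file content
            if non_resident:  # content is out in the clusters named by the data runs
                runs_off, = struct.unpack_from("<H", rec, pos + 0x20)
                real_size, = struct.unpack_from("<Q", rec, pos + 0x30)
                info["data"] = {"resident": False, "size": real_size,
                                "runs": decode_data_runs(rec[pos + runs_off:pos + alen])}
            else:  # small file: the content lives inside the MFT entry itself
                info["data"] = {"resident": True, "size": csize, "content": rec[body:body + csize]}
        pos += alen
    return info

# Builder for a constructed sample record, so the parser can be exercised offline.
def _attribute(header, body):  # pad to 8 bytes and patch the total length at offset 4
    raw = header + body + b"\x00" * (-(len(header) + len(body)) % 8)
    return raw[:4] + struct.pack("<I", len(raw)) + raw[8:]

def _resident(atype, content, attr_id):
    return _attribute(struct.pack("<IIBBHHHIHBB", atype, 0, 0, 0, 0x18, 0, attr_id,
                                  len(content), 0x18, 0, 0), content)

def _nonresident_data(runs, clusters, real_size, cluster_size, attr_id):
    return _attribute(struct.pack("<IIBBHHHQQHHIQQQ", DATA, 0, 1, 0, 0x40, 0, attr_id, 0, clusters - 1,
                                  0x40, 0, 0, clusters * cluster_size, real_size, real_size), runs)

def build_sample_record(in_use=True):
    """Constructed 1024-byte record for 'report.docx'; not taken from any real image."""
    ts = to_filetime(datetime(2009, 1, 2, 3, 4, 5, tzinfo=timezone.utc))
    si = struct.pack("<4Q", ts, ts + 10_000_000, ts + 20_000_000, ts + 30_000_000) + b"\x00" * 16
    name = "report.docx".encode("utf-16-le")  # $FILE_NAME: parent (entry 5 = root), 4 times, sizes, flags, name
    fn = struct.pack("<5QQQIIBB", 5 | (5 << 48), ts, ts, ts, ts, 24 * 4096, 90_000, 0x20, 0, 11, 3) + name
    runs = b"\x21\x10\x00\x10\x11\x08\x20\x00"  # constructed: 16 clusters from 4096, then 8 from 4128
    attrs = (_resident(STANDARD_INFORMATION, si, 0) + _resident(FILE_NAME, fn, 2)
             + _nonresident_data(runs, 24, 90_000, 4096, 3))
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQH", 0x30, 3, 0, 1, 1, 0x38, FLAG_IN_USE if in_use else 0,
                                0, RECORD_SIZE, 0, 4) + b"\x00\x00" + struct.pack("<I", 42) + b"\x00" * 8
    used = hdr + attrs + b"\xFF\xFF\xFF\xFF\x00\x00\x00\x00"  # end-of-attributes marker
    rec = bytearray(used.ljust(RECORD_SIZE, b"\x00"))
    struct.pack_into("<I", rec, 0x18, len(used))
    usn = rec[0x30:0x32] = b"\x07\x00"  # emulate the on-disk update sequence so fixups have real work
    for i in (1, 2):
        end = i * SECTOR - 2
        rec[0x30 + 2 * i:0x32 + 2 * i], rec[end:end + 2] = rec[end:end + 2], usn
    return bytes(rec)
```

Running `parse_mft_record(build_sample_record(in_use=False))` reports the record as deleted, names the file, returns the four $STANDARD_INFORMATION and four $FILE_NAME timestamps as UTC datetimes, and lists the data runs as (start cluster, cluster count) pairs; multiply the start cluster by the volume's cluster size and add the partition offset to find the content in the image. To use it on a real image, read 1024 bytes at the record's position in $MFT and pass them in; if the fixup check raises, the record was torn or the bytes are not a proper FILE record. Resident $DATA (small files stored inside the entry, as cfprof notes) is handled as well, with the content returned directly.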
(@mmachor)
Trusted Member
Joined: 17 years ago
Posts: 70
 

Which of the X-Ways tools specifically does the MFT parsing?


(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

Which of the X-Ways tools specifically does the MFT parsing?

The WinHex based products. Personally I use the X-Ways Forensics product.


(@jimmyw)
Trusted Member
Joined: 20 years ago
Posts: 64
 

It's only the Forensic edition.


(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206
 

It's only the Forensic edition.

I was thinking the Investigator version did as well. Thanks for clarifying.

