I am currently working on some new software and I am trying to locate the $MFT. I was able to find information about FAT-based systems, but from what I am reading NTFS has a different location for the $MFT. Is there a byte location to look at when examining a drive image for the MFT, or should I look for a series of bytes that show the location of the MFT? I am a bit confused as to how to read the MFT, but I hope to get it right through research.
Thanks for all the help.
Ryan Manley
Here are two excellent resources:
File System Forensic Analysis, by Carrier; publisher Addison-Wesley; ISBN 0-321-26817-2
Search for "NTFS Documentation" by Richard Russon and Yuval Fledel if it isn't at http//
Microsoft considers NTFS to be proprietary and won't discuss details, so reverse engineering is the best available technique for understanding it.
I'll second the "File System Forensic Analysis" Book. Good resource and very detailed.
NTFS is different from FAT in that there is no specific "system area" and everything is treated as a file. The starting location (cluster) of the $MFT can be found in the volume boot sector (offsets 48-55, I believe).
That book is an invaluable resource. It definitely should be in every forensic examiner's library!
I have that book, actually. I was a bit confused on how to read the file: how is $MFT stored if it's recognized as a file? Is it possible to access it while within the OS, or is it hidden so well that it can only be read at the byte level? Thanks for the fast responses, and that is a really good book; I just get a bit confused, lol.
I'm not an expert by any stretch of the imagination, and my experiences with $MFT have really just begun. That being said:
NTFS treats everything as a file. $MFT, $Boot, $MFTMirr... they are all files according to NTFS. All are hidden, and all are system files. $MFT can be found anywhere on the volume. I know FTK will identify the $MFT file, and I suspect most others will; however, I don't believe it will break down the individual FILE0/FILE* records contained within the $MFT.
To echo the posts of the others, Brian Carrier's book is your friend in this particular area.
To find the actual $MFT in use, you need to examine the $Boot file, which is found in the first sectors of the volume. The starting logical cluster of the $MFT is located at offset 0x30 (48 decimal), I believe, and runs for 8 bytes (remember... little-endian!).
Once you've got the starting cluster, it's time to start work!
I think that The Sleuth Kit (TSK) can handle some of the $MFT work, but in order to get a GOOD understanding of it, you should break at least a part of it down manually so you understand the file record header and each file attribute found in that record (usually $STANDARD_INFORMATION, $FILE_NAME and $DATA, but there can be a host of others).
Good luck!
Chris
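To put the two posts above together (the boot-sector offsets 48-55 mentioned earlier and the FILE record breakdown Chris describes), here is an added Python example; it is not from the original thread, nor from FTK, TSK or any other tool named here. It builds a constructed NTFS boot sector and a constructed 1 KiB FILE record in memory (no real image is read), computes where $MFT starts from the boot sector, undoes the update-sequence fixups NTFS writes at the end of every sector of a record, and walks the resident attributes. The sample values (cluster 786432, record number 64, the file name, the data bytes) are made up for the demonstration.

```python
import struct

# Attribute type codes named in the thread; anything else is reported as raw hex.
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}
END_MARKER = 0xFFFFFFFF


def parse_boot_sector(bs: bytes) -> dict:
    """Read the geometry needed to locate $MFT from an NTFS boot sector (start of $Boot)."""
    if bs[3:11] != b"NTFS    " or bs[510:512] != b"\x55\xaa":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", bs, 0x0B)
    mft_lcn, mftmirr_lcn = struct.unpack_from("<QQ", bs, 0x30)  # offsets 48-55 and 56-63, little-endian
    (cpfr,) = struct.unpack_from("<b", bs, 0x40)  # clusters per FILE record; negative n means 2**-n bytes
    cluster = bytes_per_sector * sectors_per_cluster
    # Offsets are relative to the volume start; on a whole-disk image add the partition's byte offset.
    return {"cluster_size": cluster, "mft_lcn": mft_lcn, "mft_byte_offset": mft_lcn * cluster,
            "mftmirr_byte_offset": mftmirr_lcn * cluster,
            "record_size": (1 << -cpfr) if cpfr < 0 else cpfr * cluster}


def undo_fixups(rec: bytes, sector_size: int = 512) -> bytearray:
    """Restore the last two bytes of each sector that NTFS overwrote with the update sequence number."""
    rec = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 0x04)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * sector_size
        if rec[end - 2:end] != usn:
            raise ValueError("update sequence mismatch: torn write or corrupt record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec


def parse_file_record(rec: bytes) -> dict:
    """Walk the attribute list of one MFT FILE record after undoing its fixups."""
    if rec[:4] != b"FILE":
        raise ValueError("no FILE signature")
    rec = undo_fixups(rec)
    first_attr, flags, used = struct.unpack_from("<HHI", rec, 0x14)
    (record_no,) = struct.unpack_from("<I", rec, 0x2C)
    attrs, off = [], first_attr
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            break
        entry = {"type": ATTR_NAMES.get(atype, hex(atype)), "non_resident": bool(rec[off + 8])}
        if not entry["non_resident"]:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
            entry["content_length"] = clen
            if atype == 0x30:  # $FILE_NAME: name length at 0x40, UTF-16LE name at 0x42
                entry["name"] = content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le")
        attrs.append(entry)
        off += alen
    return {"record_number": record_no, "in_use": bool(flags & 1),
            "is_directory": bool(flags & 2), "attributes": attrs}


# --- constructed sample data (not from a real volume) so the parsers above run offline ---
def build_sample_boot_sector() -> bytes:
    bs = bytearray(512)
    bs[0:3], bs[3:11], bs[510:512] = b"\xeb\x52\x90", b"NTFS    ", b"\x55\xaa"
    struct.pack_into("<HB", bs, 0x0B, 512, 8)      # 512-byte sectors, 8 per cluster = 4 KiB clusters
    struct.pack_into("<QQ", bs, 0x30, 786432, 2)   # $MFT at LCN 786432, $MFTMirr at LCN 2 (made up)
    struct.pack_into("<b", bs, 0x40, -10)          # FILE records are 2**10 = 1024 bytes
    return bytes(bs)


def _resident_attr(atype: int, content: bytes) -> bytes:
    total = (0x18 + len(content) + 7) & ~7         # attribute length is padded to 8 bytes
    a = bytearray(total)
    struct.pack_into("<IIBBHHH", a, 0, atype, total, 0, 0, 0x18, 0, 0)  # resident, unnamed
    struct.pack_into("<IH", a, 0x10, len(content), 0x18)               # content length / offset
    a[0x18:0x18 + len(content)] = content
    return bytes(a)


def build_sample_file_record(name: str = "notes.txt", record_no: int = 64) -> bytes:
    fn = bytearray(0x42)
    struct.pack_into("<Q", fn, 0, 5 | (5 << 48))   # parent = root directory (record 5, sequence 5)
    fn[0x40], fn[0x41] = len(name), 3              # name length, Win32+DOS namespace
    body = (_resident_attr(0x10, bytes(0x48)) + _resident_attr(0x30, bytes(fn) + name.encode("utf-16-le"))
            + _resident_attr(0x80, b"hello from the MFT\n") + struct.pack("<II", END_MARKER, 0))
    rec = bytearray(1024)
    rec[:4] = b"FILE"
    usa_off, usa_count, first_attr = 0x30, 3, 0x38  # USN plus one saved word per 512-byte sector
    struct.pack_into("<HHQHHHHII", rec, 0x04, usa_off, usa_count, 0, 1, 1, first_attr, 1,
                     first_attr + len(body), 1024)  # LSN, seq, links, first attr, in-use flag, used, alloc
    struct.pack_into("<I", rec, 0x2C, record_no)
    rec[first_attr:first_attr + len(body)] = body
    usn = b"\x07\x00"                              # apply fixups the way NTFS does on write
    rec[usa_off:usa_off + 2] = usn
    for i in range(1, usa_count):
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[i * 512 - 2:i * 512]
        rec[i * 512 - 2:i * 512] = usn
    return bytes(rec)


if __name__ == "__main__":
    geo = parse_boot_sector(build_sample_boot_sector())
    print("seek to byte", geo["mft_byte_offset"], "for $MFT; record size", geo["record_size"])
    print(parse_file_record(build_sample_file_record()))
```

Two caveats when you run this against a real image: the boot sector's cluster number is relative to the start of the volume, so on a whole-disk image you first have to add the partition's starting offset from the partition table; and only the first record of $MFT (record 0 is $MFT itself) sits at the cluster the boot sector names. The rest of the table is wherever $MFT's own $DATA attribute says it is, which is non-resident and described by data runs that this example does not decode. If the update-sequence check fails on a record, treat the record as torn or damaged rather than trusting the attributes inside it.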
Thanks for the help. I will experiment with a few 1 GB flash drives to get a feel for how it stores the data.
Keep in mind that most flash drives are shipped from the factory with a FAT filesystem; you'll need to format them as NTFS!
Take care!
Chris
xaberx, can I ask what type of software you are writing for NTFS?