The master file table mirror of NTFS – $MFTMirr

I have found some sources suggesting that NTFS stores a partial copy of the master file table (MFT) at a different location, called $MFTMirr:


The sources do not mention how much is "partial". Perhaps the first few levels of depth?

How often is the MFT mirror updated? With each mount? Immediately after writing? And how can it be found using a string search?

If the beginning of the file system is destroyed, the logical block address reference to the MFT mirror is presumably destroyed as well, so string-searching for it is the only way to discover it.

Posted : 14/12/2022 2:33 pm

I opened an old NTFS flash drive (16 GB) in IsoBuster, and from what I can see in the file listing, $MFTMirr is just 4 KB in size. The sector viewer that shows the bytes and hexadecimal values shows that both $MFT and $MFTMirr start with "FILE0". Apparently, NTFS treats those as regular files; they are just hidden by the operating system.

$MFTMirr is stored at an offset of just 8 KB into the file system. Those first 8 KB are occupied by $Boot.

The main $MFT is located at exactly 3 GiB into the 16 GB (14.9 GiB) file system and is 2.5 MiB in size.

I presume that the offset for $MFT changes with the volume size.

Posted : 14/12/2022 2:46 pm
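Added example (not part of the original posts): a signature scan of the kind asked about above, which looks for sector-aligned "FILE" records and tells a 4-record mirror candidate apart from the longer main MFT. It assumes 1 KiB file records and the NTFS 3.1 record header (update sequence offset 0x30, record number at 0x2C); the function names and the sample image are constructed for illustration.

```python
import struct

RECORD_SIZE = 1024  # assumption: default 1 KiB file record size
SECTOR = 512        # records are sector-aligned, so scan in sector steps

def record_number(buf, off):
    """Return the record number of a FILE record at `off`, else None."""
    if off + RECORD_SIZE > len(buf) or buf[off:off + 4] != b"FILE":
        return None
    usa_offset, = struct.unpack_from("<H", buf, off + 4)
    if usa_offset != 0x30:  # 0x30 is ASCII '0', hence "FILE0" in a hex viewer
        return None         # older header layout has no record number field
    return struct.unpack_from("<I", buf, off + 0x2C)[0]

def find_record_runs(buf):
    """Return (byte_offset, run_length) for each run of records 0, 1, 2, ..."""
    runs = []
    for off in range(0, len(buf) - RECORD_SIZE + 1, SECTOR):
        if record_number(buf, off) != 0:
            continue
        n = 1
        while record_number(buf, off + n * RECORD_SIZE) == n:
            n += 1
        runs.append((off, n))
    return runs

def classify(runs):
    """A run of exactly 4 records is a mirror candidate; longer runs are the MFT."""
    return [("$MFTMirr" if n == 4 else "$MFT" if n > 4 else "fragment", off)
            for off, n in runs]

def make_record(number):
    """Constructed sample record: header fields only, zero-filled body."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 4, 0x30)
    struct.pack_into("<I", rec, 0x2C, number)
    return bytes(rec)

def build_sample_image():
    """Constructed 64 KiB image: mirror at 8 KiB, 6-record MFT at 32 KiB."""
    img = bytearray(64 * 1024)
    for base, count in ((8192, 4), (32768, 6)):
        for i in range(count):
            img[base + i * RECORD_SIZE:base + (i + 1) * RECORD_SIZE] = make_record(i)
    return bytes(img)

if __name__ == "__main__":
    for label, off in classify(find_record_runs(build_sample_image())):
        print(f"{label} candidate at byte offset {off}")
```

On a real image, read the file in chunks instead of loading it whole, and treat hits as candidates only: stale records from an earlier format can produce extra runs.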