MFT (Master File Table)
What is MFT (Master File Table)?
MFT (Master File Table)The core NTFS metadata structure that stores one 1024-byte record per file or directory on a volume, anchoring nearly all Windows file-system forensics.
The Master File Table ($MFT) is the heart of the NTFS file system; every file, directory, and even the MFT itself is represented by a fixed-size record containing attributes such as $STANDARD_INFORMATION, $FILE_NAME, and $DATA. Forensic analysts parse the MFT to recover timestamps (the four MACB times in both $SI and $FN), file sizes, parent-child relationships, alternate data streams, and resident file content for very small files. Deleted entries often remain recoverable until reused, making the MFT essential for timeline analysis and anti-forensic detection. Tools such as MFTECmd, analyzeMFT, and Velociraptor extract and normalise records for triage.
● Examples
- 01
Recovering the original filename and creation time of a wiped malware sample from a resident $MFT record.
- 02
Detecting timestomping by comparing $STANDARD_INFORMATION and $FILE_NAME timestamps within the same MFT entry.
● Frequently asked questions
What is MFT (Master File Table)?
The core NTFS metadata structure that stores one 1024-byte record per file or directory on a volume, anchoring nearly all Windows file-system forensics. It belongs to the Forensics & IR category of cybersecurity.
What does MFT (Master File Table) mean?
The core NTFS metadata structure that stores one 1024-byte record per file or directory on a volume, anchoring nearly all Windows file-system forensics.
How does MFT (Master File Table) work?
The Master File Table ($MFT) is the heart of the NTFS file system; every file, directory, and even the MFT itself is represented by a fixed-size record containing attributes such as $STANDARD_INFORMATION, $FILE_NAME, and $DATA. Forensic analysts parse the MFT to recover timestamps (the four MACB times in both $SI and $FN), file sizes, parent-child relationships, alternate data streams, and resident file content for very small files. Deleted entries often remain recoverable until reused, making the MFT essential for timeline analysis and anti-forensic detection. Tools such as MFTECmd, analyzeMFT, and Velociraptor extract and normalise records for triage.
How do you defend against MFT (Master File Table)?
Defences for MFT (Master File Table) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for MFT (Master File Table)?
Common alternative names include: $MFT, Master File Table.
● Related terms
- forensics-ir№ 001
$UsnJrnl ($J)
The NTFS Update Sequence Number change journal that records every file-system operation, giving forensic investigators a high-resolution timeline of file creation, modification, and deletion.
- forensics-ir№ 1034
Shimcache (AppCompatCache)
A Windows registry value that tracks executable metadata for application-compatibility checks; historically used as execution evidence, with important interpretation caveats.
- forensics-ir№ 043
Amcache.hve
A Windows registry hive that records detailed metadata about every executable that has run or been present on a system, including SHA-1 hashes, providing strong execution evidence on modern Windows.
- forensics-ir№ 850
Prefetch Files
Windows .pf files in C:\Windows\Prefetch that record process startup data and provide strong forensic evidence that an executable ran on a system.
- forensics-ir№ 766
Order of Volatility
The acquisition priority defined by RFC 3227 that requires forensic responders to collect the most ephemeral evidence first, before it is overwritten or lost.
● See also
- № 1031Shellbags
- № 568Jump Lists
- № 787pagefile.sys
- № 474hiberfil.sys
- № 388Eric Zimmerman's EZ Tools