Master File Table Defined

The Master File Table (MFT) is the heart of the Microsoft Windows NT file structure. It is a special system file, essentially a database, that contains information on all the files and subdirectories located within the NTFS logical volume (partition). Like any database, the MFT is a collection of records. There is at least one record for every file and subdirectory on the NTFS logical volume. Each record is 1024 bytes in length and contains information, known as attributes, that tells the system how to deal with the file or directory associated with the record.

One of the most interesting facts about the MFT is that it sometimes stores the actual file data along with all the system data relating to the file. Data stored inside the MFT is known as resident data. This can have significant meaning for computer security, because of the potential leakage of sensitive data. It is also interesting that there is no file slack associated with a file whose data is stored inside the MFT. The reason is that file slack is, by definition, the area from the end of the file to the end of the last cluster associated with the file. In this case, the data does not reside in a cluster; it resides in the MFT file. However, there can still be slack of a different kind. If the full 1024 bytes of an MFT entry are not used, the record can contain information from previous files. This is known as MFT slack. Knowledge of its existence is important for investigators and computer security specialists because a computer forensics utility that captures file slack does not capture MFT slack. NTI has specialized tools which are used to process and examine the $MFT file, which is the formal name of the MFT file. This special file and related issues are covered in detail in the NTI 5 Day Computer Forensics Training Course, and software is provided to the participants.
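To make resident data and MFT slack concrete, the following added example (not NTI's software and not part of the original page) parses one 1024-byte record, returns any resident $DATA content, and returns the bytes past the record's used size as MFT slack. The function names `parse_record` and `build_sample` are hypothetical, the header offsets follow the standard NTFS on-disk record layout, and the sample record is constructed.

```python
import struct

RECORD_SIZE = 1024        # MFT record length as stated above
ATTR_DATA = 0x80          # $DATA attribute type code
ATTR_END = 0xFFFFFFFF     # end-of-attributes marker

def parse_record(rec: bytes) -> dict:
    """Pull resident $DATA content and MFT slack out of one FILE record.
    Simplification: the update sequence fixup is not applied, so the last
    two bytes of each 512-byte sector are not the original bytes."""
    if len(rec) != RECORD_SIZE or rec[:4] != b"FILE":
        raise ValueError("not a 1024-byte FILE record")
    # 0x14 first attribute offset, 0x16 flags, 0x18 bytes of the record in use
    first_attr, flags, used = struct.unpack_from("<HHI", rec, 0x14)
    if not first_attr <= used <= RECORD_SIZE:
        raise ValueError("corrupt used-size field")
    resident, off = [], first_attr
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END:
            break
        if alen < 0x18 or off + alen > used:
            raise ValueError("corrupt attribute length")
        if atype == ATTR_DATA and rec[off + 8] == 0:   # non-resident flag clear
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            if coff + clen > alen:
                raise ValueError("resident content overruns attribute")
            resident.append(rec[off + coff:off + coff + clen])
        off += alen
    # Everything past the used size is left over from earlier use of the record.
    return {"in_use": bool(flags & 1), "resident_data": resident,
            "mft_slack": rec[used:]}

def build_sample() -> bytes:
    """Constructed record: an 11-byte resident file in a reused record."""
    content = b"hello world"
    body = content + b"\x00" * (-len(content) % 8)
    attr = struct.pack("<IIBBHHHIHBB", ATTR_DATA, 0x18 + len(body), 0, 0, 0x18,
                       0, 0, len(content), 0x18, 0, 0) + body
    used = 0x38 + len(attr) + 8
    hdr = struct.pack("<4sHHQHHHHIIQH", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                      used, RECORD_SIZE, 0, 1).ljust(0x38, b"\x00")
    rec = hdr + attr + struct.pack("<II", ATTR_END, 0)
    stale = b"CONSTRUCTED leftover from a previous file"
    return rec + stale.ljust(RECORD_SIZE - len(rec), b"\x00")

if __name__ == "__main__":
    out = parse_record(build_sample())
    print(out["resident_data"], out["mft_slack"].rstrip(b"\x00"))
```
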

A set of eight trial illustration posters is available to assist in visually explaining some of the technical terminology you may be called on to explain to a non-technical jury or judge.