NTFS MFT Record Parsing + Parser

Before I begin, there are a few concepts that you will need to understand before retrieving a deleted file from your hard drive. If you already know the items below, that's great! If not, please continue to review. At the end of this blog I provide an EnCase EnScript that will extract the MFT data from a drive. You can access this in my github.

First you will have to understand:

  • Virtual cluster numbers (VCNs) and how they map to logical clusters (LCNs) on the disk.
  • The Master File Table (MFT) record entries and the attributes they contain.

Below is a basic high level diagram of clusters, sectors and bytes.

[UNVC_Diagram: bytes make up 512-byte sectors, sectors make up clusters (cluster size is fixed at format time, commonly 4 KB); an LCN counts clusters from the start of the volume, a VCN counts clusters from the start of one file's data]

What is the MFT?

The Master File Table ($MFT, itself MFT record 0) is the volume's index of every file and directory. Each entry is a fixed-size record, normally 1024 bytes, made up of a header followed by a chain of attributes ($STANDARD_INFORMATION, $FILE_NAME, $DATA and so on) that hold the file's metadata. Small content (a few hundred bytes) is stored "resident" inside the record itself; anything larger is "non-resident" and the record only carries a runlist pointing at the clusters on disk. Deleting a file does not wipe its record, it only clears the in-use flag, which is what makes recovery possible.

Below is a high level view of the MFT record structure.

[MFTMFTentry: record header, then attributes back to back, then an end marker]

MFT Header

The header describes the record entry itself: where the attributes start, whether the record is in use, and which record number and sequence number it carries. The typical length of the header, including the update sequence (fix up) array, is 56 bytes (0x38) on Windows XP and later. All multi-byte fields are little endian.

Name                                  | # of Bytes  | Record Offset | Detail
--------------------------------------|-------------|---------------|-------
Signature                             | 4           | 0             | Begins the record, normally "FILE". A record whose multi-sector check failed is marked "BAAD" by chkdsk.
Fix up (update sequence) array offset | 2           | 4             | Typically 0x30 (48). The array starts with the 2-byte update sequence number (USN), followed by the original last 2 bytes of each 512-byte sector of the record. On disk those sector tails are overwritten with the USN, so they must be restored before parsing anything that crosses a sector boundary.
Fix up count                          | 2           | 6             | Number of 2-byte entries in the array. Typically 0x0003 for a 1024-byte record (USN + 2 sectors).
$LogFile Sequence Number (LSN)        | 8           | 8             | 64-bit sequence number of the last $LogFile transaction that modified this record.
Sequence Number                       | 2           | 16            | Incremented each time the record is allocated or freed. Together with the 48-bit MFT record number it forms the 64-bit File Reference Address: (sequence << 48) | record number. An index entry whose sequence number no longer matches the record's points at a reused record.
Hard link count                       | 2           | 18            | Number of directory entries ($FILE_NAME attributes) that reference this record.
Offset to First Attribute             | 2           | 20            | Typically 0x38. This is where the attribute walk starts.
Usage Flags                           | 2           | 22            | 0x01 = record in use (allocated), 0x02 = record is a directory. A "FILE" record with 0x01 clear is a deleted entry.
MFT record logical (used) size        | 4           | 24            | Bytes of the record actually in use. This tells you where the record ends, which is helpful if you are trying to pull MFT records from unallocated space.
MFT record physical (allocated) size  | 4           | 28            | Typically 1024 bytes.
Base record reference                 | 8           | 32            | File reference of the base record. Zero in a base record; non-zero in an extension record that holds overflow attributes listed in the base record's $ATTRIBUTE_LIST. The parent directory is not stored here; it is in $FILE_NAME.
Next Attribute ID                     | 2           | 40            | The ID that will be given to the next attribute added to this record.
Padding                               | 2           | 42            | Windows XP and later (aligns the record number to 4 bytes).
MFT record #                          | 4           | 44            | This record's own number in the MFT (Windows XP and later). Useful when a record has been carved from unallocated space and its position in $MFT is unknown.
Update sequence array                 | 6 + padding | 48            | The USN (2 bytes) plus the saved sector tails (2 × 2 bytes for a 1024-byte record), padded to 8 bytes so the first attribute begins at 0x38.

Attribute Types

Defined in $AttrDef (MFT record 4).

Name                    | Type ID (4 bytes, little endian) | Detail
------------------------|----------------------------------|-------
$STANDARD_INFORMATION   | 0x10                             |
$ATTRIBUTE_LIST         | 0x20                             |
$FILE_NAME              | 0x30                             |
$VOLUME_VERSION         | 0x40                             | Windows NT versions only
$OBJECT_ID              | 0x40                             | Windows 2000 and later
$SECURITY_DESCRIPTOR    | 0x50                             |
$VOLUME_NAME            | 0x60                             |
$VOLUME_INFORMATION     | 0x70                             |
$DATA                   | 0x80                             |
$INDEX_ROOT             | 0x90                             |
$INDEX_ALLOCATION       | 0xA0                             |
$BITMAP                 | 0xB0                             |
$SYMBOLIC_LINK          | 0xC0                             | Windows NT versions only
$REPARSE_POINT          | 0xC0                             | Windows 2000 and later
$EA_INFORMATION         | 0xD0                             |
$EA                     | 0xE0                             |
$PROPERTY_SET           | 0xF0                             | Windows NT versions only
$LOGGED_UTILITY_STREAM  | 0x100                            | Windows 2000 and later

[AttributeStructure: common attribute header, then either the resident or the non-resident continuation, then the content or the runlist]

Attribute Header

Common to both resident and non-resident attributes. Offsets are relative to the start of the attribute, not the record.

Name                 | # of Bytes | Attribute Offset | Detail
---------------------|------------|------------------|-------
Attribute Type       | 4          | 0                | Reference the attribute table above. For parsing, read this as little endian. The value 0xFFFFFFFF marks the end of the attribute chain.
Length of Attribute  | 4          | 4                | Distance from this header to the next attribute header; attributes are 8-byte aligned.
Non-Resident Flag    | 1          | 8                | 0x00 = resident (content is inside the MFT record), 0x01 = non-resident (content lives in clusters described by a runlist).
Length of Name       | 1          | 9                | In UTF-16 characters. 0 for an unnamed attribute such as the default $DATA stream; alternate data streams have a name.
Offset to Name       | 2          | 10               |
Flags                | 2          | 12               | 0x0001 = compressed, 0x4000 = encrypted, 0x8000 = sparse. (This is not the resident/non-resident flag; that is the byte at offset 8.)
Attribute ID         | 2          | 14               | Unique within the record.

Resident Attribute Header Continuation

Name                 | # of Bytes | Attribute Offset | Detail
---------------------|------------|------------------|-------
Size of Content      | 4          | 16               |
Offset to Content    | 2          | 20               | Relative to the start of the attribute; typically 0x18 for an unnamed attribute.
Indexed Flag         | 1          | 22               |
Padding              | 1          | 23               |

Non-Resident Attribute Header Continuation

Name                               | # of Bytes | Attribute Offset | Detail
-----------------------------------|------------|------------------|-------
Starting VCN                       | 8          | 16               | First Virtual Cluster Number covered by this header's runlist (0 unless the attribute is split across several records).
Ending VCN                         | 8          | 24               | Last Virtual Cluster Number covered by this runlist.
Offset to Runlist                  | 2          | 32               | Relative to the start of the attribute; typically 0x40.
Compression unit size              | 2          | 34               | As a power of two clusters; 0 when not compressed.
Padding                            | 4          | 36               |
Physical (allocated) content size  | 8          | 40               | Rounded up to whole clusters.
Logical (real) content size        | 8          | 48               | Actual attribute length; truncate recovered data to this value.
Initialized content size           | 8          | 56               | Bytes actually written; anything beyond this reads as zero.

Attribute Content

Standard Information Attribute ($STANDARD_INFORMATION, 0x10)

Always resident. All four timestamps are Windows FILETIME values: 100-nanosecond intervals since 1601-01-01 00:00 UTC, little endian. The Windows NT layout is 48 bytes; Windows 2000 and later extend it to 72 bytes.

Name                            | # of Bytes | Content Offset | Detail
--------------------------------|------------|----------------|-------
File Creation Time              | 8          | 0              |
File Modified Time              | 8          | 8              |
MFT Modified Time               | 8          | 16             |
File Accessed Time              | 8          | 24             |
DOS Permissions                 | 4          | 32             | File attribute flags, e.g. 0x01 read-only, 0x02 hidden, 0x04 system, 0x20 archive.
Max # of Versions               | 4          | 36             |
Version Number                  | 4          | 40             |
Class ID                        | 4          | 44             |
Owner ID                        | 4          | 48             | Windows 2000 and later
Security ID                     | 4          | 52             | Windows 2000 and later; index into $Secure
Quota Charged                   | 8          | 56             | Windows 2000 and later
Update Sequence Number (USN)    | 8          | 64             | Windows 2000 and later; last $UsnJrnl entry for this file

Filename Attribute ($FILE_NAME, 0x30)

Always resident. A file has one $FILE_NAME attribute per name (a DOS 8.3 short name is a separate attribute). NTFS only updates the four timestamps here when the file is created, renamed or moved, so a $STANDARD_INFORMATION creation time earlier than the one here is a classic sign of timestamp manipulation.

Name                                  | # of Bytes | Content Offset | Detail
--------------------------------------|------------|----------------|-------
MFT Parent Directory Record #         | 6          | 0              | Low 48 bits of the parent's file reference. This is what rebuilds the directory hierarchy.
Sequence Number of Parent Directory   | 2          | 6              | High 16 bits of the parent's file reference.
File Creation Time                    | 8          | 8              | FILETIME
File Modified Time                    | 8          | 16             | FILETIME
MFT Modified Time                     | 8          | 24             | FILETIME
File Accessed Time                    | 8          | 32             | FILETIME
Physical (allocated) File Size        | 8          | 40             |
Logical (real) File Size              | 8          | 48             |
Flags                                 | 4          | 56             | Same values as the DOS permissions in $STANDARD_INFORMATION.
For EA and Reparse                    | 4          | 60             | Reparse tag, or size of the extended attributes.
Filename length                       | 1          | 64             | In UTF-16 characters, not bytes.
Filename namespace                    | 1          | 65             | 0 = POSIX, 1 = Win32, 2 = DOS (8.3), 3 = Win32 & DOS.
Filename (Unicode)                    | 2 × length | 66             | UTF-16LE, not null terminated.
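The header, attribute header and attribute content layouts above are enough to write a parser. The following Python is an added example, not the author's EnScript and not code from any NTFS library: it restores the fixup bytes, reads the record header, walks the attribute chain and decodes resident $STANDARD_INFORMATION, $FILE_NAME and $DATA. Because no disk image ships with the page, build_sample_record() constructs a 1024-byte record for a file named Test.txt; the record number, sequence number, timestamps, saved fixup values and data content in it are made up for the demonstration.

```python
"""Added example: parse one NTFS MFT record (fixups, header, attribute walk,
resident $STANDARD_INFORMATION / $FILE_NAME / $DATA). The sample record is constructed."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
STANDARD_INFORMATION, FILE_NAME, DATA, END_MARKER = 0x10, 0x30, 0x80, 0xFFFFFFFF
REF_MASK = 0xFFFFFFFFFFFF  # low 48 bits of a file reference = MFT record number

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def apply_fixups(record, sector_size=512):
    """Undo the update sequence array: restore each sector's saved last 2 bytes, or reject a torn record."""
    usa_ofs, usa_count = struct.unpack_from("<HH", record, 4)
    usn, buf = record[usa_ofs:usa_ofs + 2], bytearray(record)
    for i in range(1, usa_count):
        end = i * sector_size
        if buf[end - 2:end] != usn:  # on disk every sector tail must equal the USN
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn or corrupt record")
        buf[end - 2:end] = record[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    return bytes(buf)

def parse_header(record):
    if record[:4] not in (b"FILE", b"BAAD"):
        raise ValueError("not an MFT record")
    lsn, seq, links, attr_ofs, flags, used, alloc, base_ref = struct.unpack_from("<QHHHHIIQ", record, 8)
    rec_no = struct.unpack_from("<I", record, 44)[0]
    return {"signature": record[:4].decode(), "lsn": lsn, "sequence": seq, "hard_links": links,
            "first_attr": attr_ofs, "in_use": bool(flags & 1), "is_dir": bool(flags & 2),
            "used_size": used, "alloc_size": alloc, "base_record": base_ref & REF_MASK,
            "record_number": rec_no, "file_reference": (seq << 48) | rec_no}

def iter_attributes(record, first_attr):
    """Yield (type, header offset, non_resident, resident content) until the 0xFFFFFFFF marker."""
    ofs = first_attr
    while ofs + 16 <= len(record):
        atype, alen = struct.unpack_from("<II", record, ofs)
        if atype == END_MARKER or alen == 0:
            break
        non_resident, content = record[ofs + 8] != 0, None
        if not non_resident:  # non-resident content lives in clusters named by the runlist
            size, cofs = struct.unpack_from("<IH", record, ofs + 16)
            content = record[ofs + cofs:ofs + cofs + size]
        yield atype, ofs, non_resident, content
        ofs += alen  # "length of attribute" is the step to the next header

def _times(c, m, mft_m, a):
    return {"created": filetime_to_dt(c), "modified": filetime_to_dt(m),
            "mft_modified": filetime_to_dt(mft_m), "accessed": filetime_to_dt(a)}

def parse_standard_information(content):
    c, m, mft_m, a, flags = struct.unpack_from("<QQQQI", content, 0)
    return {**_times(c, m, mft_m, a), "dos_flags": flags}

def parse_file_name(content):
    parent, c, m, mft_m, a, alloc, real, flags = struct.unpack_from("<QQQQQQQI", content, 0)
    name_len, namespace = content[0x40], content[0x41]  # length is in UTF-16 characters
    return {**_times(c, m, mft_m, a), "parent_record": parent & REF_MASK,
            "parent_seq": parent >> 48, "alloc_size": alloc, "real_size": real,
            "flags": flags, "namespace": namespace,
            "name": content[0x42:0x42 + 2 * name_len].decode("utf-16-le")}

def parse_record(raw):
    rec = apply_fixups(raw)
    hdr, attrs = parse_header(rec), []
    for atype, ofs, non_resident, content in iter_attributes(rec, hdr["first_attr"]):
        entry = {"type": atype, "offset": ofs, "non_resident": non_resident}
        if content is not None and atype == STANDARD_INFORMATION:
            entry.update(parse_standard_information(content))
        elif content is not None and atype == FILE_NAME:
            entry.update(parse_file_name(content))
        elif content is not None and atype == DATA:
            entry["data"] = content
        attrs.append(entry)
    return {"header": hdr, "attributes": attrs}

# ---- constructed sample record (built here, not read from a real volume) ----
def _resident_attr(atype, content, attr_id):
    body = content + b"\0" * (-len(content) % 8)  # attributes are 8-byte aligned
    return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body), 0, 0, 0, 0,
                       attr_id, len(content), 24, 0, 0) + body

def build_sample_record():
    """Record #42, sequence 5: in-use file Test.txt under record 5, with resident data."""
    t = ((datetime(2020, 1, 1, tzinfo=timezone.utc) - EPOCH_1601) // timedelta(microseconds=1)) * 10
    si = struct.pack("<QQQQIIII", t, t, t, t, 0x20, 0, 0, 0) + b"\0" * 24  # 72-byte Win2K layout
    fn = struct.pack("<QQQQQQQIIBB", (5 << 48) | 5, t, t, t, t, 16, 11, 0x20, 0, 8, 1)
    attrs = (_resident_attr(STANDARD_INFORMATION, si, 0)
             + _resident_attr(FILE_NAME, fn + "Test.txt".encode("utf-16-le"), 1)
             + _resident_attr(DATA, b"Hello, MFT!", 2) + struct.pack("<I", END_MARKER))
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 5, 1, 0x38, 0x01,
                      0x38 + len(attrs), 1024, 0, 3, 0, 42)
    usa = struct.pack("<HHH", 0x0007, 0xBBAA, 0xDDCC)  # USN, then the two saved sector tails
    rec = bytearray(hdr + usa + b"\0\0" + attrs).ljust(1024, b"\0")
    rec[510:512] = rec[1022:1024] = b"\x07\x00"  # sector tails as they appear on disk
    return bytes(rec)
```

The fixup step matters more than it looks: any attribute that crosses byte 510 or 1022 of the record contains the USN instead of its real bytes until apply_fixups runs, and a mismatch there is the first sign that a record carved from unallocated space is stale or torn. The file_reference value the header function returns is what directory index entries point at, and the parent_record/parent_seq pair from $FILE_NAME is the reverse link used to rebuild paths.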

 

Volume Name Attribute ($VOLUME_NAME, 0x60)

Name                                                              | # of Bytes
------------------------------------------------------------------|-----------
Volume name in UTF-16LE; length is the Size of Content from the resident header | N

Data Attribute ($DATA, 0x80)

If the content is too large for the MFT record, the attribute is non-resident and carries the non-resident attribute header. This is where you use the VCN-to-LCN runlist to find the data clusters. This is how deleted files can be recovered: a deleted record keeps its "FILE" signature, its $FILE_NAME and its runlist (only the in-use flag is cleared), so as long as the clusters have not been reused, following the runlist and cutting the result to the logical (real) size returns the file content.

Name                                                              | # of Bytes
------------------------------------------------------------------|-----------
Content, if the attribute is resident; length is the Size of Content from the resident header | N

Data Run Lists

Each run begins with a header byte. The low nibble is the number of bytes holding the run length; the high nibble is the number of bytes holding the run offset. The length follows (unsigned, little endian, in clusters), then the offset (signed, little endian, in clusters) relative to the start of the previous run; the first run's offset is relative to cluster 0 of the volume. A header byte of 0x00 terminates the list. A high nibble of 0 means a sparse run: it has a length but no clusters on disk and reads as zeros.

Field                                                    | Size
---------------------------------------------------------|-----
Header: # of bytes in run offset                         | high nibble
Header: # of bytes in run length                         | low nibble
Run length in contiguous clusters                        | as many bytes as the low nibble says
Run offset in clusters (little endian, signed, relative) | as many bytes as the high nibble says

Example

Test.txt's data runlist: 21 02 11 01 11 02 04 (followed by a 00 terminator byte)

Bytes       | Header: offset bytes | Header: length bytes | Run length | Run offset        | Meaning
------------|----------------------|----------------------|------------|-------------------|--------
21 02 11 01 | 2                    | 1                    | 02         | 11 01 = 0x0111    | 2 contiguous clusters starting at cluster 273
11 02 04    | 1                    | 1                    | 02         | 04                | 2 contiguous clusters starting at 273 + 4 = 277
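As an added example (not from the original post) here is the runlist decoding and the cluster reading behind the recovery described under Data Attribute, in Python. It decodes the Test.txt runlist from the table above, plus a constructed list that exercises a negative offset and a sparse run, and reassembles the file from a constructed in-memory volume image. The 512-byte cluster size, the 300-cluster image and the file content are assumptions for the demo; on a real volume the cluster size comes from the boot sector, and LCN 0 is the first cluster of the NTFS partition, not of the physical disk, so add the partition's start offset when reading a whole-disk image.

```python
"""Added example: decode an NTFS data run list and reassemble a non-resident
$DATA attribute from a volume image. Sample bytes and the image are constructed."""
import io

def decode_runlist(raw):
    """Return [(start_lcn, length_in_clusters), ...]; start_lcn is None for a
    sparse run. Offsets are signed and relative to the previous run's start."""
    runs, pos, lcn = [], 0, 0
    while pos < len(raw) and raw[pos] != 0x00:  # a 0x00 header byte ends the list
        len_size, ofs_size = raw[pos] & 0x0F, raw[pos] >> 4
        pos += 1
        length = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if ofs_size == 0:  # sparse run: no clusters on disk
            runs.append((None, length))
            continue
        lcn += int.from_bytes(raw[pos:pos + ofs_size], "little", signed=True)
        pos += ofs_size
        runs.append((lcn, length))
    return runs

def vcn_to_lcn(runs, vcn):
    """Map a virtual cluster of the attribute to its logical cluster on the volume."""
    for lcn, length in runs:
        if vcn < length:
            return None if lcn is None else lcn + vcn
        vcn -= length
    raise IndexError("VCN past the end of the run list")

def extract_data(volume, runs, cluster_size, real_size):
    """Read the clusters named by the runs in VCN order from a seekable volume
    image, zero-fill sparse runs, and cut the result to the attribute's real size."""
    out = bytearray()
    for lcn, length in runs:
        if lcn is None:
            out += bytes(length * cluster_size)
        else:
            volume.seek(lcn * cluster_size)
            out += volume.read(length * cluster_size)
    return bytes(out[:real_size])

# Test.txt's runlist from the text: 2 clusters at 273, then 2 clusters at 273 + 4 = 277.
TEST_TXT_RUNLIST = bytes.fromhex("21 02 11 01 11 02 04 00")
# Constructed: 4 clusters at 4096, then 2 clusters 16 before that (negative delta), then 3 sparse.
FRAGMENTED_RUNLIST = bytes.fromhex("21 04 00 10 11 02 F0 01 03 00")
CLUSTER_SIZE = 512                      # assumption for the demo; real volumes are often 4096
TEST_TXT_CONTENT = bytes(range(256)) * 8  # 2048 bytes = exactly 4 clusters

def build_sample_volume():
    """Constructed 300-cluster image with Test.txt's content laid out per its runlist."""
    img = bytearray(300 * CLUSTER_SIZE)
    img[273 * CLUSTER_SIZE:275 * CLUSTER_SIZE] = TEST_TXT_CONTENT[:2 * CLUSTER_SIZE]
    img[277 * CLUSTER_SIZE:279 * CLUSTER_SIZE] = TEST_TXT_CONTENT[2 * CLUSTER_SIZE:]
    return io.BytesIO(bytes(img))

def recover_test_txt(real_size=2000):
    """Carve Test.txt from the sample volume the way a deleted-file recovery would,
    using the logical size from the non-resident header to drop the cluster slack."""
    return extract_data(build_sample_volume(), decode_runlist(TEST_TXT_RUNLIST),
                        CLUSTER_SIZE, real_size)
```

Two details catch people writing this for the first time: the offset field is signed, so a file whose later fragment sits before its earlier one has a negative delta (0xF0 above is -16, not 240), and a compressed or sparse file contains runs with no offset at all. Reading past the logical size returns slack from the last cluster, which may hold remnants of whatever file previously used it.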

MFT Parser

(EnCase EnScript)

This EnScript parses MFT records from files chosen in the case. An EnCase search is performed to find all MFT signatures ("FILE"); each hit is then validated and sorted into one of four categories: Complete MFT record, Partially Parsed MFT record, Cannot Parse (unable to parse, but valid header properties), and Not an MFT record.

User Interface Options

The user has the option of renaming the repository bookmark folder.

Bookmark folders created.

Record folders created.

Console Output Example

 

Complete MFT Record

This category's function is to fully parse the following attributes:

  • Standard Information
  • File Name
  • Object ID
  • Volume Name
  • Volume Information
  • Data – this attribute is shown in ANSI string format
  • Index Root
  • Index allocation – this attribute will only produce the non-resident attribute information
  • Reparse Point

**All other Attributes are ignored.

These fully parsed records are imported into the EnCase "Records" tab, where the user must choose Local fields to view all columns of information.

Below is an example of the records tab with columns chosen.

**Note that these records were recovered from unallocated space.

 

Partially Parsed MFT Record

This category's function parses only the MFT header and the first valid timestamp. Because the rest of the record cannot be correctly parsed, the common offsets for the header and one timestamp are extracted from the data and imported into the records tab. These partial records are bookmarked up to 1024 bytes.

Below is an example of the data parsed from a potential MFT record in unallocated space.

**Note that this drive was once encrypted and reformatted.

 

Cannot Parse

This category's function takes any MFT record that does not contain valid information in the header and bookmarks up to 1024 bytes.

 

Not an MFT record

This category's function ignores false positives that the EnCase search finds: hits on the "FILE" signature that are not MFT records.