Understanding NTFS Architecture, MFT, and Basics of NTFS Forensics

Post category:Microsoft / Windows Storage
Post published:May 19, 2020
Post last modified:August 2, 2024

Introduction

NTFS is been there for quite a while, it’s a year younger than me. NTFS ( New Technology File System ) was first introduced in the 1993 release of Windows NT 3.1. Since then it has seen many changes but the core fundamentals remain the same.

NTFS (New Technology File System) is a proprietary file system developed by Microsoft. It is the standard file system used in Microsoft’s Windows NT operating systems (including Windows 2000, XP, Vista, 7, 8, and 10) and their successors.

It provided a combination of reliability, performance, and scalability in such a way that Microsoft never thought of any need to replace it even after 27 Years of its release.

So NTFS is a File System just like any other File System its code resides in a file with the name NTFS.sys and it’s a kernel Mode Driver running in the background and comes into the picture as soon as you format a Volume in NTFS Format:

Pre-requisite

A basic understanding of Windows Storage is required. I will recommend you go through the below articles first:

Understanding Master Boot Record (MBR)

Understanding Master Boot Sector (MBS)

Understanding Windows Storage Stack

How a File is created in an NTFS Volume:

When NTFS stores a file, it starts by creating a small 1KB file record segment that we will call the base record. Every file starts like this, including the special hidden files such as $MFT, $LOGFILE, $VOLUME, and so on. In fact when we refer to the MFT (master file table), what we are talking about is the entire list of base record segments and child record segments (explained later) for all files in the volume.

Demo

We will Do a demo in which we will create a file and explain the way it is stored on the NTFS volume

Create a New NTFS Volume

2. Create a Text File with a Size Less than 1KB.

3. Jump to MBR and then MBS using Hex Editor.
There are a lot of Free Hex Editors in the Market so you can use anyone. In case if you are new to this you can use HxD: https://mh-nexus.de/en/hxd/

MBR (Master Boot Record):

From the Figure, we can see that the First Sector of the Volume is 0x80: which is Sector number 128 in Decimal. Jumping to Sector 128 we will find MBS:

80 00 00= 00 00 80
00 00 80 = 0x80 (Hex)
0x80 (Hex)  = 128 (Decimal)

Find the Location of MFT using the Highlighted String Below:

Let’s understand how we can convert this to Hex Now:
The Value is in Little Endian Format

55 54 01 00 00 00 00 00 = 00 00 00 00 00 01 54 55
00 00 00 00 00 01 54 55 = 0x015455 (Hex)

0x015455 (Hex) = 87125 (Decimal)

You can also use the Data inspector in the HxD tool to get this information

Now for you to Find the Location of MFT you will have to use the below concept:
The master file table begins at the cluster

0x015455 = 87125 or (87125 x 8) i.e. sector 6,97,000.

This is the LBA within the partition, so we add to this the number of previous sectors if we want to go to the physical sector number.
That is, the MFT begins at the location

1285+6,97,000 = 697128.

( (Location of MFT in MBS) x 8 ) + 128 = 128 Location of MFT on Disk
( ( 87125 ) x 8 ) + 128 = 697128

Jump to Location 697128 and you will find the First Entry of MFT. Please note that the First entry of MFT is MFT Itself.

Understanding Master File Table ( MFT ):

Every Block in MFT starts with the name: FILE0
The first 35 MFT Blocks are used by NTFS(System) i.e. 0 to 34th.
35th MFT block Stores the information about the Data File.
Every Block of MFT is 1024 Bytes Logs (1KB).
If we are currently on 697128 then the first user block will be on 697128+70 = 697198.

Note: Why 70:: 35*2 = 70 ( Since every MFT is stored in 2 sectors as every sec is 512 bytes long)

Now once the volume is created there will be a few more entries for folders like “System Volume Information” as they are created by Default, so from here you will have to search for the MFT Entry with an Entry of Your Filename, in my case it is asd.txt

Resident Files

When a file’s attributes can fit within the MFT file record for that file, they are called resident attributes (File Attributes also include data attributes).
Information such as file name and time stamp are always resident attributes.
This also means that the entire file exists in the MFT. No need to look elsewhere. Everything we need is in that 1KB record
Red Circle in the Image Below Shows if a File is a Resident or Non-Resident. In the Image below Resident file is denoted by 00

Non-Resident Files

When the information for a file is too large to fit in its MFT file record, some of the file attributes are non-resident.
Non-resident attributes are allocated one or more clusters of disk space and stored as an alternate data stream in the volume.
NTFS creates the Attribute List attribute to describe the location of both resident and non-resident attribute records.
Non-Resident is denoted by 01

Now once you have an idea about the architecture you can easily recover a Volume or any read files from the Hex Editor even if they are deleted. Post some more understanding you can recover them as well.

Ashutosh Dixit

I am currently working as a Senior Technical Support Engineer with VMware Premier Services for Telco. Before this, I worked as a Technical Lead with Microsoft Enterprise Platform Support for Production and Premier Support. I am an expert in High-Availability, Deployments, and VMware Core technology along with Tanzu and Horizon.