Forensics notes
Short notes on NTFS internals, MFT structure, and digital forensics workflows.
Proving a file once existed on a Windows system
When a file is no longer on disk, the NTFS $MFT can still demonstrate it once existed — and, surprisingly often, what it contained and when it was touched.
$UsnJrnl and $MFT: pairing journal with file table
$MFT tells you the current state of every file on an NTFS volume. $UsnJrnl tells you how each one got there — together they reconstruct timeline evidence.
Master File Table (MFT): the NTFS $MFT explained
What the NTFS Master File Table is, how a record is laid out, which attributes it stores, and what to do when $MFT is corrupt.
How $MFT reveals a ransomware attack
Ransomware leaves a distinctive footprint in NTFS $MFT — mass extension changes, burst writes, orphaned originals, and shadow copy deletions over time.
MFT parser tools: MFTECmd, omerbenamram/mft, and browser
Three serious MFT parsers compared — MFTECmd on Windows, omerbenamram/mft for scripting, and a browser-side WebAssembly tool — and when to reach for which one.
How to recover deleted files from NTFS using the MFT
Step-by-step guide to recovering deleted files from NTFS using $MFT — how recovery works, which tools to reach for (TestDisk, R-Studio, FTK), and limits.
Building a forensic timeline from $MFT
Every MFT record carries eight timestamps that let you reconstruct a Windows volume's activity hour by hour, plus pair them with $UsnJrnl for a supertimeline.
How to parse an NTFS $MFT file in Python
Three working approaches to parsing an NTFS $MFT in Python — analyzeMFT, libmft, and shelling out to a fast Rust parser — with code samples and benchmarks.
Alternate Data Streams: hidden $DATA attributes on NTFS
Every NTFS file can carry multiple $DATA attributes. The unnamed one is the main stream; each named one is a separate alternate data stream, invisible to most file listings and standard directory tools.
What is $MFTMirr and when does NTFS use it?
$MFTMirr is the backup of the first MFT records that lets NTFS mount a volume when the start of $MFT itself is unreadable. What it contains, where it lives, and how chkdsk uses it.
How to extract $MFT from a live Windows system
$MFT is locked while Windows runs. Three reliable ways to grab a forensically sound copy from a live system: fsutil reserve, FTK Imager, and KAPE targets.
Volume Shadow Copy and $MFT: recovering older MFTs
Each VSS snapshot contains its own point-in-time copy of $MFT. How to extract them, and what they tell you that the live MFT cannot.
NTFS MFT vs FAT: what changed for forensics
How NTFS replaced FAT's allocation table with the Master File Table, and what that swap means for forensic evidence recovery on modern Windows volumes.
What survives when you delete a file on NTFS
Deleting a file on NTFS rarely erases it. The MFT record, $STANDARD_INFORMATION, $FILE_NAME, and often $DATA all sit waiting to be reused.
Resident data: tiny files that live inside the MFT
Small files have their entire $DATA attribute stored directly in the MFT record. For forensics, this means recovery needs only the record itself, with no data clusters to locate or carve.
NTFS anti-forensics: attacker tactics on the MFT
Timestomping, alternate data streams, wiping, USN journal manipulation — the common anti-forensic techniques on NTFS and the artifacts each one leaves behind.
The four MFT timestamps and what timestomping looks like
Every MFT record carries two sets of four timestamps. Understanding why they diverge is the foundation of NTFS time analysis.
Inside an MFT record: signature, header, and attributes
A bytewise tour of one NTFS $MFT record — the FILE signature, the record header, the fixup array, and the attribute stream.
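As an added example for the entries above on resident data, alternate data streams, the two timestamp sets, and the bytewise record layout (this is editor-written code, not from any of the pages listed here), the script below builds one synthetic 1024-byte FILE record and parses it back: it checks the signature, applies the fixup array, walks the resident attributes, decodes the $STANDARD_INFORMATION and $FILE_NAME times, collects every $DATA stream, and flags the classic timestomp tells. The record layout follows the public NTFS on-disk format; the file name `invoice.exe`, the stream contents, the timestamps, and the `timestomp_indicators` heuristics are constructed for illustration, not taken from a real volume or any named tool.

```python
"""Build and parse a synthetic NTFS FILE record (added example, constructed data)."""
import struct
from datetime import datetime, timedelta, timezone

SECTOR, RECORD_SIZE = 512, 1024
ATTR_SI, ATTR_FN, ATTR_DATA, ATTR_END = 0x10, 0x30, 0x80, 0xFFFFFFFF
TIME_KEYS = ("created", "modified", "mft_modified", "accessed")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def resident_attr(atype, content, attr_id, name=""):
    """Resident attribute: 0x18-byte header, optional UTF-16LE name, then content."""
    nbytes = name.encode("utf-16-le")
    coff = (0x18 + len(nbytes) + 7) & ~7              # content offset, 8-byte aligned
    length = (coff + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, length, 0, len(name), 0x18, 0,
                      attr_id, len(content), coff, 0, 0)
    return (hdr + nbytes + bytes(coff - 0x18 - len(nbytes))
            + content + bytes(length - coff - len(content)))


def build_record(si_times, fn_times, name, data, ads=(), record_no=40, usn=7):
    """Constructed sample: an in-use file record whose $SI and $FN clocks differ."""
    si = struct.pack("<4Q", *map(dt_to_filetime, si_times)) + bytes(16)
    fn = struct.pack("<Q", 5 | (5 << 48))             # parent: root directory, MFT entry 5
    fn += struct.pack("<4Q", *map(dt_to_filetime, fn_times))
    fn += struct.pack("<QQII", 0, 0, 0x20, 0)         # sizes, FILE_ATTRIBUTE_ARCHIVE, reparse
    fn += struct.pack("<BB", len(name), 3) + name.encode("utf-16-le")
    attrs = resident_attr(ATTR_SI, si, 0) + resident_attr(ATTR_FN, fn, 1)
    attrs += resident_attr(ATTR_DATA, data, 2)         # unnamed = main stream
    for i, (sname, sdata) in enumerate(ads):           # named $DATA = alternate data stream
        attrs += resident_attr(ATTR_DATA, sdata, 3 + i, sname)
    attrs += struct.pack("<I", ATTR_END)
    usa_off, usa_cnt = 0x30, 1 + RECORD_SIZE // SECTOR  # USN plus one entry per sector
    first_attr = (usa_off + 2 * usa_cnt + 7) & ~7       # 0x38
    rec = bytearray(RECORD_SIZE)
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", usa_off, usa_cnt, 0, 1, 1,
                     first_attr, 0x01, first_attr + len(attrs), RECORD_SIZE, 0,
                     3 + len(ads), 0, record_no)
    rec[first_attr:first_attr + len(attrs)] = attrs
    # Fixups: the last 2 bytes of each sector are replaced by the USN and the
    # originals parked in the update sequence array, so torn writes are detectable.
    struct.pack_into("<H", rec, usa_off, usn)
    for i in range(RECORD_SIZE // SECTOR):
        end = (i + 1) * SECTOR
        rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i] = rec[end - 2:end]
        struct.pack_into("<H", rec, end - 2, usn)
    return bytes(rec)


def parse_record(buf):
    """Parse one FILE record into a dict; raises ValueError on bad signature or fixups."""
    if buf[:4] != b"FILE":
        raise ValueError("bad signature %r" % buf[:4])
    rec = bytearray(buf)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(usa_cnt - 1):                       # undo fixups sector by sector
        end = (i + 1) * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d (torn write?)" % i)
        rec[end - 2:end] = rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i]
    seq, links, first_attr, flags = struct.unpack_from("<HHHH", rec, 0x10)
    info = {"record_no": struct.unpack_from("<I", rec, 0x2C)[0], "seq": seq,
            "in_use": bool(flags & 1), "is_dir": bool(flags & 2), "streams": {}}
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        nlen, noff = rec[off + 9], struct.unpack_from("<H", rec, off + 0x0A)[0]
        aname = bytes(rec[off + noff:off + noff + 2 * nlen]).decode("utf-16-le")
        if rec[off + 8] == 0:                          # resident: content lives in-record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = bytes(rec[off + coff:off + coff + clen])
            if atype == ATTR_SI:
                info["si"] = dict(zip(TIME_KEYS, struct.unpack_from("<4Q", content, 0)))
            elif atype == ATTR_FN:
                info["fn"] = dict(zip(TIME_KEYS, struct.unpack_from("<4Q", content, 8)))
                info["name"] = content[66:66 + 2 * content[64]].decode("utf-16-le")
            elif atype == ATTR_DATA:
                info["streams"][aname] = content       # "" is the main stream
        off += alen
    return info


def timestomp_indicators(info):
    """Heuristics: $SI earlier than $FN, or $SI with no sub-second ticks (SetFileTime-style)."""
    hits = []
    for k in TIME_KEYS:
        if info["si"][k] < info["fn"][k]:
            hits.append("si_%s_before_fn" % k)
        if info["si"][k] % 10_000_000 == 0:
            hits.append("si_%s_whole_second" % k)
    return hits


# Constructed sample: kernel-set $FN times, attacker-backdated $SI times.
REAL = datetime(2024, 6, 2, 9, 15, 27, 123456, tzinfo=timezone.utc)
STOMPED = datetime(2015, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
TOUCHED = datetime(2024, 6, 2, 9, 15, 30, 654321, tzinfo=timezone.utc)  # MFT-modified bumps on stomp
SAMPLE_RECORD = build_record([STOMPED, STOMPED, TOUCHED, STOMPED], [REAL] * 4, "invoice.exe",
                             b"MZ\x90\x00fake-header",
                             [("Zone.Identifier", b"[ZoneTransfer]\r\nZoneId=3\r\n")])


def demo():
    info = parse_record(SAMPLE_RECORD)
    return info, timestomp_indicators(info)


if __name__ == "__main__":
    info, hits = demo()
    print(info["name"], sorted(info["streams"]), hits)
```

The fixup check is the part most hand-rolled parsers skip: a record whose sector tails do not match the USN is either torn or not a record at all, which is exactly what you want to know when carving FILE records out of unallocated space. The `timestomp_indicators` rules are deliberately simple; a real triage would also compare against $UsnJrnl and the $FN times of sibling entries in the parent directory index.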