Forensics notes
Short notes on NTFS internals, MFT structure, and digital forensics workflows.
Proving a file once existed when it is no longer on disk
When dir comes back empty, $MFT often still answers. A practitioner's guide to demonstrating prior existence of a file from NTFS metadata, with the caveats that hold up in review.
Pairing $UsnJrnl with $MFT for a real timeline
$MFT is a snapshot. $UsnJrnl is the sequence of changes that produced it. A practitioner's view on pairing them, what the reason codes mean, and where the journal lies.
Master File Table (MFT): the NTFS $MFT explained
What the NTFS Master File Table is, how a record is laid out, which attributes it carries, what the system files at the start mean, and what to do when $MFT is corrupt.
What ransomware looks like in $MFT
Mass extension changes, burst writes, deleted originals, and the patterns that show up in the Master File Table during an encryption run. A practitioner's view on triage.
MFT parsers that actually hold up: MFTECmd, omerbenamram/mft, and browser parsing
Three serious MFT parsers compared by someone who uses all three. When to reach for MFTECmd, when to script with omerbenamram/mft, and when the browser parser is the right answer.
Recovering deleted files from NTFS using the MFT
A practitioner's recovery workflow on NTFS: when deleted files are recoverable, the tools to reach for, the cases where the data is genuinely gone, and the resident-data trick.
Building a timeline from $MFT that survives review
A practitioner's approach to MFT-based timelining: which timestamps to emit, how to merge with USN and event logs, and where naive supertimelines mislead.
Parsing $MFT from Python without losing your weekend
Three working approaches to parsing NTFS $MFT in Python: analyzeMFT for pure-Python, libmft for a typed object model, or shelling out to a Rust parser when speed matters.
Alternate Data Streams: the second $DATA attribute everyone forgets
Named $DATA attributes ride alongside the file you can see. A practitioner's view on where ADS hides, what Windows uses them for, and why MFT triage finds them when per-file enumeration does not.
What $MFTMirr actually does and when NTFS uses it
$MFTMirr mirrors the first records of $MFT so the volume can mount when the main table's header is unreadable. Where it lives, what it holds, and the cases where it earns its keep.
Extracting $MFT from a live Windows host without breaking it
Three reliable ways to grab a forensically sound $MFT from a running Windows system, the mistakes that quietly corrupt the copy, and what to verify before you trust the file.
Volume Shadow Copy and $MFT: every snapshot is a frozen MFT
Each VSS snapshot holds a complete point-in-time $MFT. How to enumerate, mount, extract, and diff them, plus the cases where snapshots save investigations.
Why NTFS gives forensics so much more than FAT ever did
FAT records the next cluster. NTFS records everything. A practitioner's view on what the move from FAT to the Master File Table actually changed for evidence recovery.
What actually survives when a file is deleted on NTFS
Deletion on NTFS clears one bit and updates an index entry. The record, the attributes, and frequently the data sit waiting. A practitioner's view on what is recoverable and for how long.
Resident data: tiny files that live inside the MFT
Small files store their entire $DATA attribute inside the MFT record. The size threshold, the cases this saves your investigation, and the limits of the trick.
NTFS anti-forensics: what attackers actually do, and what gives them away
Timestomping, ADS payloads, USN deletion, MFT scribbles. A practitioner's catalog of NTFS anti-forensics with the specific artifacts each technique fails to scrub.
The four MFT timestamps and how timestomping shows in them
Every MFT record carries two sets of four timestamps. Why they diverge, what the divergence looks like under tampering, and the sub-second tell that catches lazy tools.
Inside an MFT record, byte by byte
A close reading of one 1,024-byte FILE record: the signature, the header, the fixup array, the attribute stream, and the fields that matter when you are reading raw bytes in a hex editor.