Building a forensic timeline from $MFT

A forensic timeline answers one question: what happened on this machine, in what order? On NTFS, $MFT is the densest single source for that answer. Every file and directory on the volume contributes eight timestamps (more if its record carries a second $FILE_NAME, such as an 8.3 short name), and they all live in one file.

What you get from each record

Every MFT entry has two timestamp-carrying attributes:

  • $STANDARD_INFORMATION (SI) — created, modified, accessed, MFT-modified
  • $FILE_NAME (FN) — created, modified, accessed, MFT-modified

Each timestamp becomes its own timeline event. A single file therefore produces eight rows from these two attributes: "SI created", "FN created", "SI modified", and so on (twelve if it also carries an 8.3 short-name $FILE_NAME). Walking the whole MFT and emitting one row per timestamp gives you, in a single pass, a supertimeline of every file event the volume still remembers, deleted entries included as long as their MFT records have not been reused.

How to lay it out

The layout that works is one row per event, sorted by timestamp, in the spirit of mactime output:

2026-05-15T10:23:01Z|FILE|allocated|/Users/alice/notes.txt|SI|created
2026-05-15T10:23:01Z|FILE|allocated|/Users/alice/notes.txt|FN|created
2026-05-15T10:24:18Z|FILE|allocated|/Users/alice/notes.txt|SI|modified

Six columns: timestamp, type, status, path, attribute, event. Keep the timestamps in UTC, which is how NTFS stores them, and convert to local time only when you reason about working hours. This flat layout is not the Sleuth Kit body file that mactime itself reads (that format carries all of a file's timestamps on one line); it is the one-event-per-row form that is ready for grep, sort and plotting.
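The parse-and-emit pass described above, as an added example that is not the post's own tooling: it undoes the update-sequence fixup on each record, reads the four timestamps out of $STANDARD_INFORMATION and each $FILE_NAME, resolves the path through parent references, and emits rows in the six-column layout. The records it runs on are constructed in build_record() as a fixture (the record numbers, names and times are made up); on a real case you would slice 1024-byte records out of an exported $MFT instead.

```python
# Added example (not the post's own tool): parse raw $MFT records, undo the update-sequence
# fixup, and emit one mactime-style row per timestamp. build_record() fabricates the records.
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SI_TYPE, FN_TYPE, END_TYPE = 0x10, 0x30, 0xFFFFFFFF
ROOT_REF = 5  # MFT record number of the volume root directory
TS_NAMES = ("created", "modified", "mft_modified", "accessed")  # on-disk order in SI and FN

def filetime_to_iso(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601 at whole seconds."""
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%dT%H:%M:%SZ")

def apply_fixups(raw):
    """Undo the update-sequence fixup: put each sector's real last two bytes back."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * 512 - 2
        if rec[end:end + 2] != usn:
            raise ValueError("fixup mismatch: torn write or corrupt record")
        rec[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec

def parse_record(raw):
    """Return (record_no, parent_no, name, kind, status, [(iso_ts, attr, event), ...])."""
    rec = apply_fixups(raw)
    off, flags, _, _, _, _, _, rec_no = struct.unpack_from("<HHIIQHHI", rec, 0x14)
    kind, status = ("DIR" if flags & 0x02 else "FILE"), ("allocated" if flags & 0x01 else "deleted")
    name, parent, events = None, None, []
    while True:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_TYPE or alen == 0:
            break
        if rec[off + 8] == 0 and atype in (SI_TYPE, FN_TYPE):  # both are always resident
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            label = "SI" if atype == SI_TYPE else "FN"
            if atype == FN_TYPE and (name is None or body[0x41] != 2):  # prefer long name over 8.3
                parent = struct.unpack_from("<Q", body, 0)[0] & 0xFFFFFFFFFFFF
                name = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
            times = struct.unpack_from("<4Q", body, 8 if atype == FN_TYPE else 0)
            events += [(filetime_to_iso(t), label, ev) for ev, t in zip(TS_NAMES, times)]
        off += alen
    return rec_no, parent, name, kind, status, events

def build_timeline(records):
    """Sorted 'ts|type|status|path|attr|event' rows, paths resolved via parent references."""
    parsed = [parse_record(r) for r in records if r[:4] == b"FILE"]
    names = {no: (name, parent) for no, parent, name, *_ in parsed}
    def path_of(no):
        parts = []
        while no != ROOT_REF and no in names and len(parts) < 64:  # 64 = cycle guard
            name, no = names[no]
            parts.append(name or "?")
        return "/" + "/".join(reversed(parts))
    rows = [(ts, kind, status, path_of(no), attr, ev)
            for no, _, _, kind, status, events in parsed for ts, attr, ev in events]
    rows.sort(key=lambda r: r[0])
    return ["|".join(r) for r in rows]

def filetime(iso):
    """ISO 8601 'Z' string -> FILETIME ticks (fixture helper)."""
    dt = datetime.strptime(iso, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def build_record(rec_no, parent_no, name, si_times, fn_times, is_dir=False):
    """Constructed record: FILE header, resident SI and FN, end marker, fixups applied."""
    def attr(atype, body):
        total = (0x18 + len(body) + 7) & ~7
        hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0)
        return hdr + body + bytes(total - len(hdr) - len(body))
    si = struct.pack("<4Q", *si_times) + bytes(16)
    fn = (struct.pack("<Q", parent_no | (1 << 48)) + struct.pack("<4Q", *fn_times)
          + bytes(24) + struct.pack("<BB", len(name), 1) + name.encode("utf-16-le"))
    attrs = attr(SI_TYPE, si) + attr(FN_TYPE, fn) + struct.pack("<I", END_TYPE) + bytes(4)
    rec = bytearray(1024)
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 0x30, 3, 0, 1, 1, 0x38,
                     0x01 | (0x02 if is_dir else 0), 0x38 + len(attrs), 1024, 0, 2, 0, rec_no)
    rec[0x38:0x38 + len(attrs)] = attrs
    rec[0x30:0x32] = usn = b"\x01\x00"
    for i in (1, 2):  # stash each sector's real last two bytes in the USA, write the USN there
        end = i * 512 - 2
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)

T_DIR, T_CREATE, T_EDIT = "2026-01-01T00:00:00Z", "2026-05-15T10:23:01Z", "2026-05-15T10:24:18Z"
SAMPLE_RECORDS = [  # constructed fixture: \alice\notes.txt created, then edited 77 s later
    build_record(39, ROOT_REF, "alice", [filetime(T_DIR)] * 4, [filetime(T_DIR)] * 4, is_dir=True),
    build_record(40, 39, "notes.txt", [filetime(t) for t in (T_CREATE, T_EDIT, T_EDIT, T_CREATE)],
                 [filetime(T_CREATE)] * 4),
]

if __name__ == "__main__":
    for row in build_timeline(SAMPLE_RECORDS):
        print(row)
```

The fixup step is not optional: on disk, the last two bytes of every 512-byte sector of a record are replaced by the update sequence number and the real bytes are parked in the update sequence array, so a parser that skips this reads wrong attribute lengths or timestamps for any record whose attributes straddle a sector end. The example handles only resident attributes and 1 KiB records, which covers $STANDARD_INFORMATION and $FILE_NAME on ordinary volumes; 4 KiB records and non-resident attributes are outside its scope.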

Cross-reference for context

$MFT alone tells you when files changed. It does not tell you why. Pair it with:

  • $UsnJrnl:$J for the sequence of file-system operations (create, rename, overwrite, delete), each tagged with a reason code
  • $LogFile for low-level NTFS metadata transactions, which usually covers only the last few hours of activity
  • Prefetch (.pf) files for evidence of program execution
  • Registry hives and their transaction logs (.LOG1/.LOG2) for configuration changes

A timeline that merges these sources can often reconstruct an attacker's session minute by minute, even when the Windows event logs were cleared, because these artifacts live outside the logs an attacker usually wipes.

Spot anomalies fast

Once your timeline is sorted, anomalies become visible:

  • A burst of file modifications at 3 a.m. followed by deletion — classic ransomware staging
  • A long-untouched system file with a fresh modified timestamp — possible persistence injection
  • Hundreds of files with the same creation second — bulk staging or installer footprint
  • SI created earlier than FN created, a timestomping lead: SI timestamps can be set from user mode (SetFileTime), FN timestamps only by the kernel, so disagreement between them deserves a look; a move or rename also refreshes FN, so confirm before calling it

Remember that the timestamps are UTC, so "3 a.m." means 3 a.m. after converting to the machine's local time. The MFT does not interpret these; it just shows them. The interpretation is the analyst's job.
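Three of these checks run over rows in the six-column layout, as an added example that is not from the post: off-hours modifications whose records are now deleted, same-second creation bursts, and SI created predating FN created. The timeline text is constructed so that each check gets exactly one hit; the hour window (given in UTC, so shift it for the machine's local time) and the burst threshold are assumptions to tune per case.

```python
# Added example (not from the post): anomaly checks over constructed rows in the
# ts|type|status|path|attr|event layout. Window and threshold values are assumptions.
from collections import defaultdict

SAMPLE_TIMELINE = """\
2026-05-15T02:58:10Z|FILE|allocated|/Users/alice/Documents/q1.xlsx|SI|created
2026-05-15T03:01:02Z|FILE|deleted|/Users/alice/Documents/a.docx|SI|modified
2026-05-15T03:01:02Z|FILE|deleted|/Users/alice/Documents/b.docx|SI|modified
2026-05-15T03:01:03Z|FILE|deleted|/Users/alice/Documents/c.docx|SI|modified
2026-05-15T03:01:03Z|FILE|allocated|/Users/alice/Documents/d.docx|SI|modified
2024-02-01T09:00:00Z|FILE|allocated|/Users/alice/tmp/loader.bin|SI|created
2026-05-15T03:05:44Z|FILE|allocated|/Users/alice/tmp/loader.bin|FN|created
2026-05-15T03:05:44Z|FILE|allocated|/Users/alice/tmp/x1.tmp|SI|created
2026-05-15T03:05:44Z|FILE|allocated|/Users/alice/tmp/x2.tmp|SI|created
2026-05-15T03:05:44Z|FILE|allocated|/Users/alice/tmp/x3.tmp|SI|created
2026-05-15T10:23:01Z|FILE|allocated|/Users/alice/notes.txt|SI|created
2026-05-15T10:23:01Z|FILE|allocated|/Users/alice/notes.txt|FN|created
"""

FIELDS = ("ts", "kind", "status", "path", "attr", "event")


def parse_timeline(text):
    """Rows as dicts, sorted by timestamp (the layout is already UTC ISO 8601)."""
    rows = [dict(zip(FIELDS, line.split("|"))) for line in text.splitlines() if line.strip()]
    return sorted(rows, key=lambda r: r["ts"])


def off_hours_modified_and_deleted(rows, start_hour=0, end_hour=6):
    """Files modified inside the quiet window (UTC hours) whose MFT record is now deleted."""
    return sorted({r["path"] for r in rows
                   if r["attr"] == "SI" and r["event"] == "modified" and r["status"] == "deleted"
                   and start_hour <= int(r["ts"][11:13]) < end_hour})


def same_second_creations(rows, threshold=3):
    """Seconds in which at least `threshold` distinct files received an SI created stamp."""
    per_second = defaultdict(set)
    for r in rows:
        if r["attr"] == "SI" and r["event"] == "created":
            per_second[r["ts"]].add(r["path"])
    return {ts: len(paths) for ts, paths in per_second.items() if len(paths) >= threshold}


def si_created_before_fn(rows):
    """Paths whose SI created stamp predates FN created: a timestomping lead, not a verdict
    (a move or rename also refreshes FN, so confirm against $UsnJrnl before concluding)."""
    created = defaultdict(dict)
    for r in rows:
        if r["event"] == "created":
            created[r["path"]][r["attr"]] = r["ts"]
    return sorted(p for p, c in created.items() if "SI" in c and "FN" in c and c["SI"] < c["FN"])


if __name__ == "__main__":
    rows = parse_timeline(SAMPLE_TIMELINE)
    print("off-hours modified, now deleted:", off_hours_modified_and_deleted(rows))
    print("same-second creation bursts:", same_second_creations(rows))
    print("SI created before FN created:", si_created_before_fn(rows))
```

Each function returns leads, not findings: d.docx is excluded from the first check only because its record is still allocated, and loader.bin shows up in the third check because its SI creation time sits two years before the FN one, which is exactly what a backdated SetFileTime call produces but also what a moved file can look like.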