
Proving a file once existed on a Windows system


Forensic investigations frequently turn on a single question: was this file ever on this computer? Not "is it on the disk now?" — that's dir. The harder version is: can we show it was on the disk yesterday, last week, last year? For NTFS volumes, $MFT is usually the strongest answer.

What survives a delete

When a file is deleted on NTFS, the in-use bit in its MFT record is cleared, but the rest of the record stays. That record carries:

  • The full filename (in $FILE_NAME)
  • The parent directory reference
  • Four timestamps (created, modified, accessed, MFT-modified) — twice over, in SI and FN
  • The file's logical and physical size
  • For small files, the entire file contents (resident $DATA)
  • For larger files, the runlist of clusters that held the data

Each of those is direct evidence. A deleted MFT record with $FILE_NAME = secret-plan.docx, parent directory \Users\bob\Documents, and SI-created 2024-11-03T14:02:11Z demonstrates that a file by that name existed in that directory on that day, regardless of whether dir would show it today.

The strength of the evidence

Three properties make MFT records strong forensic evidence:

  1. NTFS writes them itself. They are not user-editable through normal Windows tools. A defendant cannot claim they were planted unless the entire $MFT was forged — a tall order.
  2. Eight timestamps cross-check each other. Manipulation usually shows: an SI timestamp that has been changed while its FN counterpart is untouched is a hallmark of timestomping.
  3. $UsnJrnl and $LogFile corroborate. If $MFT says a file was created at time T, the change journal should record the create event at the same time. Discrepancies are themselves evidence.
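As an added example (not code from this post), a minimal Python parser for a single 1024-byte MFT record that pulls out the fields listed above (in-use flag, $FILE_NAME, parent reference, SI and FN timestamps) and applies the SI-versus-FN cross-check; the records it reads are constructed in-line rather than taken from a real $MFT, with a placeholder parent record number (1234), record number 7 and update sequence number 0x5a5a as assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)        # FILETIME epoch; values are 100 ns ticks
SI, FN, END = 0x10, 0x30, 0xFFFFFFFF                      # $STANDARD_INFORMATION, $FILE_NAME, end marker
TS = ("created", "modified", "mft_modified", "accessed")  # order of the four timestamps in both SI and FN
to_dt = lambda ft: EPOCH + timedelta(microseconds=ft // 10)
to_ft = lambda dt: ((dt - EPOCH) // timedelta(microseconds=1)) * 10

def parse_record(raw):  # in-use flag, name, parent and both timestamp sets from one 1024-byte MFT record
    rec = bytearray(raw)
    assert rec[:4] == b"FILE", "not a FILE record"
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)    # undo the update-sequence (fixup) protection:
    for i in range(1, usa_cnt):                             # the real last 2 bytes of every 512-byte sector
        rec[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]   # are parked in the USA
    off, flags = struct.unpack_from("<HH", rec, 0x14)       # first attribute offset, record flags (bit 0 = in use)
    out = {"in_use": bool(flags & 1), "record_no": struct.unpack_from("<I", rec, 0x2C)[0]}
    while struct.unpack_from("<I", rec, off)[0] != END:
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
        body = rec[off + coff:off + coff + clen]
        if atype == SI and not nonres:
            out["si"] = dict(zip(TS, map(to_dt, struct.unpack_from("<4Q", body))))
        elif atype == FN and not nonres and (body[65] != 2 or "name" not in out):  # prefer long name over 8.3
            parent, *times = struct.unpack_from("<5Q", body)
            out["fn"] = dict(zip(TS, map(to_dt, times)))
            out["parent_record"] = parent & 0xFFFFFFFFFFFF    # low 48 bits: the parent directory's MFT record
            out["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
        off += alen
    return out

def timestomped(entry):  # SetFileTime-style tools rewrite SI only; SI created earlier than FN created is a red flag
    return entry["si"]["created"] < entry["fn"]["created"]

def build_record(name, parent_rec, si_times, fn_times, in_use, record_no=7):  # constructed test record only
    def attr(atype, body):                                  # resident attribute header + 8-byte-aligned body
        body += bytes(-len(body) % 8)
        return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body), 0, 0, 0, 0, 0, len(body), 24, 0, 0) + body
    si_attr = attr(SI, struct.pack("<4QI", *map(to_ft, si_times), 0x20) + bytes(12))
    fn_attr = attr(FN, struct.pack("<Q4QQQIIBB", parent_rec | 1 << 48, *map(to_ft, fn_times), 0, 0, 0x20, 0,
                                   len(name), 1) + name.encode("utf-16-le"))
    body = si_attr + fn_attr + struct.pack("<I", END)
    hdr = struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38, int(in_use), 0x38 + len(body), 1024, 0, 3, 0, record_no)
    rec = bytearray(b"FILE" + hdr + bytes(8) + body).ljust(1024, b"\0")
    rec[0x30:0x32] = b"\x5a\x5a"                            # update sequence number (constructed)
    for i in (1, 2):                                        # park each sector tail in the USA, stamp the USN
        rec[0x30 + 2 * i:0x32 + 2 * i], rec[i * 512 - 2:i * 512] = rec[i * 512 - 2:i * 512], b"\x5a\x5a"
    return bytes(rec)
T = lambda s: datetime.fromisoformat(s.replace("Z", "+00:00"))
DELETED = build_record("secret-plan.docx", 1234, [T("2024-11-03T14:02:11Z")] * 4, [T("2024-11-03T14:02:11Z")] * 4, False)
STOMPED = build_record("secret-plan.docx", 1234, [T("2019-01-01T00:00:00Z")] * 4, [T("2024-11-03T14:02:11Z")] * 4, True)
```

Run against a real $MFT, the same parser is applied record by record at 1024-byte strides; the deleted record still yields the name, parent and all eight timestamps even though its in-use bit is clear.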

What you cannot prove from $MFT alone

$MFT proves the file existed in a particular directory at a particular time. It does not prove:

  • Who created or accessed it — that requires Security event logs
  • What program produced it — Prefetch and ShimCache help here
  • What was inside it, for large files — unless you recover the data clusters
  • Whether it was ever opened by a user — Jump Lists and LNK files are more useful

A complete answer usually fuses $MFT with the surrounding artifacts. But $MFT is the cornerstone — without it, the other pieces have nothing to anchor to.
