Master File Table (MFT), NTFS, $LogFile, and $UsnJrnl: Forensics
Last updated
The Master File Table ($MFT), the $LogFile and the $UsnJrnl change journal are core metadata structures of the NTFS file system. Because NTFS records who, what and when for nearly every file operation in them, forensic investigators rely on these structures to reconstruct activity timelines, detect malicious behaviour such as timestamp manipulation, and recover evidence of files that no longer exist.
Master File Table (MFT)
Overview
The Master File Table ($MFT) is the central database of an NTFS volume: every file and directory, including the file system's own metadata files ($MFT itself, $LogFile, $Bitmap and so on), has a record in it. Records are 1024 bytes by default, and the first 16 are reserved for system files ($MFT is record 0, $LogFile is record 2, the root directory is record 5).
Structure
File Reference Number: a 64-bit identifier made of the 48-bit MFT entry index and a 16-bit sequence number that is incremented when the entry is reused, so a reference points at one lifetime of a file rather than just a slot in the table.
$STANDARD_INFORMATION Attribute: holds the four timestamps Windows displays (created, modified, MFT entry modified, accessed) plus the file's attribute flags. These are the timestamps that user-mode calls such as SetFileTime can rewrite.
$FILE_NAME Attribute: stores the name, the parent directory reference and its own copy of the four timestamps, which the kernel maintains and which are not directly settable through the usual user-mode APIs; a $STANDARD_INFORMATION set that disagrees with the $FILE_NAME set is a common timestomping indicator.
$DATA Attribute: either resident (small content stored inside the MFT record itself, typically under about 700 bytes) or non-resident (a list of data runs pointing at clusters on disk). Alternate data streams are simply additional, named $DATA attributes in the same record.
Other Attributes: security descriptor (or an index into $Secure), $OBJECT_ID, $INDEX_ROOT and $INDEX_ALLOCATION for directories, and more.
Forensic Value
File Activity Timeline: the $STANDARD_INFORMATION and $FILE_NAME attributes together give eight timestamps per file name, which anchor the timeline and let analysts spot timestomping when the two sets disagree.
Deleted File Recovery: deleting a file only clears the in-use flag of its MFT record; until the record is reused, the name, timestamps and data runs remain, so the metadata can be carved and, if the clusters are still unallocated, the content recovered.
Correlation with Other Artifacts: the MFT record and sequence numbers appear in $LogFile and $UsnJrnl entries, so the three sources can be joined to follow a file through create, rename and delete even after its MFT record has been reused.
Tools for Analysis
MFTECmd (Eric Zimmerman): parses $MFT to CSV, including both timestamp sets and resident data; the same tool also handles $J, $Boot and $SDS.
Autopsy / The Sleuth Kit: istat, fls and mactime expose MFT metadata and build timelines from it.
FTK Imager: exports $MFT and the other metadata files from a mounted image for processing by the tools above.
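To make the record layout and the timestomping check above concrete, here is an added example (not part of the original page, and not code from MFTECmd or any other tool named above) that parses one MFT record: it applies the update-sequence fixups, extracts both timestamp sets and reports where they disagree. The record is constructed inline with struct; the name payload.exe, record number 42, sequence number 7 and the timestamp values are all invented for the illustration.

```python
"""Parse the $STANDARD_INFORMATION and $FILE_NAME attributes of an NTFS MFT
record and flag timestomping. Added example for this page, not the page's own
code; the 1024-byte record below is constructed with struct, not read from disk."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
TIMES = ("created", "modified", "mft_modified", "accessed")  # on-disk order in both attributes


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def apply_fixups(record):
    """Undo the update sequence array: NTFS overwrites the last two bytes of each
    512-byte sector with the USN and keeps the originals in the array, so a
    parser that skips this step reads corrupted attribute bytes."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        pos = 512 * i - 2
        if bytes(rec[pos:pos + 2]) != usn:
            raise ValueError(f"fixup mismatch at {pos:#x}: torn write or not an MFT record")
        rec[pos:pos + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def parse_record(raw):
    if raw[:4] != b"FILE":
        raise ValueError("missing FILE signature")
    rec = apply_fixups(raw)
    seq, _links, first_attr, flags = struct.unpack_from("<HHHH", rec, 0x10)
    out = {"record_number": struct.unpack_from("<I", rec, 0x2C)[0], "sequence": seq,
           "in_use": bool(flags & 0x1), "is_directory": bool(flags & 0x2), "si": None, "fn": []}
    off = first_attr
    while off + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[off + 8] == 0:  # resident attribute: content lives inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                out["si"] = dict(zip(TIMES, struct.unpack_from("<4Q", body, 0)))
            elif atype == ATTR_FILE_NAME:
                parent = struct.unpack_from("<Q", body, 0)[0]
                name = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
                out["fn"].append({"name": name, "parent_record": parent & 0xFFFFFFFFFFFF,
                                  "parent_sequence": parent >> 48,
                                  "times": dict(zip(TIMES, struct.unpack_from("<4Q", body, 8)))})
        off += alen
    return out


def timestomp_indicators(parsed):
    """Heuristics: $SI is what SetFileTime() rewrites, $FN is kernel-maintained, so
    $SI created earlier than $FN created, or a $SI value with a zero 100 ns fraction,
    both suggest manipulation (each has benign causes too, so corroborate)."""
    hits, si = [], parsed["si"]
    if si is None:
        return hits
    for fn in parsed["fn"]:
        if si["created"] < fn["times"]["created"]:
            hits.append(f"$SI created predates $FN created for {fn['name']!r}")
    if si["created"] % 10_000_000 == 0:
        hits.append("$SI created has a zero sub-second part (tool-set timestamp)")
    return hits


def _resident_attr(atype, body):
    alen = (24 + len(body) + 7) & ~7  # attribute lengths are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, alen, 0, 0, 24, 0, 0, len(body), 24, 0, 0)
    return hdr + body + b"\x00" * (alen - 24 - len(body))


def build_sample_record():
    """Constructed record 42 for 'payload.exe' in the root directory (record 5):
    $FN says created 2024-06-15, $SI has been rolled back to 2015-03-01 12:00:00."""
    si_t = datetime_to_filetime(datetime(2015, 3, 1, 12, 0, 0, tzinfo=timezone.utc))
    fn_t = datetime_to_filetime(datetime(2024, 6, 15, 9, 30, 17, 123456, tzinfo=timezone.utc))
    si_body = struct.pack("<4Q", si_t, si_t, si_t, si_t) + b"\x00" * 16
    name = "payload.exe".encode("utf-16-le")
    fn_body = struct.pack("<Q4QQQIIBB", (5 << 48) | 5, fn_t, fn_t, fn_t, fn_t,
                          4096, 3072, 0x20, 0, len(name) // 2, 3) + name
    attrs = (_resident_attr(ATTR_STANDARD_INFORMATION, si_body)
             + _resident_attr(ATTR_FILE_NAME, fn_body) + struct.pack("<II", ATTR_END, 0))
    usa_off, usa_count, first_attr = 0x30, 3, 0x38
    rec = bytearray(1024)
    rec[:48] = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, usa_count, 0x1000, 7, 1,
                           first_attr, 0x1, first_attr + len(attrs), 1024, 0, 8, 0, 42)
    rec[first_attr:first_attr + len(attrs)] = attrs
    rec[usa_off:usa_off + 2] = usn = b"\x07\x00"
    for i in range(1, usa_count):  # simulate the on-disk fixups the parser must undo
        pos = 512 * i - 2
        rec[usa_off + 2 * i:usa_off + 2 * i + 2] = rec[pos:pos + 2]
        rec[pos:pos + 2] = usn
    return bytes(rec)


if __name__ == "__main__":
    parsed = parse_record(build_sample_record())
    fn = parsed["fn"][0]
    print(f"record {parsed['record_number']} seq {parsed['sequence']} name {fn['name']}")
    for label in TIMES:
        print(f"  {label:13} $SI {filetime_to_datetime(parsed['si'][label])}"
              f"  $FN {filetime_to_datetime(fn['times'][label])}")
    for hit in timestomp_indicators(parsed):
        print("  !!", hit)
```

Running it prints both timestamp sets side by side and two indicators: the $SI creation time predates the $FN creation time, and it has no sub-second component. On a real image, feed parse_record() each 1024-byte slice of an exported $MFT; the fixup check will also catch slices that are not records at all.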
New Technology File System (NTFS)
Overview
NTFS is the file system Microsoft introduced with Windows NT 3.1 in 1993 to replace FAT with better reliability, security and scalability. It supports per-file ACLs, EFS encryption, compression, sparse files, alternate data streams, hard links, reparse points, and volumes and files far larger than FAT32 allows.
Journaling: $LogFile records metadata changes (not file content) so the volume can be brought back to a consistent state after a crash; it protects the file system structure, not the user's data.
Permissions and Security: each file can carry a security descriptor with discretionary and system ACLs, stored centrally in the $Secure metadata file and referenced from the MFT record.
File Compression: per-file or per-directory LZNT1 compression saves disk space at the cost of CPU time on every read and write; compressed files are flagged in their MFT record.
Sparse Files: only the ranges that hold non-zero data are allocated on disk; unallocated ranges read back as zeros. The $UsnJrnl:$J stream is itself a sparse file.
Forensic Value
Comprehensive Metadata: NTFS structures, including the MFT and $LogFile, provide a wealth of forensic data.
File Recovery: journaling keeps the metadata consistent, and records and clusters that are merely unallocated allow deleted files to be recovered until they are overwritten.
Activity Analysis: correlating several NTFS artifacts against each other helps identify malicious or unauthorized activity and exposes attempts to alter any one of them.
Tools for Analysis
X-Ways Forensics: provides detailed NTFS analysis.
AccessData FTK: comprehensive file system investigation capabilities.
EnCase: offers robust NTFS parsing and artifact extraction.
$LogFile
Overview
The $LogFile (MFT record 2) is the transactional log that records metadata changes to the NTFS volume. It ensures consistency after a system crash by replaying committed transactions and rolling back incomplete ones at mount time. It is a fixed-size circular log, typically 64 MB, so new records continuously overwrite the oldest ones.
Structure
Metadata Records: logs changes to MFT records, directory index entries and volume bitmaps, each tagged with a log sequence number (LSN); the LSN of the last change to a file is also stored in the header of its MFT record, which ties the two artifacts together.
Redo/Undo Records: each operation carries the bytes needed to re-apply it (redo) and to reverse it (undo), so a parser can often recover the prior state of an attribute, such as a file's previous name or timestamps.
Forensic Value
Granular Changes: tracks detailed file and directory modifications at the attribute level.
Failed Operations: transactions without a commit are rolled back at mount; they show operations that were in flight at a crash or power loss and are not, by themselves, evidence of tampering.
Historical Insights: because the log is circular and small, it usually covers only the last hours to days of activity on a busy volume, but within that window it is the most detailed record of metadata change available, and it is unaffected by a user clearing the Windows event logs.
Tools for Analysis
LogFileParser: Extracts and decodes $LogFile records.
X-Ways Forensics: Parses $LogFile to identify system changes.
WinHex: allows manual inspection of $LogFile contents.
$UsnJrnl
Overview
The $UsnJrnl (Update Sequence Number change journal) records every change to files and directories on an NTFS volume as a short record: which file changed, how, and when. It is enabled by default on the system volume of modern Windows versions because Windows Search indexing, File History and backup rely on it, and its state and size can be checked with fsutil usn queryjournal. It is a rolling window: once the $J stream reaches its configured maximum size, the oldest records are deallocated.
Structure
Change Journal Metadata ($Max): the maximum size, allocation delta, journal ID and lowest valid USN.
Records ($J): USN_RECORD_V2 structures holding the record length, the file and parent file reference numbers (MFT entry plus sequence number), the USN (the record's byte offset in the stream), a FILETIME timestamp, a reason bitmask and the file name. Reasons accumulate across a series of records for the same file until a record carrying the CLOSE flag, so a simple create-and-write ends as FILE_CREATE | DATA_EXTEND | CLOSE.
Forensic Value
Change Tracking: logs file system events, revealing activity even when event logs have been cleared or were never enabled.
File Deletion Evidence: deletions, renames (old and new name as consecutive RENAME_OLD_NAME and RENAME_NEW_NAME records) and attribute changes are recorded together with the MFT reference, which ties them to the matching $MFT record even after the file is gone.
Timeline Reconstruction: precise timestamps for each event, ordered by USN, usually spanning days to weeks depending on how busy the volume is.
$Extend\$UsnJrnl: the journal itself, a file in the hidden $Extend directory that carries two alternate data streams:
$Max: the journal configuration (maximum size, allocation delta, journal ID, lowest valid USN).
$J: the records. The stream is sparse: only its tail is allocated, so an export has a large logical size whose leading part reads back as zeros.
Once exported, the two streams appear as separate files ($Max and $J) in the case folder.
UsnJrnl2Csv: converts $J records to CSV.
MFTECmd: the same Eric Zimmerman tool used for $MFT also parses an exported $J to CSV, so journal records can be joined to MFT records on entry and sequence number.
X-Ways Forensics: includes functionality to parse $UsnJrnl records.
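As an added example of the record format and the reason-accumulation behaviour described above (not part of the original page, and not code from UsnJrnl2Csv or MFTECmd), the following parser walks a $J stream, skips the zero-filled sparse head, decodes each USN_RECORD_V2 and rebuilds a per-file timeline, pairing RENAME_OLD_NAME with RENAME_NEW_NAME. The journal bytes are constructed inline; the file names evil.exe, svchost.exe and notes.txt, the MFT references and the timestamps are invented for the illustration.

```python
"""Walk an exported $UsnJrnl:$J stream, decode USN_RECORD_V2 entries and rebuild
a per-file timeline. Added example for this page, not the page's own code; the
journal bytes are constructed below, not exported from a real volume."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
REASONS = {
    0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
    0x10: "NAMED_DATA_OVERWRITE", 0x20: "NAMED_DATA_EXTEND", 0x40: "NAMED_DATA_TRUNCATION",
    0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x400: "EA_CHANGE", 0x800: "SECURITY_CHANGE",
    0x1000: "RENAME_OLD_NAME", 0x2000: "RENAME_NEW_NAME", 0x4000: "INDEXABLE_CHANGE",
    0x8000: "BASIC_INFO_CHANGE", 0x10000: "HARD_LINK_CHANGE", 0x20000: "COMPRESSION_CHANGE",
    0x40000: "ENCRYPTION_CHANGE", 0x80000: "OBJECT_ID_CHANGE", 0x100000: "REPARSE_POINT_CHANGE",
    0x200000: "STREAM_CHANGE", 0x80000000: "CLOSE",
}
FILE_CREATE, FILE_DELETE, RENAME_OLD, RENAME_NEW, CLOSE = 0x100, 0x200, 0x1000, 0x2000, 0x80000000


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def decode_reason(mask):
    return [name for bit, name in sorted(REASONS.items()) if mask & bit]


def iter_usn_records(data):
    """Yield USN_RECORD_V2 dicts. $J is sparse, so its unallocated head reads as
    zeros; a zero 'length' is skipped eight bytes at a time (records are 8-aligned)."""
    off, end = 0, len(data)
    while off + 0x3C <= end:
        length, major, _minor = struct.unpack_from("<IHH", data, off)
        if length == 0:
            off += 8
            continue
        if major != 2 or length < 0x3C or length % 8 or off + length > end:
            raise ValueError(f"corrupt or unsupported record at offset {off:#x}")
        (file_ref, parent_ref, usn, ts, reason, _source, _sid, attrs,
         name_len, name_off) = struct.unpack_from("<QQQQIIIIHH", data, off + 8)
        if name_off + name_len > length:
            raise ValueError(f"file name overruns record at offset {off:#x}")
        yield {"usn": usn, "timestamp": ts, "reason": reason, "attributes": attrs,
               "mft_record": file_ref & 0xFFFFFFFFFFFF, "sequence": file_ref >> 48,
               "parent_record": parent_ref & 0xFFFFFFFFFFFF,
               "name": data[off + name_off:off + name_off + name_len].decode("utf-16-le")}
        off += length


def build_timeline(records):
    """Reasons accumulate over a series of records for one file until CLOSE, so the
    CLOSE record is the summary; RENAME_OLD_NAME arrives on its own record (never
    closed) carrying the old name, which is paired with the following RENAME_NEW_NAME."""
    timeline, pending_old = {}, {}
    for r in records:
        key = (r["mft_record"], r["sequence"])
        events = timeline.setdefault(key, [])
        if r["reason"] & RENAME_OLD and not r["reason"] & RENAME_NEW:
            pending_old[key] = r["name"]
            continue
        if not r["reason"] & CLOSE:
            continue  # intermediate record of a series; wait for the summary
        when = filetime_to_datetime(r["timestamp"])
        if r["reason"] & FILE_CREATE:
            events.append((when, f"created {r['name']}"))
        if r["reason"] & RENAME_NEW:
            events.append((when, f"renamed {pending_old.pop(key, '?')} -> {r['name']}"))
        if r["reason"] & FILE_DELETE:
            events.append((when, f"deleted {r['name']}"))
        if r["reason"] & 0x7 and not r["reason"] & (FILE_CREATE | FILE_DELETE):
            events.append((when, f"data modified {r['name']}"))
    return timeline


def _record(usn, ts, file_ref, parent_ref, reason, name):
    enc = name.encode("utf-16-le")
    length = (0x3C + len(enc) + 7) & ~7
    body = struct.pack("<IHHQQQQIIIIHH", length, 2, 0, file_ref, parent_ref, usn, ts,
                       reason, 0, 0, 0x20, len(enc), 0x3C) + enc
    return body + b"\x00" * (length - len(body))


def build_sample_journal():
    """Constructed $J: evil.exe is created in the root directory, renamed to
    svchost.exe and deleted; notes.txt (another file) is overwritten in between."""
    evil, root, notes = (3 << 48) | 1234, (5 << 48) | 5, (1 << 48) | 77
    t0 = datetime_to_filetime(datetime(2024, 6, 15, 9, 30, 0, tzinfo=timezone.utc))
    steps = [
        (evil, FILE_CREATE, "evil.exe"), (evil, FILE_CREATE | 0x2, "evil.exe"),
        (evil, FILE_CREATE | 0x2 | CLOSE, "evil.exe"),
        (evil, RENAME_OLD, "evil.exe"), (evil, RENAME_NEW, "svchost.exe"),
        (evil, RENAME_NEW | CLOSE, "svchost.exe"),
        (notes, 0x1 | CLOSE, "notes.txt"),
        (evil, FILE_DELETE | CLOSE, "svchost.exe"),
    ]
    data = bytearray(64)  # the sparse, unallocated head of the stream reads as zeros
    for i, (file_ref, reason, name) in enumerate(steps):  # one record per second
        data += _record(len(data), t0 + i * 10_000_000, file_ref, root, reason, name)
    return bytes(data)


if __name__ == "__main__":
    for key, events in build_timeline(iter_usn_records(build_sample_journal())).items():
        for when, what in events:
            print(f"{when:%Y-%m-%d %H:%M:%S} MFT {key[0]}-{key[1]}: {what}")
```

The output is three lines for MFT entry 1234-3 (created evil.exe, renamed evil.exe -> svchost.exe, deleted svchost.exe) and one for 77-1. The key (entry, sequence) is what lets these events be joined to the corresponding $MFT record, and the rename pairing shows why a grep for a single file name in the journal is not enough.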
The MFT, $LogFile and $UsnJrnl are integral metadata structures of the NTFS file system that serve both operational and forensic purposes. They provide:
Detailed metadata and event logs for forensic timelines.
Evidence of file creation, deletion, and modification.
Resilience against data loss due to journaling.
By leveraging tools like MFTECmd, LogFileParser, and X-Ways Forensics, and by cross-checking the three artifacts against each other, investigators can uncover hidden evidence, reconstruct events, and corroborate findings from other sources. These artifacts are a cornerstone of Windows forensics, with one caveat: $LogFile and $UsnJrnl are rolling windows and MFT timestamps can be forged, so conclusions should rest on agreement between several of them rather than on any one alone.