by Mark Stam


The Master File Table or MFT can be considered one of the most important files in the NTFS file system, as it keeps records of all files in a volume, the physical location of the files on the drive and file metadata. One of the most important tasks of a computer forensics expert is making file artifacts and metadata visible.

What you will learn:

  • How to locate file artifacts and metadata within the Master File Table

  • How to recover file data with FTK Imager

What you should know:

  • Familiarity with the normal layout of a Windows File System

This article describes, in a straightforward manner, the process of extracting NTFS file system data from a physical device. NTFS uses the Master File Table (MFT) as a database to keep track of files. We can use the MFT to investigate data and find detailed information about files. In this example I use FTK Imager to find a picture (JPEG file) in Windows 7.


Open the Physical Drive of my computer in FTK Imager. The contents of the Physical Drive appear in the Evidence Tree Pane. Click the root of the file system and several files are listed in the File List Pane, notice the MFT. Click this file to show the contents in the Viewer Pane.


Figure 1. FTK Imager Panes


Click the Viewer Pane and press the CTRL + F keys to open up the Find function. Search for pictures and perhaps decide to enter the common term “IMG”.

Figure 2. Search for file artifacts in the MFT (FTK)

In a short while FTK Imager finds a result. In this case, the search hit belongs to a file named IMG00264_20100109-1450.jpg. This JPEG file has more information, for instance; each MFT record has a record header, FILE0, also known as magic marker. Carefully consider the options as this magic marker is some lines above the search hit.


Figure 3. Creation time (FTK)

At byte offset 80 after the magic marker, shows the file creation time, which is 8 bytes in length. In order to find byte offset 80, press CTRL + G (from current position).

Figure 4. Byte Offset (FTK)

At byte offset 80 after the magic marker, select 8 bytes and the Hex Value Interpreter shows the creation time of the file is 14-12-2012 10:42:42 UTC.


The next 8 bytes show the file alternation time (UTC)

Figure 5. Alternation time (FTK)


The next 8 bytes show the MFT change time (UTC)

Figure 6. MFT change time (FTK)


The next 8 bytes show the File Read Time (UTC)

Figure 7. File Read Time (FTK)

Recover this picture for further analysis.


One of the MFT attributes is the $DATA section. It starts with code 0 x 80 00 00 00.
Go back to the magic marker FILE0 and use CTRL + F and do a Binary(hex) search for 80000000. This will point directly to to the $DATA section of the specific MFT record.

Figure 8. $DATA section (FTK)

Notice the length of the $DATA section is 0 x 48 00 00 00.

The 4 bytes behind 0 x 80 00 00 00 shows the length of the $DATA section. In this case it is 0 x 48 00 00 00. The Hex Value Interpreter converts this to 72 decimal.

Figure 9. Hex Value Interpreter (FTK)


The code right next to 0 x 48 00 00 00 is 0 x 01 00.

01 00 means existing file
00 00 means deleted file
03 00 means existing folder
04 00 means deleted folder

The picture to be recovered has not been deleted from the hard drive. Information about the actual location of the picture on the hard drive is available in data runs, which start at byte offset 32 of the $DATA section.

Figure 10. $DATA section (FTK)

In this case, byte offset 32 of the $DATA section is 0 x 40. The Hex Value Interpreter converts this to 64 decimal.

Figure 11. Hex Value Interpreter (FTK)

Now, go to byte offset 64 from the beginning of the $DATA section where you will find the data run with information about the first cluster of the picture data. At many times the data run starts with 0 x 31 and ends with 0 x 0, but this is not always the case. In this case, the data run starts with 0 x 31.

Figure 12. Data run information (FTK)

The code next to 0 x 31 (in this case 0 x 5E) shows the amount of clusters belonging to the picture data.

Figure 13. Clusters (FTK)

The Hex Value Interpreter converts this to 94 decimal, which means the data of the picture fills 94 clusters.

The next 3 bytes (0 x AB A4 7B) show the number of the cluster. The Hex Value Interpreter converts this to 8103083 decimal.

Figure 14. Hex Value Interpreter (FTK)

Click on the Volume name in the Evidence Tree Pane and the Properties tab (next to the Hex Value Interpreter) show the size of one cluster is 4096 bytes.

Figure 15. Properties tab (FTK)

Some simple math

94 x 4096 = 385024
Now you know:
The starting cluster is 8103083
The size of the photo is 385024 bytes.

Click the Volume name in the Evidence Tree Pane and right click the Viewer Pane.
Select “go to sector / cluster” and enter cluster number 8103083.

Figure 16. Cluster (FTK)

Figure 17. JPEG file header (FTK)

The file header of a JPEG file (ÿØÿà..JFIF) appears in the Viewer Pane.
Right click the Viewer Pane and enter 385024 in “Set Selection Length…”

Figure 18. Set Selection Length (FTK)

Right click the selected data and use “Save Selection …” in order to save the picture data as a file.

Figure 19. The Result

NTFS Forensics: A Programmers View of Raw Filesystem Data Extraction
Jason Medeiros, Grayscale Research 2008

Computer and Information Security Handbook
John R. Vacca, Elsevier 2013


NTFS uses the Master File Table (MFT) as a database to keep track of files. We can use FTK Imager to analyze the MFT and find interesting file artifacts and metadata.


About the author———————————————————————————————-

m20Mark Stam is a digital forensics investigator who works at the National Police in The Netherlands. He specializes in Social Network Analysis and has given several presentations including at Data Expert’s Digital Experience 2011 and 2013 in The Netherlands. Mark maintains a weblog at A more complete profile can be accessed over at




September 5, 2014
© HAKIN9 MEDIA SP. Z O.O. SP. K. 2013