MFT
Overview
Section titled “Overview”Evidence: MFT
Description: Dump raw contents of $MFT
Category: DiskFilesystem
Platform: windows
Short Name: mft
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Section titled “Background”The Master File Table ($MFT) is the core metadata file for NTFS volumes. This evidence type collects the raw binary $MFT file itself (as opposed to the parsed CSV version). The raw MFT file can be analyzed with specialized tools to extract more detailed information than the CSV export, including deleted file entries, file slack space, and advanced NTFS features.
Data Collected
Section titled “Data Collected”This collector gathers structured data about mft.
Collection Method
Section titled “Collection Method”This collector uses kernel driver NTFS raw access to read $MFT from each fixed NTFS drive. The raw MFT file is collected byte-for-byte.
Forensic Value
Section titled “Forensic Value”Raw MFT files enable advanced NTFS forensics beyond CSV parsing. Investigators use this data for deleted file recovery from unallocated MFT entries, advanced timeline analysis, file slack analysis, NTFS attribute analysis, and deep forensic examination with specialized MFT parsers.