MFT as CSV
Overview
Evidence: MFT as CSV
Description: Dump MFT entries in CSV format
Group: DiskFilesystem
Sub Group: Disk & File System
Platform: windows
Short Name: mftcsv
Is Parsed: Yes
Sent to Investigation Hub: No
Collect Raw File(s): No
Collect as CSV File: Yes
Background
The Master File Table (MFT) is a critical component of the NTFS file system that maintains a record of every file and directory on an NTFS volume. Each file or directory on an NTFS volume has at least one entry in the MFT, which contains metadata about the file including timestamps, attributes, size, and location information. The MFT is located at a specific location on the NTFS volume (typically at the beginning) and acts as the central directory for the entire file system. Windows uses the MFT to quickly locate files and their attributes without having to traverse the entire disk.
Data Collected
This collector gathers structured data about the MFT entries on each NTFS volume and delivers it as a CSV file.
Collection Method
This collector parses MFT entries directly from NTFS volumes by reading the $MFT file on each fixed NTFS drive. The data is exported to CSV format for easy analysis.
Forensic Value
This evidence is crucial for forensic investigations as it provides a complete timeline and inventory of all files that have existed on the system. The MFT preserves information about deleted files and can reveal file system activity that isn’t visible through normal file browsing. Analysts can use this information to reconstruct user actions, identify deleted files, detect data exfiltration, and establish comprehensive timelines of file activity.
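To make the Collection Method and Forensic Value sections concrete, the following added example (written for this page; it is not the collector's own code) parses raw $MFT FILE records and renders them as CSV rows. It shows the pieces an MFT-to-CSV parser needs: undoing the update-sequence fixups, walking the resident $STANDARD_INFORMATION and $FILE_NAME attributes, converting FILETIME values, and keeping records whose in-use flag is cleared, which is how deleted files survive in the table. The $MFT image it reads is constructed in-line by a small record builder rather than taken from a disk; record numbers, names, sizes and timestamps are sample values, and the `si_before_fn` column is an extra timeline sanity check added here, not a field the collector documents.

```python
"""Minimal NTFS $MFT record parser that emits CSV (constructed sample data)."""
import csv
import io
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE, SECTOR_SIZE = 1024, 512
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_END = 0x10, 0x30, 0xFFFFFFFF
FLAG_IN_USE, FLAG_DIRECTORY = 0x01, 0x02
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
COLUMNS = ["record", "sequence", "in_use", "is_directory", "name", "parent",
           "size", "si_created", "si_modified", "fn_created", "si_before_fn"]


def filetime_to_iso(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601 string."""
    return (EPOCH + timedelta(microseconds=ft // 10)).isoformat()


def iso_to_filetime(iso):
    """Inverse of filetime_to_iso, integer-exact; used only by the sample builder."""
    d = datetime.fromisoformat(iso) - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def apply_fixups(raw):
    """Undo update-sequence fixups: the last two bytes of every sector hold the
    USN; the bytes they replaced are stored in the update sequence array."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d (torn write?)" % (i - 1))
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return rec


def parse_record(raw):
    """Parse one 1024-byte FILE record into a row dict; None for an empty slot."""
    if raw[:4] != b"FILE":
        return None
    rec = apply_fixups(raw)
    seq, _links, attr_off, flags = struct.unpack_from("<HHHH", rec, 0x10)
    row = dict.fromkeys(COLUMNS, "")
    row.update(record=struct.unpack_from("<I", rec, 0x2C)[0], sequence=seq,
               in_use=bool(flags & FLAG_IN_USE), is_directory=bool(flags & FLAG_DIRECTORY))
    si_created = fn_created = None
    off = attr_off
    while off + 0x10 <= RECORD_SIZE:
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if nonres == 0:  # resident attribute: its content lives inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == ATTR_STANDARD_INFORMATION:
                si_created, modified = struct.unpack_from("<QQ", body, 0)
                row["si_created"] = filetime_to_iso(si_created)
                row["si_modified"] = filetime_to_iso(modified)
            elif atype == ATTR_FILE_NAME:
                (parent_ref, created, _m, _mm, _a, _alloc, real, _fflags, _reparse,
                 nlen, namespace) = struct.unpack_from("<QQQQQQQIIBB", body, 0)
                if namespace != 2 or not row["name"]:  # prefer long names over DOS 8.3
                    row["name"] = body[0x42:0x42 + 2 * nlen].decode("utf-16-le")
                    row["parent"] = parent_ref & 0xFFFFFFFFFFFF  # low 48 bits: parent record
                    row["size"] = real
                    fn_created = created
                    row["fn_created"] = filetime_to_iso(created)
        off += alen
    # $FILE_NAME times are kernel-maintained, so a $STANDARD_INFORMATION creation
    # time that predates them deserves a second look when building a timeline.
    if si_created is not None and fn_created is not None:
        row["si_before_fn"] = si_created < fn_created
    return row


def mft_to_csv(mft_bytes):
    """Walk a raw $MFT image record by record and render the rows as CSV text."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=COLUMNS, lineterminator="\n")
    writer.writeheader()
    for n in range(len(mft_bytes) // RECORD_SIZE):
        row = parse_record(mft_bytes[n * RECORD_SIZE:(n + 1) * RECORD_SIZE])
        if row:
            writer.writerow(row)
    return out.getvalue()


def build_record(number, name, parent, created, modified, size,
                 in_use=True, directory=False, si_created=None):
    """Construct a synthetic FILE record (sample data, not read from any disk)."""
    def attr(atype, body, attr_id):
        total = (0x18 + len(body) + 7) & ~7
        hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, attr_id, len(body), 0x18, 0, 0)
        return hdr + body + b"\0" * (total - 0x18 - len(body))
    c, m = iso_to_filetime(created), iso_to_filetime(modified)
    si_c = iso_to_filetime(si_created) if si_created else c
    si = struct.pack("<QQQQI", si_c, m, m, m, 0x20).ljust(0x30, b"\0")
    fn = struct.pack("<QQQQQQQIIBB", parent, c, m, m, m, size, size, 0, 0, len(name), 1)
    attrs = (attr(ATTR_STANDARD_INFORMATION, si, 0)
             + attr(ATTR_FILE_NAME, fn + name.encode("utf-16-le"), 1) + struct.pack("<I", ATTR_END))
    flags = (FLAG_IN_USE if in_use else 0) | (FLAG_DIRECTORY if directory else 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, 1, 1, 0x38, flags,
                      0x38 + len(attrs), RECORD_SIZE, 0, 2, 0, number)
    rec = bytearray((hdr + b"\0" * 8 + attrs).ljust(RECORD_SIZE, b"\0"))
    rec[0x30:0x32] = b"\x07\x00"  # USN; stash each sector's last two bytes in the array
    for i in (1, 2):
        end = i * SECTOR_SIZE
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = b"\x07\x00"
    return bytes(rec)


# Constructed $MFT image: a directory, a live file, a deleted file (in-use flag
# cleared but the record intact), a file whose $SI creation time predates its
# $FN creation time, and an empty slot like those found at the table's tail.
SAMPLE_MFT = b"".join([
    build_record(5, ".", 5, "2023-06-01T08:00:00+00:00", "2023-06-01T08:00:00+00:00", 0, directory=True),
    build_record(40, "report.docx", 5, "2024-01-15T10:30:00+00:00", "2024-01-16T09:05:00+00:00", 48213),
    build_record(41, "old-notes.txt", 5, "2023-11-02T12:00:00+00:00", "2023-11-03T12:00:00+00:00", 1024, in_use=False),
    build_record(42, "tool.exe", 5, "2024-02-01T07:00:00+00:00", "2024-02-01T07:00:00+00:00", 90112,
                 si_created="2019-05-05T00:00:00+00:00"),
    b"\0" * RECORD_SIZE,
])

if __name__ == "__main__":
    print(mft_to_csv(SAMPLE_MFT))
```

Pointing `mft_to_csv` at a real `$MFT` extracted from a volume works the same way, with two caveats this sample sidesteps: attributes can be non-resident (their content lives in clusters outside the record, so only the header is visible here), and the same record can carry several $FILE_NAME attributes, which is why the parser prefers the long-name entry over the DOS 8.3 one.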