# Master File Table (MFT)

## Overview

* Each NTFS volume contains its own MFT (named $MFT, stored in the volume root).
* NTFS metadata files such as the $MFT are not accessible via Windows Explorer or other standard application programming interface (API) file-access methods.
* Each entry is 1,024 bytes.
* The first 16 MFT entries are reserved for essential NTFS artifacts

## Important elements of an entry

* Record type - Specifies whether a given entry represents a file or directory.
* Record # - An integer used to identify a given MFT entry. Record numbers grow sequentially as new entries are added.
* Parent record # - The record number of the parent directory. Each MFT entry only tracks the record number of its immediate parent, rather than its full path on disk.
* Active/Inactive flag - MFT entries for deleted files or directories are marked “Inactive.” NTFS will automatically reclaim and replace inactive entries with new active entries to keep the MFT from growing indefinitely.
* Attributes - Each MFT entry contains a number of “attributes” that contain metadata about a file—everything from timestamps to the physical location of the file’s contents on disk.

  Important attributes include the following:

  * $STANDARD\_INFORMATION
  * $FILE\_NAME
  * $DATA

![](/files/-MFOy0NTNT0JD06Fvbgi)
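
How the elements above sit in the raw 1,024-byte entry, as an added example that is not part of the original page: a minimal Python parser run over a constructed sample entry. Offsets follow the NTFS 3.1 record layout; the sample values (`notes.txt`, record 42, parent record 5) are constructed, and the fixup array is assumed to be already applied.

```python
import struct
from datetime import datetime, timedelta, timezone

ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA"}
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME counts 100 ns ticks from here

def parse_entry(rec):
    """Parse one 1,024-byte MFT entry. Assumes fixups are already applied."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT entry")
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    out = {"record": struct.unpack_from("<I", rec, 0x2C)[0],   # NTFS 3.1+ field
           "active": bool(flags & 0x01),
           "type": "directory" if flags & 0x02 else "file", "attributes": []}
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:    # end marker or corrupt length
            break
        out["attributes"].append(ATTR_NAMES.get(atype, hex(atype)))
        if rec[off + 8] == 0:                    # resident: content stored inline
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            if atype == 0x10:                    # first field is the creation time
                ticks = struct.unpack_from("<Q", body)[0]
                out["si_created"] = EPOCH + timedelta(microseconds=ticks // 10)
            elif atype == 0x30:
                ref = struct.unpack_from("<Q", body)[0]
                out["parent_record"] = ref & 0xFFFFFFFFFFFF   # low 48 bits
                out["name"] = body[0x42:0x42 + body[0x40] * 2].decode("utf-16-le")
        off += alen
    return out

def _attr(atype, content):
    """Build a resident attribute (constructed sample data only)."""
    pad = -len(content) % 8
    return struct.pack("<IIBBHHHIHBB", atype, 0x18 + len(content) + pad, 0, 0,
                       0x18, 0, 0, len(content), 0x18, 0, 0) + content + bytes(pad)

def sample_entry():
    """Constructed entry: active file 'notes.txt', record 42, parent record 5."""
    ft = 132539328000000000                      # 2021-01-01 00:00:00 UTC
    si = struct.pack("<4Q", ft, ft, ft, ft) + bytes(16)
    fn = struct.pack("<Q4QQQIIBB", 5 | (5 << 48), ft, ft, ft, ft, 0, 0, 0x20, 0, 9, 1)
    fn += "notes.txt".encode("utf-16-le")
    hdr = bytearray(b"FILE".ljust(0x38, b"\0"))
    struct.pack_into("<HH", hdr, 0x14, 0x38, 0x01)   # first attribute offset, in-use flag
    struct.pack_into("<I", hdr, 0x2C, 42)
    attrs = _attr(0x10, si) + _attr(0x30, fn) + _attr(0x80, b"hi")
    return (bytes(hdr) + attrs + b"\xff" * 4).ljust(1024, b"\0")
```

Because each entry stores only its parent's record number, rebuilding a full path means following `parent_record` from entry to entry until the root directory is reached.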

## MFT

* Collect the MFT and analyze the file timestamps

![](/files/-Mey1Z79RvEC69lnM3KN)

* Use MFT2CSV to convert the MFT file into a .csv file
* Choose the MFT file to be converted
* Select the appropriate time zone
* Set the output path
* Click Start Processing to begin the conversion

![](/files/-Mey1dfrYyxhr6dEd7_V)

* Open the converted file using a text editor or Excel

![](/files/-Mey1kzmFI7rRcUp0_mR)

{% embed url="<https://github.com/jschicht/Mft2Csv/wiki/Mft2Csv>" %}

## $USNJRNL

* Choose the $J file of the $USNJRNL to be converted
* Select the appropriate time zone
* Select process output options
* Click Start Processing to begin the conversion

![](/files/-Mey1uJHrmQ3O0EJvXGd)

* Open Excel, then import the file using Get Data

![](/files/-Mey1yU88XG1vlD09LZs)

![](/files/-Mey2G0V2_ItKtoj9p6q)

## $LogFile

* Choose the $LogFile and the previously processed MFT.csv file
* Select the appropriate time zone
* Click Start Processing to begin the conversion

![](/files/-Mey2OgAGXC6yOXG5n0W)

