Resolving File Paths Using the MFT

In NTFS, the MFT (Master File Table) is a structure that contains much of the file system's metadata, as well as the contents of small files. It is stored in a special file called $MFT. In incident response, we often collect and parse this file to determine the file system's contents and how they changed over time, without having to acquire a full disk image. There are many bad MFT parsers out there....

July 7, 2022 · 16 min · 3401 words · Harel Segev