This article is an in-depth forensics guide to analyzing NTFS (New Technology File System) volumes on Windows with forensic tools. It covers the on-disk structure, file recovery, and the analysis techniques used to detect changes in the file system, such as deleted, modified, or renamed files.
NTFS File System Components
MFT (Master File Table, $MFT): Stores a record holding the metadata (and, for small files, the content) of every file and directory.
MFT Mirror ($MFTMirr): A copy of the first few MFT records (including the record for $MFT itself) so the volume can be recovered if the start of the MFT is damaged.
Log File ($LogFile): Transaction log that NTFS uses to roll metadata changes forward or back after a crash.
Bitmap File ($Bitmap): One bit per cluster, recording which clusters are allocated.
Boot Sector ($Boot): Holds the BIOS parameter block (sector and cluster sizes, the location of $MFT and $MFTMirr) and the bootstrap code.
Bad Cluster File ($BadClus): Owns the clusters marked as bad; because NTFS never allocates them again, they are a known place to hide data.
USN Journal ($UsnJrnl): Logs file changes (creation, deletion, modification, renaming), each stamped with an Update Sequence Number.
Understanding File System Structures & Metadata
If you’re getting into digital forensics, understanding NTFS (New Technology File System) is crucial. It’s the default file system for Windows and contains a wealth of forensic artifacts that investigators use to track file system activity, recover deleted files, and analyze data manipulation.
NTFS Structure: The Building Blocks
Think of NTFS as a giant library, where every file and folder is a book and the system keeps detailed records of their contents, locations, and changes.
🔹 Key NTFS Components:
Component | Purpose | Importance in Forensics |
---|---|---|
Master File Table ($MFT) | Stores metadata for every file & directory | Essential for tracking file history & recovery |
MFT Mirror ($MFTMirr) | Copy of the first MFT records | Lets the volume recover when the start of $MFT is damaged |
Log File ($LogFile) | Transaction log of metadata changes | Useful for reconstructing recent activity |
Bitmap File ($Bitmap) | Tracks allocated & free clusters | Shows which clusters are unallocated and worth carving |
Boot Sector ($Boot) | BIOS parameter block & boot code | Gives the cluster size and the location of $MFT |
Bad Cluster File ($BadClus) | Owns clusters marked as bad | Never reallocated, so a place to hide data |
USN Journal ($UsnJrnl:$J) | Logs file changes by Update Sequence Number | Key for tracking edits, deletions, renames |
Directory index ($I30) | The index of names inside each directory | Index slack keeps entries for deleted or moved files |
💡 Fun Fact: The MFT is like a table of contents for your hard drive: it holds a record for every file, and that record survives deletion until NTFS reuses it!
Understanding the Master File Table (MFT)
- The MFT is the central structure of NTFS: every file and directory has at least one 1,024-byte record holding its attributes ($STANDARD_INFORMATION, $FILE_NAME, $DATA, and so on).
- Forensic analysts use the MFT to find deleted files, recover data, and analyze timestamps (created, modified, MFT-entry modified, last accessed).
- The MFT is not part of the boot sector; the Partition Boot Sector (PBS, $Boot) stores the starting cluster of $MFT, which is how the driver (and a forensic tool) locates the table when the volume is mounted.
MFT Mirror & Log File
The Log File ($LogFile) is the NTFS transaction journal: metadata operations are written to it before they are committed, so recent file system activity can be reconstructed from it.
The MFT Mirror ($MFTMirr) is a copy of the first MFT records (typically the first four) and is used to verify and repair the start of the MFT.
If the beginning of $MFT is corrupted, the mirror restores those first records; it does not contain the rest of the table, so it cannot recover the metadata of ordinary user files.
Update Sequence Number Journal (USN Journal) & File System Change Tracking
The USN Journal ($UsnJrnl, in the $Extend directory) records changes made to files and directories (create, delete, rename, data writes, attribute changes), each stamped with a time and an Update Sequence Number, which makes it one of the most useful change-tracking artifacts on an NTFS volume.
$UsnJrnl has two data streams:
$Max – Holds the journal's configuration: its maximum size and allocation delta.
$J – Contains the actual journal records, each naming the affected file, its MFT entry and parent entry, the timestamp, and the reason flags for the change.
Investigators use command-line tools to parse these records and generate forensic timelines.
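As an added example (not part of the original article or of the TryHackMe room), the following Python parses the USN_RECORD_V2 structures that make up $J and reconstructs the history of one MFT entry across its renames. The journal it reads is constructed inside the script (the entry number, file names and times are invented and only loosely modelled on the room), so it runs offline; the same parse_usn_journal works unchanged on a $J stream exported with FTK Imager.

```python
import struct
from datetime import datetime, timedelta, timezone

# USN_RECORD_V2 reason bits from the Windows SDK (winioctl.h); only the common ones are listed.
USN_REASONS = {
    0x00000001: "DataOverwrite", 0x00000002: "DataExtend", 0x00000004: "DataTruncation",
    0x00000100: "FileCreate", 0x00000200: "FileDelete", 0x00001000: "RenameOldName",
    0x00002000: "RenameNewName", 0x00008000: "BasicInfoChange", 0x80000000: "Close",
}
HEADER = "<IHHQQQQIIIIHH"   # RecordLength .. FileNameOffset: the fixed 60-byte part of USN_RECORD_V2
HEADER_LEN = struct.calcsize(HEADER)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME counts 100-ns ticks since 1601-01-01 UTC; datetime keeps microseconds."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def build_usn_record(file_ref, parent_ref, usn, when, reason, name):
    """Pack one USN_RECORD_V2 the way ntfs.sys appends it to $UsnJrnl:$J (used for the sample only)."""
    name_bytes = name.encode("utf-16-le")
    length = (HEADER_LEN + len(name_bytes) + 7) & ~7      # records are 8-byte aligned
    rec = struct.pack(HEADER, length, 2, 0, file_ref, parent_ref, usn, datetime_to_filetime(when),
                      reason, 0, 0, 0x20, len(name_bytes), HEADER_LEN)
    return (rec + name_bytes).ljust(length, b"\x00")

def parse_usn_journal(data):
    """Walk a raw $J extract and return one dict per record.

    $J is sparse: the part that has already been purged reads as zeros, so runs of
    zero-length records are skipped instead of being treated as corruption.
    """
    records, off = [], 0
    while off + HEADER_LEN <= len(data):
        length = struct.unpack_from("<I", data, off)[0]
        if length == 0:
            off += 8
            continue
        if length < HEADER_LEN or off + length > len(data):
            break                                    # truncated tail: stop rather than misparse
        (_, major, _minor, file_ref, parent_ref, usn, ts, reason,
         _src, _sid, _attrs, name_len, name_off) = struct.unpack_from(HEADER, data, off)
        if major == 2:                               # V3/V4 records use 128-bit file IDs; not handled here
            records.append({
                "usn": usn,
                "entry": file_ref & 0xFFFFFFFFFFFF,          # low 48 bits = MFT entry, high 16 = sequence
                "parent_entry": parent_ref & 0xFFFFFFFFFFFF,
                "time": filetime_to_datetime(ts),
                "reasons": [n for bit, n in USN_REASONS.items() if reason & bit],
                "name": data[off + name_off:off + name_off + name_len].decode("utf-16-le"),
            })
        off += length
    return records

def entry_history(records, entry):
    """Everything the journal says about one MFT entry: names, first operation, renames, deletion."""
    hits = [r for r in records if r["entry"] == entry]
    return {
        "names": list(dict.fromkeys(r["name"] for r in hits)),
        "first_operation": hits[0]["reasons"][0] if hits else None,
        # Reason bits accumulate until the handle is closed, so one rename shows up in several
        # records; counting only the Close records gives exactly one hit per rename.
        "rename_count": sum(1 for r in hits if {"RenameNewName", "Close"} <= set(r["reasons"])),
        "deleted_at": next((r["time"] for r in hits if "FileDelete" in r["reasons"]), None),
    }

def build_sample_journal():
    """Constructed $J: a text file is created, renamed, extended and deleted (sample data, not a real extract)."""
    t0 = datetime(2025, 1, 15, 8, 2, 11, tzinfo=timezone.utc)
    t1, t2 = t0 + timedelta(seconds=40), t0 + timedelta(minutes=3)
    t3 = datetime(2025, 1, 15, 8, 10, 4, tzinfo=timezone.utc)
    events = [
        ("New Text Document.txt", 0x00000100, t0),  # FileCreate
        ("New Text Document.txt", 0x80000100, t0),  # FileCreate | Close
        ("New Text Document.txt", 0x00001000, t1),  # RenameOldName (record carries the old name)
        ("secret_code.txt",       0x00002000, t1),  # RenameNewName (record carries the new name)
        ("secret_code.txt",       0x80002000, t1),  # RenameNewName | Close
        ("secret_code.txt",       0x00000002, t2),  # DataExtend
        ("secret_code.txt",       0x80000002, t2),  # DataExtend | Close
        ("secret_code.txt",       0x80000200, t3),  # FileDelete | Close
    ]
    file_ref, parent_ref = (3 << 48) | 95071, (1 << 48) | 5   # entry 95071 seq 3; parent is the root (entry 5)
    blob = b"\x00" * 64                                        # purged region at the start of $J
    for name, reason, when in events:
        blob += build_usn_record(file_ref, parent_ref, len(blob), when, reason, name)  # USN == offset in $J
    return blob
```

Keying the history on the MFT entry number rather than on the file name is what lets the parser tie "New Text Document.txt" and "secret_code.txt" together: a rename produces one record with the old name and one with the new name, and only the entry number is constant across them.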
NTFS Forensics
Forensic analysts use specialized tools like FTK Imager, Autopsy, and Sleuth Kit to extract and analyze NTFS artifacts.
What Can Be Investigated?
✔️ Deleted Files Recovery: After deletion the MFT record is only flagged as free, so its metadata and resident data, and the clusters it pointed to, remain until they are reused.
✔️ File Modification History: The USN Journal logs every change made to a file.
✔️ Tracking Unauthorized Access: By analyzing file timestamps (creation, modification, last access); note that last-access updates are frequently disabled or throttled by NtfsDisableLastAccessUpdate, so the accessed time is often stale.
✔️ Hidden Data Detection: Attackers may use ADS (Alternate Data Streams) to store data inside a file without changing the size Explorer reports.
NTFS Timestamps: The Digital Fingerprints
Every file in NTFS carries two sets of four timestamps, one in the $STANDARD_INFORMATION attribute and one in the $FILE_NAME attribute. Timeline tools label them MACB:
MACB Timestamps: (Modified, Accessed, Changed, Birth)
- M (Modified) – Last time the file's content changed.
- A (Accessed) – Last time the file was read or opened (often not updated, because Windows throttles or disables last-access updates).
- C (Changed) – Last time the MFT entry (metadata such as names, permissions, or attributes) was modified.
- B (Birth) – The file's creation time.
💡 Cool Trick: Timestomping tools only rewrite the $STANDARD_INFORMATION times (that is all SetFileTime can reach); the $FILE_NAME copies are set by the kernel when the file is created, renamed, or moved. A $STANDARD_INFORMATION time earlier than its $FILE_NAME counterpart is a classic sign that an attacker has tampered with the file!
Analyzing NTFS with FTK Imager
🔹 Step 1: Open the Disk Image (using a tool such as FTK Imager)
🔹 Step 2: Extract Key NTFS Files ($MFT, $LogFile, $UsnJrnl:$J, and the $I30 index of any directory of interest)
🔹 Step 3: Analyze File Changes (parse the extracts into CSV and review them in Timeline Explorer)
🔹 Step 4: Recover Deleted Files (from unused MFT records, slack space, and unallocated space)
🔹 Step 5: Report Findings (documenting changes, deletions, and hidden files)
What is an Alternate Data Stream (ADS)?
🔹 Normally, when you save a file in NTFS, its content lives in one unnamed $DATA attribute (the default stream).
🔹 But NTFS allows additional named $DATA attributes to be attached to the same file; they do not change the size shown by Explorer or `dir`, although they do consume disk space and are listed by `dir /r`.
🔹 Such a named stream is called an Alternate Data Stream (ADS).
Think of it like: A book with invisible pages—the main text is normal, but hidden pages contain secret notes!
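As an added example (not code from the article or from the TryHackMe room), here is a small Python parser for raw $MFT records that does what an MFT parser does for the MFT, timestamp and ADS sections above: it undoes the update-sequence fixups, reads the $STANDARD_INFORMATION and $FILE_NAME timestamps, the in-use flag and the parent entry, lists every named $DATA attribute (each one an ADS), and compares the two timestamp sets for timestomping. The records it parses are constructed in the same script (the names, entry numbers, stream contents and times are invented), so it runs offline; point walk_mft at a $MFT exported with FTK Imager for real data.

```python
import struct
from datetime import datetime, timedelta, timezone

RECORD_SIZE, SECTOR_SIZE = 1024, 512
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x10, 0x30, 0x80, 0xFFFFFFFF
TIME_KEYS = ("created", "modified", "mft_modified", "accessed")   # order used in both attributes
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):   # FILETIME = 100-ns ticks since 1601-01-01 UTC
    return EPOCH_1601 + timedelta(microseconds=ft // 10)
def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def resident_attr(atype, content, name=""):
    """Pack a resident attribute: 24-byte header, optional UTF-16LE name, content, 8-byte aligned."""
    name_bytes = name.encode("utf-16-le")
    content_off = (0x18 + len(name_bytes) + 7) & ~7
    length = (content_off + len(content) + 7) & ~7
    buf = bytearray(length)
    struct.pack_into("<IIBBHHHIHBB", buf, 0, atype, length, 0, len(name), 0x18 if name else 0,
                     0, 0, len(content), content_off, 0, 0)
    buf[0x18:0x18 + len(name_bytes)] = name_bytes
    buf[content_off:content_off + len(content)] = content
    return bytes(buf)

def build_mft_record(entry, parent_entry, name, si_times, fn_times, in_use, streams):
    """Assemble one 1024-byte FILE record (sample data) and apply the update sequence fixups."""
    si = struct.pack("<QQQQIIIIIIQQ", *map(datetime_to_filetime, si_times), 0x20, 0, 0, 0, 0, 0, 0, 0)
    size = len(streams.get("", b""))
    fn = struct.pack("<QQQQQQQIIBB", (1 << 48) | parent_entry, *map(datetime_to_filetime, fn_times),
                     size, size, 0x20, 0, len(name), 3) + name.encode("utf-16-le")
    attrs = resident_attr(ATTR_STANDARD_INFORMATION, si) + resident_attr(ATTR_FILE_NAME, fn)
    for sname, content in streams.items():          # "" is the default stream; any other name is an ADS
        attrs += resident_attr(ATTR_DATA, content, sname)
    attrs += struct.pack("<II", ATTR_END, 0)
    usa_off, usa_count = 0x30, RECORD_SIZE // SECTOR_SIZE + 1   # USN word + one saved word per sector
    attr_off = (usa_off + 2 * usa_count + 7) & ~7
    rec = bytearray(RECORD_SIZE)
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", usa_off, usa_count, 0, 7, 1, attr_off,
                     1 if in_use else 0, attr_off + len(attrs), RECORD_SIZE, 0, 4, 0, entry)
    rec[attr_off:attr_off + len(attrs)] = attrs
    # Fixups: ntfs.sys overwrites the last two bytes of every sector with the USN and keeps
    # the originals in the update sequence array so that torn writes can be detected.
    rec[usa_off:usa_off + 2] = b"\x01\x00"
    for i in range(RECORD_SIZE // SECTOR_SIZE):
        end = (i + 1) * SECTOR_SIZE
        rec[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = b"\x01\x00"
    return bytes(rec)

def parse_mft_record(raw):
    """Undo the fixups, walk the attributes and return the fields an analyst looks at first."""
    rec = bytearray(raw)
    if rec[:4] != b"FILE":            # zeroed slot, or "BAAD" when chkdsk found a broken record
        return None
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR_SIZE
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn write or corrupt record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    seq, _links, off, flags = struct.unpack_from("<HHHH", rec, 0x10)
    info = {"entry": struct.unpack_from("<I", rec, 0x2C)[0], "seq": seq,
            "in_use": bool(flags & 1), "is_dir": bool(flags & 2), "ads": []}
    while off + 16 <= RECORD_SIZE:
        atype, alen, nonres, name_len, name_off = struct.unpack_from("<IIBBH", rec, off)
        if atype == ATTR_END or alen < 16:
            break
        name = rec[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        body = b""                    # non-resident content lives in clusters (data runs not parsed here)
        if not nonres:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = bytes(rec[off + coff:off + coff + clen])
        if atype == ATTR_STANDARD_INFORMATION:
            info["si"] = dict(zip(TIME_KEYS, map(filetime_to_datetime, struct.unpack_from("<QQQQ", body))))
        elif atype == ATTR_FILE_NAME and body[65] != 2:   # skip the DOS 8.3 name if present
            info["fn"] = dict(zip(TIME_KEYS, map(filetime_to_datetime, struct.unpack_from("<QQQQ", body, 8))))
            info["parent_entry"] = struct.unpack_from("<Q", body)[0] & 0xFFFFFFFFFFFF   # low 48 bits
            info["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
        elif atype == ATTR_DATA and name:                 # named $DATA attribute = Alternate Data Stream
            info["ads"].append((name, None if nonres else len(body)))
        off += alen
    return info

def timestomp_suspects(info):
    """$SI earlier than $FN is a classic tell: SetFileTime() only rewrites $STANDARD_INFORMATION."""
    return [k for k in ("created", "modified") if info["si"][k] < info["fn"][k]]

def build_sample_mft():
    """Constructed records: a live file with a stomped creation time and two ADS, plus a deleted file."""
    t_fn = datetime(2025, 1, 15, 8, 2, 11, tzinfo=timezone.utc)
    t_mod, stomped = t_fn + timedelta(minutes=3), datetime(2019, 3, 3, tzinfo=timezone.utc)
    live = build_mft_record(41, 38, "notes.txt", (stomped, t_mod, t_mod, t_mod), (t_fn,) * 4, True,
                            {"": b"meeting notes", "Zone.Identifier": b"[ZoneTransfer]\r\nZoneId=3\r\n",
                             "payload": b"MZ\x90\x00"})
    gone = build_mft_record(42, 38, "scratch.tmp", (t_fn,) * 4, (t_fn,) * 4, False, {"": b"tmp"})
    return live + gone

def walk_mft(blob):   # parse every 1024-byte slot of a raw $MFT extract, skipping empty ones
    return [r for r in (parse_mft_record(blob[o:o + RECORD_SIZE]) for o in range(0, len(blob), RECORD_SIZE)) if r]
```

The fixup step is the part most home-grown parsers skip: without it, any attribute that straddles a 512-byte boundary has two bytes replaced by the update sequence number, which silently corrupts timestamps and names. The in-use flag is what a tool's "In Use" column reports, and the named $DATA list is exactly where an ADS such as Zone.Identifier (or something less benign) shows up.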
Using Forensic Tools for Investigation
An MFT parser plus Timeline Explorer to view detailed file history.
Filtering techniques to identify renamed, deleted, or modified files.
Tracking deleted files & using slack space for data recovery.
Examining the $I30 directory index to analyze directory structures and spot entries for files that no longer exist.
Data Recovery Techniques
Using FTK Imager to recover deleted files.
Exporting unallocated space for deeper forensic analysis.
Using Scalpel to carve lost files out of the exported unallocated space by header and footer signatures.
Recovering Deleted Files & Examining Slack Space
- Deleted files are often recoverable as long as their MFT record and the clusters it points to have not been reused.
- Forensic tools also examine slack space (the unused tail of a file's last cluster), which may contain remnants of files that previously occupied it.
- NTFS keeps the MFT record after deletion, only clearing its in-use flag, so the metadata (and any resident content) can be recovered while the record is intact.
Analysts use tools to extract and analyze NTFS components like:
- Directory index ($I30) – Lists every name in a directory with its MFT reference and timestamps; entries for deleted or moved files often survive in index slack.
- Master File Table export – Parsing the exported $MFT recovers the metadata of deleted files whose records have not been reused.
Investigators identify files marked as deleted, moved, or renamed and attempt restoration.
Examining Unallocated Space for Hidden Data
- Unallocated Space may contain deleted files that forensic tools can carve out.
- Tools like Scalpel are used for deep analysis of unallocated storage areas.
- Investigators export the unallocated space as a separate image file for further examination.
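An added example (not from the article and not Scalpel's own code) showing what header/footer carving over an exported unallocated-space image actually does, including the failure mode a practitioner hits most often: a header whose footer is missing because the file was truncated or fragmented. The image is constructed in the script: a real 1x1 PNG generated from scratch, a JPEG stub, and a deliberately truncated PDF, all invented sample data.

```python
import struct
import zlib

# Header/footer pairs of the kind a Scalpel or Foremost config carries. The footer search is
# bounded by max_size because a JPEG's 0xFFD9 marker can also occur inside unrelated data.
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

def carve(blob, max_size=10 * 1024 * 1024):
    """Header/footer carving over raw unallocated space; no file system metadata is used.

    Returns (kind, offset, data) for every hit. A header with no footer in range (truncated
    or fragmented file) is reported with data=None so it can be triaged by hand.
    """
    found = []
    for kind, (header, footer) in SIGNATURES.items():
        start = blob.find(header)
        while start != -1:
            end = blob.find(footer, start + len(header), start + max_size)
            if end == -1:
                found.append((kind, start, None))
                start = blob.find(header, start + 1)
            else:
                end += len(footer)
                found.append((kind, start, blob[start:end]))
                start = blob.find(header, end)      # do not re-match headers inside the carved file
    return sorted(found, key=lambda hit: hit[1])

def build_png():
    """A valid 1x1 transparent PNG built from scratch (each chunk = length, type, data, CRC32)."""
    def chunk(ctype, data):
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 6, 0, 0, 0)        # 1x1 pixels, 8-bit RGBA
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00\x00")        # filter byte + one RGBA pixel
    return SIGNATURES["png"][0] + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")

def build_sample_unallocated():
    """Constructed unallocated-space image: zeros, a deleted PNG, a JPEG stub, and a PDF cut off mid-file."""
    jpeg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x55" * 200 + b"\xff\xd9"
    pdf_head = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"   # no %%EOF: truncated
    return (b"\x00" * 4096 + build_png() + b"\x00" * 1024 + b"old log line\n" * 20
            + jpeg + b"\x00" * 512 + pdf_head + b"\x00" * 2048)
```

Carving finds the PNG and the JPEG purely from their signatures, which is why it still works when the MFT is damaged, and it reports the PDF header with no data because no %%EOF follows it within the size limit; that is the same reason Scalpel needs a maximum size per file type and cannot reassemble fragmented files on its own.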
💡 Interesting Facts & Insights:
- The MFT is crucial for forensic investigations: if it is corrupted, metadata-based recovery fails and you are left with carving file content out of unallocated space.
- Even deleted files leave traces in the slack space, USN journal, and index allocation table.
- ADS (Alternate Data Streams) can be used to hide malicious data inside files.
- Installed programs show up in MFT records: in the room, the network sniffer Wireshark was found under \Program Files\.
- Attackers use anti-forensic disk wipers (DiskWipe.exe in the room) to erase their traces, yet the MFT record still shows that the tool existed, even after it was deleted.
TryHackMe NTFS Analysis | Room Answers
Which feature does NTFS use to keep track of the changes within the file system?
journaling
Double-click on the $UsnJrnl file in the $Extend folder; what is the first evidence file you find?
$J
Which column indicates that the file is no longer present on the disk?
In Use
Examine the MFT record; what is the network sniffer installed on this system in the \Program Files\ directory?
wireshark
An anti-forensics tool responsible for wiping out an attacker’s traces was installed in the \Downloads\Tools folder. What is the name of the tool?
DiskWipe.exe
According to the MFT record, is the anti-forensics tool currently present on the disk? (yay or nay)
nay
Examining the MFT record, it seems there is a record of a flag.txt file. What is the parent path of the file?
.\tmp\secret_directory
What is the content of the flag.txt file?
WelDone_You_F0und_M3
What is the file name associated with the MFT entry number “584574”?
SharpHound.ps1
What is the text file name associated with entry number 95071 before renaming it?
New Text Document.txt
According to the record, what is the first operation performed on the file in the question above?
FileCreate
According to the record in $J, what is the count of the rename operation found against secret_code.txt?
2
According to the record, when was the secret_code.txt file deleted?
2025-01-15 08:10:04
How many deleted files or folders are present in the $I30 attribute file that was extracted in this task?
52
What is the parent MFT entry of the nmap directory?
512386