In course 9, we're covering the NTFS file system. And in this module, module 3, we're going to be talking about the master file table. The master file table is considered the heart of the NTFS file system. It stores information needed by the system to retrieve files and folders. Every file and every directory will have at least one entry in the master file table, and this includes the master file table itself. Files can have more than one entry. Each file entry tracks the allocation status of the file: is it allocated and in use, or unallocated and considered available to be reused by the file system? It will show the file dates and times, it'll show the file names, and it will show the location of the content. And that content will either be resident in the master file table itself, or somewhere out on the drive. Our file dates and times would be things like created, accessed, modified, and record change time. Record change means there's a change to the master file table record itself.

Now the master file table is a collection of individual file records. Every file is going to have a record in the master file table. These records are sequentially numbered, starting with zero. We talked about that a little bit in our last module, how the first 26 records were those system files. The record length is usually 1024 bytes. New records are created on a first-available basis. If a record is marked as not being in use, unallocated, it will be reused, so they do get overwritten fairly quickly. Now the file record itself has a header, and it begins with the ASCII word FILE. This is called the file record header, and it contains information about that specific file record. The file record itself is made up of things we call attributes. Each of these attributes contains a certain type of information about the file record, and we're going to see that when we look at them.
And each record ends with a footer of hexadecimal FF FF FF FF, and that's how we know we're at the end of the file record. This is an example of what a master file table file record will look like in our hex editor. We can see right at the top we have that word FILE, with the offset key to the right. We will always see that, and it starts at offset zero of the file record. Then we can see, down at offset 10 for a value of 2 bytes, the sequence number. The sequence number tells us how many times the file record has been used, and it increments; in other words, it goes up by one every time the file is deleted. So it increments on deletion, not allocation. And then we have our allocation status flag outlined here in orange, and we can see the value is 01 00, and that would be read little-endian. All these values are read little-endian, so that would be 0001, and that tells us it's been used one time. So this is the first time that this file record has been used.

Next we see our attributes. The first attribute, highlighted in pink, starts with a hexadecimal 10. This is called a standard information attribute, and we're going to learn how we read this. We go down, and we see our next attribute, highlighted in green, starts with a hexadecimal 30. This would be a file name attribute, so this will tell us the name of the file. Then our next attribute, highlighted in yellow, starts with a hexadecimal 80. This is a data attribute, and this is going to either contain the data for the file, or it'll tell us where the data is located out on the disk. Our next attribute, down at the bottom highlighted in purple, starts with a hexadecimal B0, and that is a bitmap attribute. And then we can see the end-of-file marker highlighted in gray as FF FF FF FF. So this is what our master file table record will look like when we view it in our hex editor. Now these are some of the values we're going to find in our file record header, beginning at offset 00.
We're going to see that signature, the ASCII word FILE. If there was a problem with it, we would see the word BAAD, which means it's bad, it's corrupt in some way. But normally you'll see the word FILE. We're also going to see, highlighted in blue here at offset 10, the sequence count which we looked at, and that is a count of the times the record has been deleted. Remember, it increments on deletion. And then down at offset 16, highlighted in green on our chart, we're going to see the allocation status flags. If we see an allocation status flag at offset 16 of 00, that indicates a deleted file. If we see a hexadecimal value of 01, that indicates an allocated file. If we see a hexadecimal value of 02, that indicates a deleted directory. And hexadecimal 03 would indicate an allocated directory. As you can see, there is a lot of information in the file record header; the fields that are highlighted here in the chart are the ones that we are going to talk about throughout this course.

The file record attributes: the attributes are the things that make up the file record. We saw that attribute that started with the hexadecimal 10, and I told you that was a standard information attribute. That's going to contain our file permissions, and it's going to contain all our date and time stamps: created, accessed, modified and record changed. This will always be a resident attribute. What that means is the information in this attribute will always be contained within the master file table itself. This data will not be somewhere out on the drive; it will be in the master file table. We looked at the attribute that began with the hexadecimal 30, and I said that was the file name attribute. This is going to contain the name of the file, and it will also have dates and times in it. But those dates and times relate to the file name, not the file. If you were to rename the file, there would be a change in the dates and times in the file name attribute.
And this again is always resident, meaning it will always be located within the master file table. And then we talked about the attribute hexadecimal 80. This is going to be our data attribute, and it's either going to contain the actual file data right there in the master file table, if it's a small file, or it will have pointers to the file's data, where we can find the data within the file system.

We're going to take a look at a master file table entry for this walkthrough. We're going to need Active Disk Editor and our NTFS VHD. The first thing we need to do on our walkthrough is attach our VHD. So we're going to go to Disk Management, and go to Action, Attach VHD. We're going to browse to the location where our VHD is saved, and we're looking for the NTFS VHD; mine is on my desktop. We're going to select it and click Open, and once we do that we're going to hit OK, and the virtual drive will mount. Once we've done that, note the disk number; the volume we're going to be looking at is the second one, the NTFS volume. The first volume on the drive is FAT32. The next volume in will be NTFS, 200 megabytes in size; that's the volume. Make note of the drive letter; mine is B, yours may be different. Next we're going to go ahead and launch Active Disk Editor. Once it launches, we're going to select Open Disk. In the bar up top, we're going to select Volumes, because we're going to be looking at a volume. We're going to select the NTFS volume; my drive letter was B, yours may have been different. And we're going to click Open. Now when it opens up, it immediately takes us to the volume boot record, which we talked about in the last module. But what I want you to do is, at the top here just under Edit, you're going to see Browse File Records; select that. When we do that, we can see a list of the file records that are on the volume. And we see we have MFT, MFT mirror, Bitmap, BadClus, and so on.
These are all our system files here in red; all the red ones are those metadata system files we talked about at the beginning of this course. We're going to select resident.txt; this is a user-created file. So we select resident.txt, and now we're taking a look at the file record for that particular file. We can see it starts with the ASCII FILE in the header, and you can see the sequence number is 02. It does have a link count, and we can see that the flags are 01. If we go ahead to the left-hand pane and expand Flags, it tells us that it is in use and it's not a directory. So this would mean it's an allocated file, so 01 is an allocated file, and its sequence number is two.

As we look down, we start to see the attributes. The first attribute is hexadecimal 10 00 00 00; this tells us the type of attribute. This is the standard information attribute, the attribute that's going to have all our file times in it: created, accessed, and modified. Even the attributes themselves have headers; this is the attribute header. It'll tell you the attribute type and the length of the attribute including the header. It'll tell you the length of just the attribute without the header. It will tell you the offset to the data from the beginning of the attribute header. We can see it says 18, so we'd go down one line and over eight, which would take us right to here. This is the attribute itself, and inside the attribute is where we're going to find our dates and times. This is our file created time, and again, this is translated as a Windows FILETIME. We can see the date is August 15th, 2020. We can see our file modified time, our record change time, and our last accessed time. For this particular file, these are all the same. We see file permissions, and these again are going to be flags. So we look at our file permissions over on the left-hand side, we can expand that, and we can see the flags that are set.
You can see there are quite a few flags in NTFS; we have a lot of file permissions, and we have our archive flag and a security ID. The security ID here is 273. So the information we get from the standard information attribute is our file times, our file permissions, which in this case tell us it is an archive file, and our security ID.

Moving down to the next attribute, hexadecimal 30: this is our file name attribute, and this is going to contain the name of the file. It will also contain times; these times are relevant to the file name only, not the actual contents of the file. And again, the attribute header is going to tell us the same information. We're going to have the type of attribute, the length of the attribute including the header, and the length not including the header. And then you will have the offset to the content, which again is almost always going to be 18. So down one line and over eight takes us right to the content of the attribute. This does tell us where the parent directory of this file is, that is, what record number the parent directory of this file is, and it would be MFT record number five that is the parent of this particular file. Again, we have created, modified, record changed and last accessed. These dates and times, like I said, are relevant to the file name. If we change the file name, we'll see a change in these dates and times. And then we actually have the file name itself, and we can see the file name is resident.txt; this is the resident file. This is an example of a file whose data is contained within the master file table. If the data was somewhere else, and the file is too big to fit in the master file table, we would see something called a run list.
And we're going to talk about run lists in the next module. If we scroll down, we can see the data. This is a file that is resident, and this is the first user-created file, so you might assume this is the first time this record has been used. But we know it's not, because we saw 02, which indicates that the record has been used, deleted, and reused. That would be a look at an MFT file record. Again, we have the header, the record header, and then the attributes that make up the file. There is one more attribute in here; it's an attribute with hexadecimal 40. This would be an object ID, and an object identifier is just going to tell you a GUID, a globally unique identifier, for this particular file, and that's the GUID right here. This GUID uniquely identifies this particular file, and those attributes are hexadecimal 40. If you see those, you will have a globally unique identifier for that particular file, which may be useful if you are searching for the file across the volume. I just wanted to point that out; it is not one of the attributes that we're concentrating on, but it is a good attribute to know about. This is the master file table file record, and that was the record for that one file. In this particular case it's a small file and the data is resident, meaning within the master file table record itself. In our next module, we're going to talk about data runs, and how we interpret them and locate the data out on the disk when it's not a resident file.
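To tie together the record header, the allocation flags and the three resident attributes we read in the hex editor, here is an added Python example that is not part of the course material. It builds a constructed 1024-byte MFT record modelled on resident.txt (every value in it is made up, including record number 64, the 2020-08-15 timestamps, security ID 273 and the file content) and then parses it back field by field the way the walkthrough does: signature, sequence number, flags at offset 16, then the attribute headers with their offset-to-content of 18. It goes one step beyond the lecture by handling the update sequence array (fixups): NTFS overwrites the last two bytes of each 512-byte sector of a record with an update sequence number and stashes the originals in the header, so a parser that skips that step misreads any attribute crossing byte 510 of the record.

```python
import struct
from datetime import datetime, timedelta, timezone

# Allocation status flags at record offset 0x16, as listed in the lecture.
FLAGS = {0x00: "deleted file", 0x01: "allocated file",
         0x02: "deleted directory", 0x03: "allocated directory"}
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME",
              0x40: "$OBJECT_ID", 0x80: "$DATA", 0xB0: "$BITMAP"}
END_MARKER = 0xFFFFFFFF
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Windows FILETIME is 100-nanosecond ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    d = dt - EPOCH_1601  # integer arithmetic; float seconds would lose ticks
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def resident_attr(atype, content, attr_id):
    """Resident attribute: 24-byte header, content at offset 0x18, length rounded up to 8."""
    total = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, 0, 0x18, 0, attr_id,
                      len(content), 0x18, 0, 0)
    return hdr + content + b"\0" * (total - 0x18 - len(content))

def build_sample_record():
    """Constructed 1024-byte record modelled on the lecture's resident.txt (all values made up)."""
    t = datetime_to_filetime(datetime(2020, 8, 15, 12, 0, tzinfo=timezone.utc))
    # $STANDARD_INFORMATION: 4 timestamps, DOS flags (0x20 = archive), ..., security ID 273
    std_info = struct.pack("<QQQQIIIIIIQQ", t, t, t, t, 0x20, 0, 0, 0, 0, 273, 0, 0)
    name = "resident.txt".encode("utf-16-le")
    # $FILE_NAME: parent reference (record 5 = root, sequence 5), 4 timestamps, sizes,
    # flags, reparse tag, name length in characters, namespace, then the UTF-16LE name
    file_name = struct.pack("<QQQQQQQIIBB", (5 << 48) | 5, t, t, t, t, 0, 19, 0x20, 0,
                            len(name) // 2, 3) + name
    attrs = (resident_attr(0x10, std_info, 0) + resident_attr(0x30, file_name, 1)
             + resident_attr(0x80, b"small resident file", 2) + struct.pack("<I", END_MARKER))
    usn, usa_off = 0x0007, 0x30
    first_attr = usa_off + 2 + 2 * 2  # USN plus one fixup word per 512-byte sector
    # Header: signature, USA offset/count, LSN, sequence 2, link count 1, first attribute
    # offset, flags 0x01 (allocated file), used size, allocated size, base ref, next id, ...
    header = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", usa_off, 3, 0, 2, 1, first_attr,
                         0x01, first_attr + len(attrs), 1024, 0, 3, 0, 64)
    rec = bytearray(header + b"\0" * (first_attr - usa_off) + attrs)
    rec += b"\0" * (1024 - len(rec))
    # Fixups as NTFS writes them: stash the last two bytes of each sector in the update
    # sequence array and overwrite them with the USN.
    rec[usa_off:usa_off + 6] = struct.pack("<H", usn) + rec[510:512] + rec[1022:1024]
    rec[510:512] = rec[1022:1024] = struct.pack("<H", usn)
    return bytes(rec)

def undo_fixups(record):
    """Put the stashed sector-end bytes back; a mismatch means a torn or corrupt record."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        if rec[i * 512 - 2:i * 512] != usn:
            raise ValueError("fixup mismatch")
        rec[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def decode_content(atype, content):
    """Pull out the fields the lecture reads from each resident attribute."""
    if atype == 0x10:
        c, m, r, a, perms = struct.unpack_from("<QQQQI", content, 0)
        return {"created": filetime_to_datetime(c), "modified": filetime_to_datetime(m),
                "record_changed": filetime_to_datetime(r), "accessed": filetime_to_datetime(a),
                "archive": bool(perms & 0x20),
                "security_id": struct.unpack_from("<I", content, 0x34)[0]}
    if atype == 0x30:
        parent = struct.unpack_from("<Q", content, 0)[0]
        return {"parent_record": parent & 0xFFFFFFFFFFFF, "parent_sequence": parent >> 48,
                "file_name": content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le")}
    if atype == 0x80:
        return {"data": bytes(content)}
    return {}

def parse_record(record):
    """Parse the record header and walk the attributes up to the FF FF FF FF end marker."""
    if record[:4] != b"FILE":
        raise ValueError(f"bad signature {record[:4]!r} (BAAD marks a corrupt record)")
    rec = undo_fixups(record)
    seq, links, pos, flags = struct.unpack_from("<HHHH", rec, 0x10)
    out = {"sequence": seq, "link_count": links, "flags": flags,
           "status": FLAGS.get(flags, "unknown"), "attributes": []}
    while pos + 8 <= len(rec):
        atype, length = struct.unpack_from("<II", rec, pos)
        if atype == END_MARKER:
            break
        if length < 0x18 or pos + length > len(rec):
            raise ValueError("attribute length runs past the record")
        attr = {"type": atype, "name": ATTR_NAMES.get(atype, "other"), "resident": rec[pos + 8] == 0}
        if attr["resident"]:
            clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            attr.update(decode_content(atype, rec[pos + coff:pos + coff + clen]))
        out["attributes"].append(attr)
        pos += length
    return out

if __name__ == "__main__":
    for key, value in parse_record(build_sample_record()).items():
        print(key, value)
```

Running the script prints the parsed header (sequence 2, flags 01 reported as an allocated file) and the three attributes with their decoded timestamps, parent record 5, the name resident.txt and the resident data. Feeding `parse_record` 1024 bytes read from a real $MFT works the same way for resident attributes; a non-resident $DATA attribute is only flagged as non-resident here, since its run list is the subject of the next module.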