What is Master File Table (MFT)? (Explained)

By
Taylor
-
4
56
What is Master File Table (MFT)

What is Master File Table (MFT)?

The Master File Table, or MFT, refers to the location of the contents of a volume that the New Technology File System (NTFS) keeps track of.

In simple words, MFT is a distinct system file. It is chiefly a database at the heart of the NTFS structure.

Technically, MFT signifies the index of the files stored on a hard drive on an NTFS volume, which denotes the list of attributes of the files along with the pointers to the different file fragments. It is a collection of records.

KEY TAKEAWAYS

  • A Master File Table is a special type of database containing at least one record of the information about each of the files and directories stored on an NTFS logical volume.
  • The information or attributes of the files and directories stored in the MFT tell the operating system how it should handle the directory of the file related to that particular record.
  • The MFT is usually found at the beginning of the volume as an index that contains different attributes of a file and all active or live data stored on the disk. It is for this reason that it exists in the live sector of the drive.
  • The MFT can be corrupted and there are several reasons for it, from virus attacks to system or application malfunction. However, it is quite easy to fix a corrupted MFT by using the Systems Recovery option.
  • Fragmentation can be a common event in an MFT volume due to the continual use and growth of it. So, it is recommended to defragment the volume by keeping enough free space at the beginning of the MFT zone.

Understanding Master File Table

What is Master File Table (MFT)

The Master File Table is actually a file, but is a special type of system file which is at the core of the Microsoft Windows NTFS.

You can call it a database, being a collection of records that consist of all the information related to the files as well as the subdirectories that are stored within the NTFS partition or logical volume.

In this list, at least one attribute of every file and subdirectory stored on the NTFS logical partition is recorded.

Each of these records is 1024 bytes long and contains information that tells the file system how exactly it should handle a file or directory related to that specific record.

Sometimes, an MFT may also contain the data of the actual file apart from all of the system data related to that file.

This makes it pretty unique. The data contained in an MFT is referred to as resident data, which, if leaked, may cause potential security issues for the computer system.

Another interesting fact about MFT is that there is no file slack linked with the file whose data is held inside it.

The main reason behind this is that, by definition, this is the specific area from the termination point of the file to the end of the last cluster related to the file. The data, in this case, exists in the MFT file and not in the cluster.

However, there still can be MFT slack, but it is completely different in nature.

It occurs when all of the 1024 bytes of the MFT entry are not utilized. In this case, there may be some information about the preceding files contained in the records. This is called the MFT slack.

It is very important to know about the existence of MFT slack for the computer security experts and investigators.

This is because when a computer forensics utility captures file slack, it will not capture MFT slack.

The MFT grows and is used continually because every time you add new files to the NTFS volume, these are recorded on the MFT, and when you delete them, the MFT entries are reused.

However, this does not mean that the space assigned for these entries is reassigned or that the size of the MFT is reduced.

Read Also:  Why is an SSD Necessary in a Gaming PC?

This is because, characteristically, NTFS sets aside space for the MFT, called the MFT Zone Space, so that it is made as contiguous as possible while it grows.

MFT Volume Defragmentation

No matter what, fragmentation of MFT cannot be avoided in any case. It happens when the MFT zone of the hard disk, whether reserved or unreserved, is allocated completely for the user files and directories.

And the space for the fresh MFT entries will be assigned from the unreserved space when the MFT zone is exhausted.

Therefore, it is important to defragment the MFT volume.

The best way is to keep as much space as possible reserved at the start of the MFT zone before defragmenting it.

This will reduce the chances of the MFT zone being fully assigned before the defragmentation process is complete.

Apart from that, you must also keep some space free outside of the MFT zone.

This will be useful if the MFT zone is allocated fully before the completion of the defragmentation process.

MFT Corruption

The MFT can be corrupted sometimes, which will leave the files contained in the NTFS inaccessible, and display error messages such as ‘The parameter is incorrect’ or ‘The file or directory is corrupted and unreadable,’ when you try to access the hard drive.

Some of the common reasons for the MFT to get corrupted are:

  • Sudden system malfunction or crash
  • Blue Screen of Death
  • Virus attack
  • Malware damage
  • Application malfunction
  • A lot of bad sectors existing on the drive
  • Inappropriate removal of external disks

There is nothing to worry about with such a corrupted disk because it can be easily fixed, as is explained in the later section of the article.

Master File Table Contents

The Master File Table contains records of information about the files and directories stored on the New Technology File System in a logical volume.

Ideally, the MFT contains the location of the files in the directory, their respective physical locations on the drive, along with the metadata of the file.

Typically, the different attributes of the files and directories stored in the metadata include the following:

  • The type of the file
  • The logical and physical size of the file
  • The date and time of creating the file
  • The date and time of any recent modification made to the file
  • The access dates
  • The dates when it was last written
  • The Access Control Lists (ACLs) of the files
  • The security access or permissions for the file
  • The author of the file

Sometimes, these records may be stored outside the MFT but they are still defined as MFT entries.

All of these contents of a MFT are important to retrieve the files and folders, which is why it is called the heart of the NT File System.

Master File Table Structure

The Master File Table structure sets aside a specific amount of space to keep a record of the attributes of each file stored on the hard disk.

It can contain all the information of a small file or directory measuring 512 bytes or less, including the standard information of the file or directory, the names, data or index, security descriptor and more.

The structure of the MFT allows easier and faster access to the files since it contains an index of the file in the default reserved zone.

This reserved zone is calculated by the system when the volume is mounted depending on its size, called the MFT zone.

This zone can be increased by using the registry entry but it cannot be reduced below what is premeditated by the system.

However, when you increase the MFT zone, it will not reduce the disk space to store data files.

You can find out the current size of the MFT zone by analyzing the file system drive using the Disk Defragmenter and then clicking on the View Report button.

This will display the statistics of the drive including the size as well as the number of fragments.

Alternatively, you can find out the size of the MFT zone by using a specific control code: FSCTL_GET_NTFS_VOLUME_DATA.

Typically, the MFT structure includes the following:

  • STANDARD_INFORMATION
  • FILE_NAME
  • FILE_RECORD_SEGMENT_HEADER
  • ATTRIBUTE_LIST_ENTRY
  • ATTRIBUTE_RECORD_HEADER
  • MFT_SEGMENT_REFERENCE
  • MULTI_SECTOR_HEADER
Read Also:  What is Disk Access Time? Formula, Example & More

Ideally, the first sixteen records are stored in this area of the table, where the first record describes the MFT itself and a MFT mirror record follows it, in which the first record is the same as the first record of the original Master File Table.

This means that, when the first MFT record gets corrupted and is not readable, the NTFS will read the second one to find the mirror file of it.

The boot sector typically holds the positions of the data sectors for both the original MFT as well as the MFT mirror file.

The directory records are stored on the MFT just as the file records are, but they contain index information instead of data.

The MFT structure is however big enough to hold small directory records in it. As for the larger ones, these are typically arranged into B-trees.

They contain the records with pointers to the external clusters that contain the directory entries that do not reside within the MFT structure.

Master File Table Attributes

There may be one or more MFT records in a file, and each may contain one or more attributes. In the New Technology File System, the MFT segment reference is basically the file reference of the base file record.

The detail information of this attribute is available in the MFT_SEGMENT_REFERENCE.

Ideally, the file record segments are contained in an MFT, out of which sixteen are set aside for special files. These can be the following:

  • 0: MFT ($Mft)
  • 5: root directory (\)
  • 6: volume cluster allocation file ($Bitmap)
  • 8: bad-cluster file ($BadClus)

There is a file record segment header at the beginning of every file segment and the information about its attributes is available in FILE_RECORD_SEGMENT_HEADER.

One or more attributes follow the record segment of each file and each of these attributes contains an attribute record header at the beginning. The information about this attribute is available in ATTRIBUTE_RECORD_HEADER, which includes:

  • $DATA
  • $BITMAP
  • The value of the attribute
  • An optional name

The data stream of the user is also an attribute of MFT just like all other streams.

The attribute list is typically concluded with 0xFFFFFFFF ($END).

Here are a few examples of MFT attributes summarized for your easy understanding.

  • The unnamed $DATA attribute in the $Mft file, which represents the sequence in order of the MFT record segments.
  • The unnamed $BITMAP attribute in the $Mft file, which represents which specific MFT records are being used.
  • The unnamed $DATA attribute in the $Bitmap file, which indicates the clusters in use.
  • The $DATA attribute, called $BAD, in the $BadClus file, which holds the entries corresponding to every bad cluster.

Further file record segments are interleaved in the base or file record segment and assigned when there is no more space left to store the attributes in it. This is called the attribute list.

This particular list specifies the locations where each of the attributes related to a particular file is to be found. It also contains all of the attributes in the first file record, excluding the attribute list itself. All the information about it is available in the ATTRIBUTE_LIST_ENTRY.

Master File Table in Forensics

Master File Table forensics include understanding and analyzing the different attributes and characteristic features of the MFT entries.

One important aspect for computer forensics investigators is that an MFT can be expanded but its size cannot be reduced, as said earlier. This is because it helps a lot in identifying the deleted files and in data recovery.

The MFT entry is marked as ready when a file is deleted and it can be reused. This entry typically continues to exist until it is overwritten by a new file.

Ideally, a new file created on the hard drive is overwritten on the next MFT entry available. The MFT starts to increase when there are no new spaces left to overwrite the spare entries.

During MFT forensic analysis, several possibilities are considered, which are created due to the fact that the file data is different from the MFT entry. Some of the possibilities created during deletion and successive use of the hard drive are as follows:

  • The file is deleted but can be fully recovered.
  • The file is deleted and can be partially recovered.
  • The file is deleted and the data is completely overwritten and cannot be recovered.
  • The file is deleted and lost completely but the file data and the MFT entry can be fully recovered.
  • The file is deleted but the file data is not overwritten completely but the MFT is.
Read Also:  What is Disk Platter? (Explained)

Apart from the above, there can be a lot of other permutations or situations where the MFT entry may not be overwritten completely. This will leave MFT file slack.

How to Read a Master File Table?

When you want to view a Master File Table, you will need to first open it and use the right commands.

The FAT will read it to ensure that the table exists and will then retrieve the file you want to read by probing through the series of allocation units that are assigned to that particular file.

In order to view or read the complete list of the MFT contents, you will have to follow these steps:

  • Open a folder with at least one file or a subfolder.
  • Click on View.
  • Select Choose Details.
  • Check or uncheck the boxes on the left column of the pop-up window.

In order to read the file, you will need to follow these steps:

  • Open volume handle: FILE_READ_DATA
  • Use the query: NTFS_VOLUME_DATA_BUFFER along with the control code FSCTL_GET_NTFS_VOLUME_DATA

This will show you different information about a file as follows:

  • The size of one specific MFT record as BytesPerFileRecordSegment
  • The total size of MFT as MftValidDataLength

With these two values, you can find the maximum record count by dividing the MftValidDataLength.QuadPart value by the BytesPerFileRecordSegment value.

You can read a single record in the right way if it is synchronized with NTFS by using FSCTL_GET_NTFS_FILE_RECORD.

If you want to see multiple records at the same time, you can do so by reading them directly from the volume. Here you will have the start MFT and Logical Cluster Number (LCN) as MftStartLcn.

However, the MFT can have a number of non-continuous fragments. Therefore, it is better to use FSCTL_GET_RETRIEVAL_POINTERS if you want to know about the locations of all the fragments.

And if you want to convert LCN to volume offset you will need to multiply it with the BytesPerCluster.

How to Fix a Corrupt Master File Table?

To repair a corrupt Master File Table, you can use the built-in CheckDisk utility program or the FixMbr command.

To use the CHKDSK utility, the steps are:

  • Right-click on the hard drive with the corrupt MFT
  • Select Properties
  • Click on Tools
  • Select Check
  • Choose Scan drive

To use the FixMbr command, the steps to follow are:

  • Enter System Recovery option screen
  • Attach a bootable USB drive to the computer
  • Restart computer pressing F2 or F8 continuously to enter the BIOS setup
  • Go to Startup or Boot column
  • Set the computer to boot from new drive
  • Save the changes
  • Restart the computer
  • Follow the onscreen instructions
  • Select Repair your computer
  • Select Command Prompt
  • Type bootrec.exe command prompt window
  • Press Enter

Where is the Master File Table?

Typically, the Master File Table is found at the beginning of the logical volume.

Since the table contains an index of the live or active data stored on the hard drive, it is also considered to be residing in the live clusters of the hard drive.

What is the Linux Equivalent of the Windows Master File Table?

The closest equivalent in Linux of the Windows Master File Table is the inode or index node. This is a data structure or a Unix-style file system describing the different objects of a file or a directory.

It stores the data block location on the disk and other attributes such as metadata, permission data, and ownership.

Conclusion

So, coming to the end of this article, you now not only know the definition of a Master File Table but also its structure, how to read it, and even how to fix it in case it becomes corrupted.

The article will also be helpful for you in case you want to increase the size of the MFT zone within the drive for your file system.

About Taylor

AvatarTaylor S. Irwin is a freelance technology writer with in-depth knowledge about computers. She has an understanding of hardware and technology gained through over 10 years of experience.

View all posts by Taylor

Related Posts:

4 Comments
Oldest
Newest
Inline Feedbacks
View all comments