Operator On The Wire
Join
← Back to Knowledge Base
BLUE TEAM / DFI / ARTEFACT / WINDOWS / FILE SYSTEM

MFT

Master File Table

MFT Resident Files

(usually small files, under 800 bytes)

  • Every entry is 1024 bytes

  • Entry Number x 0x400 = Address in MFT

python -c "print(hex(int(input())<<10))"

  • Open in HxD and jump to address to carve out contents

  • CTRL + G

ToolStyleBest For
MFTECmdCLIBulk parsing, export, automation
MFT ExplorerGUIManual inspection, deep attribute review

Extract

.\MFTECmd.exe -f $MFT --csv out.csv

.\analyzeMFT.py -f $MFT -o mft.csv

Hunt

  • New .exe in Downloads/AppData/Temp
  • Short-lived files (<5 min lifetime)
  • $SI vs $FN timestamp mismatch

Deletion

  • Entry present, file missing
  • Rapid create → delete pattern

Red Flags

  • Timestomping ($SI != $FN)
  • Extension flip (.txt → .exe)
  • Multiple renames

Correlate

  • Prefetch
  • USN Journal
  • 4688
  • Amcache