Master File Table analysis and viewing
View attributes from a sector view
With NTFS recovery and analysis, understanding the MFT is extremely important. To assist with this, CnW data recovery software highlights fields when an MFT sector is displayed using view sector. MFT sectors can also be viewed by double clicking on the sector number within the log function. A final way to find an MFT sector is from the NTFS recover options menu: clicking on the MFT sector box displays the first MFT record.
The function works on all versions of CnW, including the free demo, which you can download now.
Hover with the mouse to decode fields
When the mouse pointer is placed over a field, a tool tip describes the field contents. The example above shows the file modification date within the Standard Attribute header.
An MFT record always starts with a header: the signature FILE, followed by the pointer to the fixup bytes, which appears as either '*' or '0'. XP systems always use the value 0x30 ('0'). All values are little endian.
After the header comes a series of records, each of which starts with a 4-byte type number followed by a 4-byte length. The record types are:
● 0x10 Standard Attribute Header
● 0x20 Non resident pointers
● 0x30 File name
● 0x50 Security descriptor
● 0x60 Volume name
● 0x80 Data run pointers and file size
● 0xA0 Index allocation
● 0xB0 Bitmap
● 0xD0 EA information
● 0xE0 EA
● 0xF0 Property Set
● 0x100 Logged utility stream
For the main header, typically the first 0x38 bytes, the following fields are displayed:
● MFT header pointer to fix up : 0x30
● Fix up count : 03
● $Logfile sequence number
● Number of times the MFT record has been reused
● Hard link count
● Real size of MFT record
● Allocated size of MFT record
● MFT value : 0x00 - this is the record's reference number within the $MFT file
● Status flag indicating whether the MFT record is for a file or a directory, and whether it is in use or deleted
● Fix up value; the tool checks whether the bytes at offsets 0x1FE and 0x1FF match it and reports them as correct or incorrect
For Standard Information, record type 0x10, the following fields are displayed:
● Creation date
● File modified date
● MFT changed time
● File read time
● File attributes, such as Read Only, Compressed, Hidden
For File name, record type 0x30, the following fields are displayed:
● Creation date
● File modified date
● MFT changed time
● File read time
For data run record types 0x80 and 0xA0, the following fields are displayed:
● Offset to data runs
● Allocated size of file
● Real size of file
● Initialised size of data stream
● Cluster start of data runs
● Length of first data run in clusters
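The header fields and the record walk described above can be reproduced outside the tool. The following Python example is added here for illustration; it is not CnW's code and not taken from any disk image. It builds a constructed 1024-byte MFT record in memory (the record number 42, the timestamps, the cluster numbers 0x1234/0x1230 and the file name notes.txt are all invented for the example), verifies and reverses the fixup bytes at 0x1FE/0x1FF and 0x3FE/0x3FF, decodes the XP-style header (fixup pointer 0x30, fixup count 3, first record at 0x38, flags for file/directory and in use/deleted), then walks the records by their 4-byte type and 4-byte length to decode the Standard Information timestamps and attribute flags, the file name, and the non-resident data fields with their data runs. Field offsets follow the standard NTFS on-disk layout, and the example goes slightly beyond the page's list (full data-run decoding, the 0xFFFFFFFF end marker, and the parent reference that precedes the File name timestamps).

```python
import struct
from datetime import datetime, timedelta, timezone

SECTOR = 512
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)          # FILETIME epoch
ATTR_NAMES = {0x10: "Standard Information", 0x30: "File name", 0x80: "Data runs", 0xA0: "Index allocation"}

def filetime(ft):                                           # 100 ns ticks since 1601-01-01 UTC
    return EPOCH + timedelta(microseconds=ft // 10)

def apply_fixups(rec):
    """Verify and undo the fixups; returns (repaired record, fixups_ok). Entry 0 of the fixup
    array is the update sequence number (USN); NTFS writes it into the last two bytes of every
    sector and keeps the displaced bytes in entries 1..n-1, so a mismatch means corruption."""
    fix_off, fix_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[fix_off:fix_off + 2]
    out, ok = bytearray(rec), True
    for i in range(1, fix_cnt):
        end = i * SECTOR                                    # 0x200 -> bytes 0x1FE/0x1FF, and so on
        ok = ok and out[end - 2:end] == usn
        out[end - 2:end] = rec[fix_off + 2 * i:fix_off + 2 * i + 2]   # put the real bytes back
    return bytes(out), ok

def parse_header(rec):
    """Decode the record header fields listed on this page (all little endian)."""
    (sig, fix_off, fix_cnt, lsn, seq, links, attr_off, flags,
     real, alloc) = struct.unpack_from("<4sHHQHHHHII", rec, 0)
    if sig != b"FILE":
        raise ValueError("not an MFT record: signature %r" % sig)
    recno = struct.unpack_from("<I", rec, 0x2C)[0] if fix_off >= 0x30 else None  # XP+ ('0') only
    return dict(fixup_offset=fix_off, fixup_count=fix_cnt, lsn=lsn, sequence=seq,
                hard_links=links, first_attr=attr_off, in_use=bool(flags & 1),
                is_dir=bool(flags & 2), real_size=real, alloc_size=alloc, record_number=recno)

def decode_runs(buf):
    """Data-run list -> [(start_cluster, clusters), ...]. Header byte: low nibble = size of the
    length field, high nibble = size of the offset field (signed, relative to the previous run)."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos]:                      # 0x00 terminates the list
        ln, on = buf[pos] & 0xF, buf[pos] >> 4
        lcn += int.from_bytes(buf[pos + 1 + ln:pos + 1 + ln + on], "little", signed=True)
        runs.append((lcn, int.from_bytes(buf[pos + 1:pos + 1 + ln], "little")))
        pos += 1 + ln + on
    return runs

def parse_attributes(rec, attr_off):
    """Walk the records (4-byte type, 4-byte length) up to the 0xFFFFFFFF end marker."""
    attrs, pos = [], attr_off
    while pos + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        a = {"type": atype, "name": ATTR_NAMES.get(atype, hex(atype)), "length": alen}
        if rec[pos + 8]:                                    # non-resident: content is in clusters
            run_off, alloc, real, init = struct.unpack_from("<H6xQQQ", rec, pos + 0x20)
            a.update(alloc_size=alloc, real_size=real, init_size=init,
                     runs=decode_runs(rec[pos + run_off:pos + alen]))
        else:                                               # resident: value inside the record
            vlen, voff = struct.unpack_from("<IH", rec, pos + 0x10)
            val = rec[pos + voff:pos + voff + vlen]
            if atype in (0x10, 0x30):                       # 0x30 times follow an 8-byte parent ref
                times = struct.unpack_from("<QQQQ", val, 8 if atype == 0x30 else 0)
                a.update(zip(("created", "modified", "mft_changed", "accessed"), map(filetime, times)))
            if atype == 0x10:
                a["file_attrs"] = struct.unpack_from("<I", val, 0x20)[0]
            elif atype == 0x30:
                a["file_name"] = val[0x42:0x42 + 2 * val[0x40]].decode("utf-16-le")
        attrs.append(a)
        pos += alen
    return attrs

def _attr(body):                                            # pad to 8 bytes, fill in the length
    body += b"\0" * (-len(body) % 8)
    return body[:4] + struct.pack("<I", len(body)) + body[8:]

def build_sample_record():
    """Constructed 1024-byte record for this example (not taken from any real disk)."""
    d = datetime(2009, 3, 14, 15, 9, 26, tzinfo=timezone.utc) - EPOCH
    t = (d.days * 86400 + d.seconds) * 10_000_000           # FILETIME ticks, integer-exact
    std = struct.pack("<QQQQI", t, t + 600_000_000, t, t, 0x20) + b"\0" * 12   # 0x20 = Archive
    fn = struct.pack("<QQQQQQQIIBB", 5 | (5 << 48), t, t, t, t, 0, 0, 0x20, 0, 9, 1)
    fn += "notes.txt".encode("utf-16-le")
    runs = b"\x21\x08\x34\x12" + b"\x11\x04\xfc" + b"\x00"   # 8 clusters @ 0x1234, then 4 @ 0x1230
    data = struct.pack("<IIBBHHH", 0x80, 0, 1, 0, 0x40, 0, 2)
    data += struct.pack("<QQHHIQQQ", 0, 11, 0x40, 0, 0, 12 * 4096, 47000, 47000) + runs
    attrs = (_attr(struct.pack("<IIBBHHHIHBB", 0x10, 0, 0, 0, 0x18, 0, 0, len(std), 0x18, 0, 0) + std)
             + _attr(struct.pack("<IIBBHHHIHBB", 0x30, 0, 0, 0, 0x18, 0, 1, len(fn), 0x18, 1, 0) + fn)
             + _attr(data) + b"\xff\xff\xff\xff\0\0\0\0")
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0x1000, 2, 1, 0x38, 0x01,
                      0x38 + len(attrs), 1024, 0, 3, 0, 42)
    rec = bytearray(hdr + b"\0" * 8 + attrs)                # fixup array at 0x30, padded to 0x38
    rec += b"\0" * (1024 - len(rec))
    usn = b"\x07\x00"
    rec[0x30:0x32] = usn
    for i in (1, 2):                                        # stamp each sector end as NTFS does
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = usn
    return bytes(rec)
```

Typical use is `fixed, ok = apply_fixups(build_sample_record())` followed by `parse_header(fixed)` and `parse_attributes(fixed, parse_header(fixed)["first_attr"])`; flipping a byte at 0x3FE before calling apply_fixups makes `ok` false, which is the "incorrect" condition the fix up value check reports. Always undo the fixups before reading any field that straddles a sector boundary, otherwise two bytes of record data are silently replaced by the USN.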
This list is not complete; it will be extended in future releases, as will the decoding of other popular sector types.