Home
NTFS creates directories from records in the $MFT file. Each MFT recor5d has a maximum length of 0x400 bytes (1024) and is always stored in two consequative sectors.
The first sector always starts with FILE followed by a '0' or '*' depending on version of operating system
A very common location for the start of the $MFT file is 0x60003F
When an MFT sector is viewed in CnW Receovery software, the sector is parsed, and a tool tip will display values for each type of field with the complete record
Sector 0x60003F
000000 46 49 4C 45 30 00 03 00 - F3 D4 36 9D 03 00 00 00 FILE0 � 6�
000010 01 00 01 00 38 00 01 00 - F8 01 00 00 00 04 00 00 � � 8 � � �
000020 00 00 00 00 00 00 00 00 - 06 00 00 00 00 00 00 00 �
000030 93 04 00 00 00 00 00 00 - 10 00 00 00 60 00 00 00 “� � `
000040 00 00 18 00 00 00 00 00 - 48 00 00 00 18 00 00 00 � H �
000050 40 39 E3 BE 35 B2 C6 01 - 40 39 E3 BE 35 B2 C6 01 @95�@95�
000060 40 39 E3 BE 35 B2 C6 01 - 40 39 E3 BE 35 B2 C6 01 @95�@95�
000070 06 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00 �
000080 00 00 00 00 00 01 00 00 - 00 00 00 00 00 00 00 00 �
000090 00 00 00 00 00 00 00 00 - 30 00 00 00 68 00 00 00 0 h
0000A0 00 00 18 00 00 00 03 00 - 4A 00 00 00 18 00 01 00 � � J � �
0000B0 05 00 00 00 00 00 05 00 - 40 39 E3 BE 35 B2 C6 01 � � @95�
0000C0 40 39 E3 BE 35 B2 C6 01 - 40 39 E3 BE 35 B2 C6 01 @95�@95�
0000D0 40 39 E3 BE 35 B2 C6 01 - 00 80 38 2A 00 00 00 00 @95� 8*
0000E0 00 80 38 2A 00 00 00 00 - 06 00 00 00 00 00 00 00 8* �
0000F0 04 03 24 00 4D 00 46 00 - 54 00 00 00 00 00 00 00 ��$ M F T
000100 80 00 00 00 50 00 00 00 - 01 00 40 00 00 00 01 00 P � @ �
000110 00 00 00 00 00 00 00 00 - 87 A3 02 00 00 00 00 00 �
000120 40 00 00 00 00 00 00 00 - 00 80 38 2A 00 00 00 00 @ 8*
000130 00 80 38 2A 00 00 00 00 - 00 80 38 2A 00 00 00 00 8* 8*
000140 33 24 D5 01 00 00 0C 43 - 64 CE 00 CB 11 F7 02 00 3$� Cd ��
000150 B0 00 00 00 A0 00 00 00 - 01 00 40 00 00 00 05 00 � @ �
000160 00 00 00 00 00 00 00 00 - 15 00 00 00 00 00 00 00 �
000170 40 00 00 00 00 00 00 00 - 00 60 01 00 00 00 00 00 @ `�
000180 C8 51 01 00 00 00 00 00 - C8 51 01 00 00 00 00 00 Q� Q�
000190 31 01 FF FF 0B 31 01 A4 - 5E 70 31 05 40 82 E5 41 1� 1�^p1�@A
0001A0 01 D8 F4 F0 00 31 01 D5 - 44 03 41 01 A9 C4 7E FF � 1�D�A�~
0001B0 31 01 69 79 7A 41 01 60 - 63 85 00 31 01 25 4E 01 1�iyzA�`c 1�%N�
0001C0 31 01 A6 62 01 31 01 20 - 7F 01 41 01 EA 54 77 FF 1�b�1� �A�Tw
0001D0 31 01 95 32 04 31 01 A6 - EE 7A 31 01 1C 00 03 31 1�2�1�z1�� �1
0001E0 01 84 47 10 31 01 DD E2 - 0F 31 01 31 AF 0A 00 00 �G�1��1�1
0001F0 FF FF FF FF 00 00 00 00 - FF FF FF FF 00 00 93 04 “�
Next sector, 0x600040
0001A0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
0001B0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
0001C0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
0001D0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
0001E0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
0001F0 00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 93 04 “�
To help recognise an MFT sector it should be noted that the last two bytes of each sector will always be the same. These bytes are set with a 'random' value that is then modified later. It ensures that both sectors have been read fully. In the example above, one can note that the final two bytes are 93 04 and these values are also set in bytes 0x30-0x31 to show the value that should be read
With CnW software, when the sector is viewed with View Sector, as the cursor is moved over each field in the MFT record, it will be decoded and displayed as a tool tip. Most useful values can be the date fields and size fields that are not always obvious, or easy to decode.
