Master File Table (MFT) Parser V2.1 - Gary C. Kessler (11 June 2013)

Source file samples/MFT_EFS.img (1025 bytes) contains 1 MFT record(s)

==================== MFT RECORD #0 ====================

********** MFT HEADER **********

0000-0003 Signature: 0x46-49-4C-45 [FILE]
0004-0005 Offset to fixup array: 0x30-00 [48]
0006-0007 Number of entries in fixup array: 0x03-00 [3]
0008-0015 $LogFile sequence number: 0xD0-F4-38-6E-08-00-00-00 [36,208,964,816]
0016-0017 Sequence value: 0x0A-00 [10]
0018-0019 Link count: 0x01-00 [1]
0020-0021 Offset to first attribute: 0x38-00 [56]
0022-0023 Flags: 0x01-00 -- Record is a file
0024-0027 Logical size of record: 0xD0-01-00-00 [464 bytes]
0028-0031 Physical size of record: 0x00-04-00-00 [1,024 bytes]
0032-0039 File reference to base record: 0x00-00-00-00-00-00-00-00 [0]
0040-0041 Id. of next attribute: 0x09-00 [9]
0042-0043 (Fill): 0x00-00
0044-0047 MFT record number: 0x0E-9A-00-00 [39,438]
0048-0049 Fixup array sequence number: 0x5B-01 [347]
0050-0055 3 fixup array entries: 0x00-00-00-00-00-00

********** MFT CONTENTS **********

ATTRIBUTE #1 ($STANDARD_INFORMATION)

-------------------- HEADER --------------------
0056-0059 Attribute type: 0x10-00-00-00 [$STANDARD_INFORMATION]
0060-0063 Attribute length: 0x60-00-00-00 [96 bytes]
0064 Non-resident flag: 0x00 [Attribute is resident]
0065 Name length: 0x00 [0 16-bit characters]
0066-0067 Offset to name: 0x00-00 [0 bytes]
0068-0069 Flag: 0x00-00 -- (None)
0070-0071 Attribute identifier: 0x00-00 [0]
0072-0075 Content length: 0x48-00-00-00 [72 bytes]
0076-0077 Content offset: 0x18-00 [24]
0078-0079 (Fill): 0x00-00

-------------------- CONTENTS --------------------
0080-0087 C-time: 0xB2-7B-F8-2F-8B-ED-CA-01 [Fri May 7 02:15:39 2010 GMT]
0088-0095 M-time: 0x78-97-A0-3C-8B-ED-CA-01 [Fri May 7 02:16:00 2010 GMT]
0096-0103 E-time: 0x50-ED-65-A4-61-3C-CD-01 [Sun May 27 23:37:13 2012 GMT]
0104-0111 A-time: 0xAA-4F-68-A4-61-3C-CD-01 [Sun May 27 23:37:13 2012 GMT]
0112-0115 Flags: 0x20-40-00-00 -- Archive, Encrypted
0116-0119 Max. number of versions: 0x00-00-00-00 [0]
0120-0123 Version number: 0x00-00-00-00 [0]
0124-0127 Class identifier: 0x00-00-00-00 [0]
0128-0131 Owner identifier: 0x00-00-00-00 [0]
0132-0135 Security identifier: 0x8B-01-00-00 [395]
0136-0143 Quota charged: 0x00-00-00-00-00-00-00-00 [0]
0144-0151 Update sequence number: 0x00-00-00-00-00-00-00-00 [0]

ATTRIBUTE #2 ($FILE_NAME)

-------------------- HEADER --------------------
0152-0155 Attribute type: 0x30-00-00-00 [$FILE_NAME]
0156-0159 Attribute length: 0x70-00-00-00 [112 bytes]
0160 Non-resident flag: 0x00 [Attribute is resident]
0161 Name length: 0x00 [0 16-bit characters]
0162-0163 Offset to name: 0x00-00 [0 bytes]
0164-0165 Flag: 0x00-00 -- (None)
0166-0167 Attribute identifier: 0x07-00 [7]
0168-0171 Content length: 0x52-00-00-00 [82 bytes]
0172-0173 Content offset: 0x18-00 [24]
0174-0175 (Fill): 0x01-00

-------------------- CONTENTS --------------------
0176-0181 Parent directory MFT #: 0xA6-3A-00-00-00-00 [15,014]
0182-0183 Parent use/Delete count: 0x0A-00 [10]
0184-0191 C-time: 0xB2-7B-F8-2F-8B-ED-CA-01 [Fri May 7 02:15:39 2010 GMT]
0192-0199 M-time: 0xB2-7B-F8-2F-8B-ED-CA-01 [Fri May 7 02:15:39 2010 GMT]
0200-0207 E-time: 0x66-40-FD-2F-8B-ED-CA-01 [Fri May 7 02:15:39 2010 GMT]
0208-0215 A-time: 0xB2-7B-F8-2F-8B-ED-CA-01 [Fri May 7 02:15:39 2010 GMT]
0216-0223 Allocated file size: 0x00-00-00-00-00-00-00-00 [0 bytes]
0224-0231 Actual file size: 0x00-00-00-00-00-00-00-00 [0 bytes]
0232-0235 Flags: 0x20-40-00-00 -- Archive, Encrypted
0236-0239 Reparse value: 0x00-00-00-00 [0]
0240 Length of file name: 0x08 [8 characters]
0241 Namespace: 0x03 [3] (Win32/DOS)

-------- File name --------
0242: 74 00 79 00 75 00 69 00 2E 00 74 00 78 00 74 00  t.y.u.i...t.x.t.  tyui.txt

---- Remaining bytes in attribute contents ----
0258: 00 00 00 00 00 00  ......

ATTRIBUTE #3 ($VOLUME_VERSION/$OBJECT_ID)

-------------------- HEADER --------------------
0264-0267 Attribute type: 0x40-00-00-00 [$VOLUME_VERSION/$OBJECT_ID]
0268-0271 Attribute length: 0x28-00-00-00 [40 bytes]
0272 Non-resident flag: 0x00 [Attribute is resident]
0273 Name length: 0x00 [0 16-bit characters]
0274-0275 Offset to name: 0x00-00 [0 bytes]
0276-0277 Flag: 0x00-00 -- (None)
0278-0279 Attribute identifier: 0x08-00 [8]
0280-0283 Content length: 0x10-00-00-00 [16 bytes]
0284-0285 Content offset: 0x18-00 [24]
0286-0287 (Fill): 0x00-00

-------------------- CONTENTS --------------------
0288-0303 GUID Object Identifier: 0xC5-CA-D4-23-2C-53-DF-11-BD-D6-00-0C-29-EB-73-CB

ATTRIBUTE #4 ($DATA)

-------------------- HEADER --------------------
0304-0307 Attribute type: 0x80-00-00-00 [$DATA]
0308-0311 Attribute length: 0x48-00-00-00 [72 bytes]
0312 Non-resident flag: 0x01 [Attribute is non-resident]
0313 Name length: 0x00 [0 16-bit characters]
0314-0315 Offset to name: 0x00-00 [0 bytes]
0316-0317 Flag: 0x00-40 -- Encrypted
0318-0319 Attribute identifier: 0x04-00 [4]
0320-0327 Runlist starting VCN: 0x00-00-00-00-00-00-00-00 [0]
0328-0335 Runlist ending VCN: 0x00-00-00-00-00-00-00-00 [0]
0336-0337 Offset to runlist: 0x40-00 [64 bytes]
0338-0339 Compression unit size: 0x00-00 [no compression]
0340-0343 Unused: 0x00-00-00-00
0344-0351 Allocated attribute content size: 0x00-10-00-00-00-00-00-00 [4,096 bytes]
0352-0359 Actual attribute content size: 0x04-00-00-00-00-00-00-00 [4 bytes]
0360-0367 Initialized attribute content size: 0x04-00-00-00-00-00-00-00 [4 bytes]
0368-0372 Run list #1: 0x31-01-5A-02-02
    Run length (1-byte value) is 1 cluster(s)
    Starting cluster (3-byte value) is #131,674

Remainder of Attribute field (possibly fill or 32-bit alignment...)
0373: 00 01 00  ...

ATTRIBUTE #5 ($LOGGED_UTILITY_STREAM)

-------------------- HEADER --------------------
0376-0379 Attribute type: 0x00-01-00-00 [$LOGGED_UTILITY_STREAM]
0380-0383 Attribute length: 0x50-00-00-00 [80 bytes]
0384 Non-resident flag: 0x01 [Attribute is non-resident]
0385 Name length: 0x04 [4 16-bit characters]
0386-0387 Offset to name: 0x40-00 [64 bytes]
0388-0389 Flag: 0x00-00 -- (None)
0390-0391 Attribute identifier: 0x06-00 [6]
0392-0399 Runlist starting VCN: 0x00-00-00-00-00-00-00-00 [0]
0400-0407 Runlist ending VCN: 0x00-00-00-00-00-00-00-00 [0]
0408-0409 Offset to runlist: 0x48-00 [72 bytes]
0410-0411 Compression unit size: 0x00-00 [no compression]
0412-0415 Unused: 0x00-00-00-00
0416-0423 Allocated attribute content size: 0x00-10-00-00-00-00-00-00 [4,096 bytes]
0424-0431 Actual attribute content size: 0x20-02-00-00-00-00-00-00 [544 bytes]
0432-0439 Initialized attribute content size: 0x20-02-00-00-00-00-00-00 [544 bytes]
0440-0447 Name: 0x24-00-45-00-46-00-53-00 [$EFS]
0448-0452 Run list #1: 0x31-01-D0-A2-00
    Run length (1-byte value) is 1 cluster(s)
    Starting cluster (3-byte value) is #41,680

Remainder of Attribute field (possibly fill or 32-bit alignment...)
0453: 00 01 00  ...

0456-0459 Attribute type: 0xFF-FF-FF-FF [END_OF_ATTRIBUTE_LIST]

Remainder of MFT contents...
0460: 82 79 47 11 00 00 00 00 00 00 00 00 00 C0 1D F3  .yG..........À.ó
0476: 5B 47 41 F8 00 01 00 00 50 00 00 00 01 04 40 00  [GAø....P.....@.
0492: 00 00 06 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0508: 00 00 5B 01 48 00 00 00 00 00 00 00 00 10 00 00  ..[.H...........
0524: 00 00 00 00 20 02 00 00 00 00 00 00 20 02 00 00  .... ....... ...
0540: 00 00 00 00 24 00 45 00 46 00 53 00 31 01 D0 A2  ....$.E.F.S.1.Ð¢
0556: 00 00 01 00 FF FF FF FF 82 79 47 11 00 00 00 00  ....ÿÿÿÿ.yG.....
0572: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0588: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0604: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0620: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0636: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0652: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0668: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0684: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0700: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0716: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0732: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0748: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0764: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0796: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0812: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0828: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0844: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0860: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0876: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0892: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0908: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0924: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0940: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0956: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0972: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
0988: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1004: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
1020: 00 00 5B 01  ..[.