MFT template for mftparser
Gary C. Kessler, 6/6/2012

NOTE: Number fields are little-endian integers, Hex fields are shown in
on-disk byte order, and Binary fields are displayed in both hex and ASCII.

The format for a Master File Table record is too complicated to describe
here so I will merely give a high-level overview and point to some
reference material.

An MFT record is 1024 bytes in length (the size is declared in the boot
sector, but 1024 is what every NTFS volume in common use declares) and has
two parts, namely the Header and the Contents.

The fixed part of the MFT Header is 42 bytes on NTFS 3.0 and 48 bytes on
NTFS 3.1 (Windows XP and later), which adds the MFT record number at bytes
44-47. The fixup array follows the fixed part (its start is given by bytes
4-5) and its length varies, so the offset_to_first_attribute field is the
true indicator of where the header ends. The Header format for the 48-byte
layout, then, is:

MFT HEADER

Beg   End   Type    Purpose
----  ----  ------  ------------------------------------------------------
0000  0003  Binary  Signature ("FILE"; "BAAD" denotes a bad entry)
0004  0005  Number  Offset to fixup array
0006  0007  Number  Number of entries in fixup array (includes the USN)
0008  0015  Number  $LogFile sequence number
0016  0017  Number  Sequence value
0018  0019  Number  Link count (hard links)
0020  0021  Number  Offset to first attribute
0022  0023  Hex     Flags (0x01 = in use, 0x02 = directory)
0024  0027  Number  Used size of MFT entry
0028  0031  Number  Allocated size of MFT entry
0032  0039  Number  File reference to base record
0040  0041  Number  Next attribute identifier
0042  0043  Hex     (Fill; 48-byte header only)
0044  0047  Number  MFT record number (48-byte header only)
0048  0049  Number  Fixup array: update sequence number (USN)
0050  ????  Hex     Fixup array entries: the original last two bytes of
                    each 512-byte sector (count in bytes 6-7, minus one)
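
As an added worked example (not part of the original template or of
mftparser), the following Python parses the header fields listed above from
a constructed 1024-byte record and then verifies and undoes the fixup array.
The record, its field values and its USN are made up for the demonstration;
it uses the 48-byte header layout with the fixup array at byte 48.

```python
import struct

MFT_RECORD_SIZE = 1024
SECTOR_SIZE = 512


def parse_mft_header(rec: bytes) -> dict:
    """Decode the fixed part of the record header (offsets per the table above)."""
    if len(rec) != MFT_RECORD_SIZE:
        raise ValueError("expected a %d-byte MFT record" % MFT_RECORD_SIZE)
    sig = rec[0:4]
    if sig not in (b"FILE", b"BAAD"):
        raise ValueError("not an MFT record: signature %r" % sig)
    (fixup_off, fixup_cnt, lsn, seq, links, first_attr, flags,
     used, alloc, base_ref, next_id) = struct.unpack_from("<HHQHHHHIIQH", rec, 4)
    # The fixup array must lie inside the record; reject hostile offsets/counts.
    if not 42 <= fixup_off <= MFT_RECORD_SIZE - 2 * fixup_cnt:
        raise ValueError("fixup array offset %d / count %d out of range" % (fixup_off, fixup_cnt))
    return {
        "signature": sig.decode("ascii"),
        "fixup_offset": fixup_off, "fixup_count": fixup_cnt,
        "logfile_sequence_number": lsn, "sequence_value": seq, "link_count": links,
        "first_attribute_offset": first_attr,
        "in_use": bool(flags & 0x01), "is_directory": bool(flags & 0x02),
        "used_size": used, "allocated_size": alloc,
        # a file reference is a 48-bit record number plus a 16-bit sequence value
        "base_record": base_ref & 0xFFFFFFFFFFFF, "base_record_sequence": base_ref >> 48,
        "next_attribute_id": next_id,
        # bytes 44-47 only exist when the fixed header is 48 bytes long
        "record_number": struct.unpack_from("<I", rec, 44)[0] if fixup_off >= 48 else None,
    }


def apply_fixups(rec: bytes) -> bytes:
    """Verify and undo the fixup (update sequence) array.  On disk the last two
    bytes of every 512-byte sector hold the USN; the real bytes live in the
    array.  A mismatch means the record was torn by an interrupted write or has
    been tampered with, so refuse to parse attributes from it."""
    h = parse_mft_header(rec)
    off, cnt = h["fixup_offset"], h["fixup_count"]
    if cnt != MFT_RECORD_SIZE // SECTOR_SIZE + 1:          # USN + one entry per sector
        raise ValueError("unexpected fixup count %d" % cnt)
    usn = rec[off:off + 2]
    buf = bytearray(rec)
    for i in range(1, cnt):
        tail = i * SECTOR_SIZE - 2
        if buf[tail:tail + 2] != usn:
            raise ValueError("fixup mismatch in sector %d: torn or corrupt record" % (i - 1))
        buf[tail:tail + 2] = rec[off + 2 * i:off + 2 * i + 2]   # restore original bytes
    return bytes(buf)


def build_sample_record() -> bytes:
    """Constructed sample record (not from a real volume): record 39, in use,
    one hard link, no attributes, USN 7, original sector tails AAAA and BBBB."""
    rec = bytearray(MFT_RECORD_SIZE)
    rec[0:4] = b"FILE"
    struct.pack_into("<HHQHHHHIIQH", rec, 4,
                     48, 3, 0x1234, 5, 1, 56, 0x0001, 60, MFT_RECORD_SIZE, 0, 4)
    struct.pack_into("<I", rec, 44, 39)                    # MFT record number
    struct.pack_into("<HHH", rec, 48, 0x0007, 0xAAAA, 0xBBBB)  # USN, then the two saved words
    rec[510:512] = b"\x07\x00"                             # on disk every sector ends in the USN
    rec[1022:1024] = b"\x07\x00"
    struct.pack_into("<I", rec, 56, 0xFFFFFFFF)            # end-of-attributes marker
    return bytes(rec)


if __name__ == "__main__":
    record = build_sample_record()
    print(parse_mft_header(record))
    print(apply_fixups(record)[508:512].hex(), apply_fixups(record)[1020:1024].hex())
```

Restore the sector tails before walking attributes: an attribute header or
resident content that straddles byte 510 or 1022 otherwise contains the USN
in place of two real bytes, and a USN mismatch is the cheapest test for a
record that was half-written or edited outside the file system.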

MFT CONTENTS

The MFT contents comprise Attributes, each of which has a Header and
Content. If the Attribute's Content is included in this MFT record, the
Attribute is said to be resident; if the Content is outside of this MFT
record, the Attribute is said to be non-resident.

ATTRIBUTE HEADER (COMMON)

Beg  End  Type    Purpose
---  ---  ------  ---------------------------------------------------------
000  003  Number  Attribute type identifier
004  007  Number  Attribute length
008       Hex     Non-resident flag (0=resident)
009       Number  Length of name
010  011  Number  Name location (offset)
012  013  Hex     Flags
014  015  Number  Attribute identifier


ATTRIBUTE HEADER (RESIDENT)

Beg  End  Type    Purpose
---  ---  ------  ---------------------------------------------------------
016  019  Number  Size of content
020  021  Number  Content location (offset)
022       Hex     Indexed flag
023       Hex     (Fill)


ATTRIBUTE HEADER (NON-RESIDENT)

Beg  End  Type    Purpose
---  ---  ------  ---------------------------------------------------------
016  023  Number  Starting virtual cluster number (VCN) of runlist
024  031  Number  Ending VCN of runlist
032  033  Number  Offset to runlist (64 for an unnamed, uncompressed attribute)
034  035  Number  Compression unit size (0 = not compressed)
036  039  Number  Unused (fill)
040  047  Number  Allocated size of attribute content
048  055  Number  Actual size of attribute content
056  063  Number  Initialized size of attribute content
064  071  Number  Compressed size (present only when bytes 34-35 are non-zero)
???  ???  Mixed   Runlist; begins at the offset given in bytes 32-33, after
                  the name (if any) and the compressed size (if present)


ATTRIBUTE TYPES

The program recognizes the following Attribute Types:

Dec  Hex    Type
---  -----  --------------------------------------------------
 16  0x010  $STANDARD_INFORMATION
 32  0x020  $ATTRIBUTE_LIST
 48  0x030  $FILE_NAME
 64  0x040  $VOLUME_VERSION/$OBJECT_ID
 80  0x050  $SECURITY_DESCRIPTOR
 96  0x060  $VOLUME_NAME
112  0x070  $VOLUME_INFORMATION
128  0x080  $DATA
144  0x090  $INDEX_ROOT
160  0x0A0  $INDEX_ALLOCATION
176  0x0B0  $BITMAP
192  0x0C0  $SYMBOLIC_LINK/$REPARSE_POINT
208  0x0D0  $EA_INFORMATION
224  0x0E0  $EA
256  0x100  $LOGGED_UTILITY_STREAM


The Attribute Contents depend, obviously, on the attribute type. The program
only displays contents when they are resident; for a non-resident attribute
the runlist must be followed out to the clusters on disk to reach the data.
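
The following Python is added here as an example and is not code from
mftparser. It walks the attribute stream of a record using the common,
resident and non-resident header layouts above, maps type identifiers to
the names in the table, decodes the data runs of a non-resident attribute
and decodes the four FILETIME timestamps of a resident $STANDARD_INFORMATION
with the NT-to-Unix epoch conversion. The attribute bytes are constructed
inline; the data-run encoding and the $STANDARD_INFORMATION timestamp layout
(four QWORDs: created, modified, MFT-modified, accessed) come from the NTFS
documentation cited at the end of this page, not from this template.

```python
import struct
from datetime import datetime, timedelta, timezone

# Attribute type identifiers from the table above
ATTR_NAMES = {
    0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST", 0x30: "$FILE_NAME",
    0x40: "$OBJECT_ID", 0x50: "$SECURITY_DESCRIPTOR", 0x60: "$VOLUME_NAME",
    0x70: "$VOLUME_INFORMATION", 0x80: "$DATA", 0x90: "$INDEX_ROOT",
    0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP", 0xC0: "$REPARSE_POINT",
    0xD0: "$EA_INFORMATION", 0xE0: "$EA", 0x100: "$LOGGED_UTILITY_STREAM",
}
END_MARKER = 0xFFFFFFFF
NT_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
EPOCH_DELTA = 116444736000000000   # 100ns ticks from 1601-01-01 to 1970-01-01


def nt_to_unix(nt: int) -> float:
    """FILETIME (100ns ticks since 1601-01-01 UTC) -> Unix epoch seconds."""
    return (nt - EPOCH_DELTA) / 10_000_000


def unix_to_nt(unix: float) -> int:
    return int(round(unix * 10_000_000)) + EPOCH_DELTA


def nt_to_datetime(nt: int) -> datetime:
    return NT_EPOCH + timedelta(microseconds=nt // 10)


def decode_runlist(data: bytes) -> list:
    """Decode data runs into (LCN, cluster count) pairs.  Each run is a header
    byte (low nibble = size of the length field, high nibble = size of the LCN
    field), the length, then a signed LCN delta from the previous run.  An LCN
    field size of 0 is a sparse run; a 0x00 header byte terminates the list."""
    runs, pos, lcn = [], 0, 0
    while pos < len(data) and data[pos] != 0:
        len_sz, off_sz = data[pos] & 0x0F, data[pos] >> 4
        if len_sz == 0 or pos + 1 + len_sz + off_sz > len(data):
            raise ValueError("malformed data run at %d" % pos)
        pos += 1
        length = int.from_bytes(data[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz == 0:
            runs.append((None, length))       # sparse: no clusters on disk
        else:
            lcn += int.from_bytes(data[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
            runs.append((lcn, length))
    return runs


def parse_attributes(data: bytes, first: int = 0) -> list:
    """Walk attribute headers from offset `first` until the end marker."""
    attrs, pos = [], first
    while pos + 4 <= len(data):
        atype = struct.unpack_from("<I", data, pos)[0]
        if atype == END_MARKER:
            break
        length, nonres, name_len, name_off, flags, attr_id = \
            struct.unpack_from("<IBBHHH", data, pos + 4)
        # bounds first: a zero or oversized length would loop forever or overread
        if length < 24 or pos + length > len(data):
            raise ValueError("attribute at %d has bad length %d" % (pos, length))
        name = data[pos + name_off:pos + name_off + 2 * name_len].decode("utf-16-le")
        a = {"type": atype, "type_name": ATTR_NAMES.get(atype, hex(atype)),
             "name": name, "id": attr_id, "flags": flags, "resident": not nonres}
        if not nonres:
            size, off = struct.unpack_from("<IH", data, pos + 16)
            a["content"] = data[pos + off:pos + off + size]
        else:
            (a["start_vcn"], a["end_vcn"], run_off, a["compression_unit"], _,
             a["allocated"], a["actual"], a["initialized"]) = \
                struct.unpack_from("<QQHHIQQQ", data, pos + 16)
            a["runs"] = decode_runlist(data[pos + run_off:pos + length])
        attrs.append(a)
        pos += length
    return attrs


def decode_standard_information(content: bytes) -> dict:
    """First four QWORDs of $STANDARD_INFORMATION are FILETIMEs (layout from
    the NTFS documentation; this page does not describe attribute contents)."""
    keys = ("created", "modified", "mft_modified", "accessed")
    return dict(zip(keys, map(nt_to_datetime, struct.unpack_from("<QQQQ", content))))


def build_sample_attributes() -> bytes:
    """Constructed attribute stream (not from a real volume): a resident
    $STANDARD_INFORMATION, then a non-resident unnamed $DATA, then the marker."""
    t = unix_to_nt(1338940800)                 # 2012-06-06 00:00:00 UTC, this template's date
    si_content = struct.pack("<QQQQ", t, t, t, t) + bytes(16)
    si = struct.pack("<IIBBHHHIHBB", 0x10, 24 + len(si_content), 0, 0, 24, 0, 0,
                     len(si_content), 24, 0, 0) + si_content
    runlist = bytes([0x21, 0x10, 0x00, 0x10,   # 16 clusters at LCN 0x1000
                     0x11, 0x08, 0xF8,         # 8 clusters at LCN 0x1000 - 8 = 0xFF8
                     0x01, 0x04,               # 4 sparse clusters (no LCN field)
                     0x00]).ljust(16, b"\x00") # attribute lengths are 8-byte aligned
    data = struct.pack("<IIBBHHHQQHHIQQQ", 0x80, 64 + len(runlist), 1, 0, 64, 0, 1,
                       0, 27, 64, 0, 0, 28 * 4096, 98000, 98000) + runlist
    return si + data + struct.pack("<I", END_MARKER)


if __name__ == "__main__":
    for a in parse_attributes(build_sample_attributes()):
        print(a["type_name"], a["content"].hex() if a["resident"] else a["runs"])
```

The length check in parse_attributes is the one that matters on hostile
input: a crafted attribute length of 0 (or one pointing past the record)
turns a naive walker into an infinite loop or an out-of-bounds read.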

Beyond this, all bets are off. Some useful resources include:

  o  "File System Forensic Analysis," Brian Carrier
  o  http://msdn.microsoft.com/en-us/library/bb470206%28VS.85%29.aspx
  o  dubeyko.com/development/FileSystems/NTFS/ntfsdoc.pdf
  o  http://www.reddragonfly.org/ntfs/concepts/file_record.html
  o  http://www.reddragonfly.org/ntfs/concepts/data_runs.html
  o  http://inform.pucp.edu.pe/~inf232/Ntfs/ntfs_doc_v0.5/concepts/attribute_header.html
  o  http://www.ntfs.com/ntfs_basics.htm

Also, take a look at http://support.citrix.com/article/CTX109645 for
information on converting NT time to Unix epoch time. NT time counts
100-nanosecond intervals since 1 January 1601 UTC; subtract
116444736000000000 (the ticks between the two epochs) and divide by
10,000,000 to get Unix seconds.
