$MFT (Master File Table)

windowsFilesystem & TimelineDisk Image

Location

\\.\C:\$MFT

Description

NTFS Master File Table containing a record for every file and directory on the volume, including timestamps (created, modified, accessed, entry-modified), file size, parent directory reference, and resident data for small files.

Forensic Value

Comparing $STANDARD_INFORMATION and $FILE_NAME timestamps detects timestomping -- if SI timestamps are older than FN timestamps, manipulation is confirmed. Deleted file records remain in the MFT until overwritten, enabling recovery of attacker-deleted tools. The full directory tree can be reconstructed even from a dead disk.

Tools Required

KAPEMFTECmd (Eric Zimmerman)AutopsyanalyzeMFT

Related Blockers

Critical Logs Rotated/Overwritten Before Collection

Key log files (Security EVTX, web server access logs, syslog) have been rotated out or overwritten due to aggressive retention settings, high volume, or attacker manipulation. The evidence window for those sources is now closed.

M365/Azure Logs Past Retention Period

Unified Audit Log (UAL) entries in Microsoft 365 or Azure AD sign-in logs have expired beyond the default 90-day (E3) or 180-day (E5) retention window. Historical evidence of initial access, mailbox abuse, or OAuth consent grants is no longer available in the tenant.

SIEM Not Ingesting Relevant Log Sources

The SIEM does not ingest logs from the affected systems, applications, or network segments. Correlation, alerting, and historical search capabilities are unavailable for the evidence sources most relevant to this incident.

Need Data from External Vendor or MSP

Critical evidence resides with a third-party managed service provider, SaaS vendor, or hosting company. Your team has no direct access and must navigate contractual, legal, and technical hurdles to obtain logs or images.

Attacker Used Timestomping, Log Clearing, or Other Anti-Forensics

Evidence of deliberate anti-forensic activity has been found: timestamps modified, event logs cleared, prefetch/shimcache wiped, or tools designed to defeat forensic analysis were executed. Standard timeline analysis may be unreliable.

Regulatory Notification Deadline Approaching

A regulatory reporting deadline (GDPR 72-hour, SEC 4-day, state breach notification, HIPAA) is imminent and the investigation has not yet determined the full scope of data exposure. The team must balance thorough investigation against mandatory disclosure timelines.

Backups May Be Compromised -- Cannot Trust for Recovery

Backup integrity is uncertain. The attacker may have been present in the environment long enough to have compromised backup copies, planted persistence mechanisms in backup images, or encrypted/deleted backup repositories.