A Deep Dive into Windows File System Forensics#

In digital forensics and incident response (DFIR), disk-level artifacts form the backbone of timeline reconstruction and attacker attribution. Unlike memory or logs that roll quickly, NTFS metadata persists, leaving behind breadcrumbs of activity even after attackers attempt cleanup.

This guide explores the core NTFS artifacts ($MFT, $LogFile, $UsnJrnl, VSS, Recycle Bin, File Slack, and ADS), with emphasis on locations, forensic meaning, structure, anti-forensics, tools, and workflows. It’s written for practitioners who already know the basics and need operational depth.


⚡ Quick Triage Workflow (30-Minute IR Playbook)#

If time-constrained in a live incident:

  1. Dump $MFT → establish global file activity timeline.
  2. Parse $UsnJrnl → detect mass operations (ransomware staging).
  3. Validate with $LogFile → recover volatile metadata changes.
  4. Check VSS → attempt recovery of pre-encryption/deleted files.
  5. Pull Recycle Bin → attribute deletions to users.
  6. Scan ADS → detect stealth/persistence mechanisms.
  7. If time allows → carve unallocated/slack space.

Artifact Deep Dives#


1. $MFT (Master File Table)#

Location:

C:\$MFT   (MFT entry #0)

Description / Structure (deep):

  • Record layout: Default 1024-byte records (“FILE” signature, fix-up/Update Sequence Array (USA), sequence number, hard-link count, first attribute offset).
  • Attributes you’ll see most:
    • $STANDARD_INFORMATION (SI): 4 timestamps (MACB) + flags (read-only, hidden, etc.).
    • $FILE_NAME (FN): Name, parent reference, another set of MACB times; multiple FN attributes exist for long/short names & hard links.
    • $DATA: resident (small files stored inside the MFT record) vs. non-resident (uses data runs mapping Virtual Cluster Numbers (VCN) → Logical Cluster Numbers (LCN)).
    • $INDEX_ROOT, $INDEX_ALLOCATION, $BITMAP: directory index ($I30) contents & allocation.
    • Others you’ll encounter: $OBJECT_ID, $REPARSE_POINT (junctions/symlinks), $ATTRIBUTE_LIST (spills attributes into extension records for very “busy” files).
  • Linkage: File Reference Number (FRN) = 48-bit MFT record + 16-bit sequence; used by $UsnJrnl; Parent FRN stored in $FILE_NAME.
  • Integrity aids: USA fix-ups catch torn-write corruption; sequence number increments on reuse (helps detect stale references).

Forensic Value:

  • Timeline anchor for every file/dir; dual timestamp families (SI vs FN) expose manipulation attempts.
  • Resident data surfaces tiny droppers/configs that never touch clusters.
  • Parent FRN ties items to directories (fast attribution).

Anti-Forensics:

  • Timestomping often edits SI only; FN remains truthful (compare them).
  • Direct MFT tampering (rare, advanced) can zero attributes or flip flags.
  • Over-allocation tricks and odd data runs can hide content in sparse files.

Workflow:

  1. Dump MFT with MFTECmd:
    MFTECmd.exe -f C:\$MFT --csv MFT.csv
    
  2. Filter for target paths/users; compare SI vs FN times.
  3. Pivot FRNs into $UsnJrnl and LSNs into $LogFile to corroborate.

Red Flag: SI and FN times don’t agree (e.g., created-after-deleted or FN shows earlier real times).

Pro Tip: Files < ~700B may be fully resident. Export $DATA directly from MFT—no “deleted file carving” needed.


2. $LogFile (NTFS Transaction Log)#

Location:

C:\$LogFile   (MFT entry #2)

Default size ≈ 64 MB on many systems (tunable via chkdsk /L:size).

Description / Structure (deep):

  • Built on NTFS Logging File Service (LFS).
  • Restart Areas (RSTR) store recovery metadata; Log Record Pages (RCRD) hold redo/undo records.
  • Circular buffer: newest overwrites oldest; retention depends on volume activity and log size (busy servers can churn in minutes).
  • Records reference: target MFT record, attribute type, and cluster ranges (VCN/LCN).
  • Redo/Undo semantics: what changed vs what was there prior (vital for reconstructing “before” states).

Forensic Value:

  • Rebuilds volatile transactions (create/rename/delete/ACL changes) even if the final artifact is gone.
  • Failed transactions reveal aborted tampering.
  • Tracks metadata-only ops attackers rely on to cover tracks.

Anti-Forensics:

  • Attackers exploit short retention (stalling) or attempt deletion/truncation.
  • Some cleaners target $LogFile; still, partial pages and other metadata may survive.

Workflow:

  1. Parse with LogFileParser (Joakim Schicht):
    LogFileParser.exe -f C:\$LogFile -o log.csv
    
  2. Pivot to MFT record referenced and verify with $UsnJrnl.
  3. Look for create→delete bursts around intrusion windows.

Red Flag: Tight loops of create/rename/delete over the same FRN = tool testing or batch cleanup.

Pro Tip: Use $LogFile to recover pre-rename original names and pre-delete existence—even when nothing remains on disk.


3. $UsnJrnl (Update Sequence Number Journal)#

Location:

C:\$Extend\$UsnJrnl:$J        (change records)
C:\$Extend\$UsnJrnl:$Max      (journal config: MaximumSize, AllocationDelta)

Description / Structure (deep):

  • Sparse file (reports large size; consumes storage as needed).
  • Record versions: USN_RECORD_V2 (legacy) & V3 (modern); contain:
    • USN (monotonic counter), Timestamp (FILETIME), Reason flags (bitmask), SourceInfo, SecurityId, FileAttributes, FileReferenceNumber (FRN), ParentFRN, FileName (Unicode).
  • Reason flags combine (bitwise OR): FILE_CREATE, FILE_DELETE, RENAME_OLD_NAME/NEW_NAME, DATA_OVERWRITE, DATA_EXTEND, BASIC_INFO_CHANGE, SECURITY_CHANGE, CLOSE, etc.
  • Retention: days to weeks depending on MaximumSize and write volume. Truncation resets the USN range; old records can persist in unallocated.

Forensic Value:

  • High-signal change feed for files, including renames (often missed elsewhere).
  • Detect mass operations (encryption staging, exfil packaging).
  • ParentFRN + FileName pairs let you re-assemble moves across dirs.

Anti-Forensics:

  • Truncation/disable attempts; however, carving $J out of unallocated is frequently successful.
  • Attackers relying on rename/copy patterns leave rich fingerprints here.

Workflow:

  1. Parse with MFTECmd:
    MFTECmd.exe -f C:\$Extend\$UsnJrnl:$J --csv usn.csv
    
  2. Filter by Reason (e.g., FILE_CREATE|DATA_OVERWRITE) and by time windows.
  3. Tie FRN to MFT for ground truth; validate rename sequences (OLD_NAME → NEW_NAME → CLOSE).

Red Flag: A short window with thousands of DATA_OVERWRITE or FILE_CREATE events—classic ransomware staging.

Pro Tip: Always carve unallocated for orphaned USN records after truncation; it’s often the only surviving record of the change burst.
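As an added illustration of the record layout above and of the create/overwrite burst red flag (example code written for this guide, not MFTECmd's or any other tool's), the following Python parses USN_RECORD_V2 records from a $J-style byte buffer, decodes the Reason bitmask, splits each FRN into MFT entry and sequence number, and measures the densest window of FILE_CREATE/DATA_OVERWRITE events. The header layout and reason bit values are the documented Windows ones; every record in the sample is constructed here, not captured from a volume.

```python
import struct
from datetime import datetime, timedelta, timezone

REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x100: "FILE_CREATE",      # subset of the
           0x200: "FILE_DELETE", 0x800: "SECURITY_CHANGE", 0x1000: "RENAME_OLD_NAME",  # USN_REASON_*
           0x2000: "RENAME_NEW_NAME", 0x8000: "BASIC_INFO_CHANGE", 0x80000000: "CLOSE"}  # bit values
HDR = "<IHHQQqqIIIIHH"   # USN_RECORD_V2 fixed part: 60 bytes, little-endian, unpadded
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME origin (100 ns ticks)
def split_frn(frn):      # File Reference Number -> (48-bit MFT entry, 16-bit sequence number)
    return frn & 0xFFFFFFFFFFFF, frn >> 48

def build_v2(frn, pfrn, usn, when, reason, name):
    """Constructed USN_RECORD_V2 for the sample below (not captured from a real volume)."""
    nb = name.encode("utf-16-le")
    rlen = (60 + len(nb) + 7) & ~7                      # records are 8-byte aligned
    ft = int((when - EPOCH).total_seconds()) * 10_000_000
    hdr = struct.pack(HDR, rlen, 2, 0, frn, pfrn, usn, ft, reason, 0, 0, 0x20, len(nb), 60)
    return (hdr + nb).ljust(rlen, b"\0")

def parse_usn_v2(buf):
    """Walk a $J byte buffer; return one dict per V2 record with reason names decoded."""
    off, out = 0, []
    while off + 60 <= len(buf):
        rlen, major, _, frn, pfrn, usn, ts, reason, _, _, _, nlen, noff = struct.unpack_from(HDR, buf, off)
        if rlen == 0 or major != 2:                     # zero fill or a V3 record: stop here
            break
        entry, seq = split_frn(frn)
        out.append({"usn": usn, "time": EPOCH + timedelta(microseconds=ts // 10),
                    "entry": entry, "seq": seq, "parent": split_frn(pfrn)[0],
                    "name": buf[off + noff:off + noff + nlen].decode("utf-16-le"),
                    "reasons": [n for bit, n in REASONS.items() if reason & bit]})
        off += rlen
    return out

def max_burst(records, window_s=5, flags=("FILE_CREATE", "DATA_OVERWRITE")):  # mass-write signal
    hits = sorted(r["time"] for r in records if set(flags) & set(r["reasons"]))
    best = start = 0
    for end, t in enumerate(hits):                      # sliding window over flagged timestamps
        while t - hits[start] > timedelta(seconds=window_s):
            start += 1
        best = max(best, end - start + 1)
    return best

T0 = datetime(2024, 5, 1, 12, 0, 0, tzinfo=timezone.utc)  # constructed sample: old create,
FRN = (7 << 48) | 1234                                  # rename pair, 4 overwrites in 3 s
SAMPLE = b"".join([build_v2(FRN, 5, 1000, T0 - timedelta(hours=2), 0x100 | 0x80000000, "notes.txt"),
                   build_v2(FRN, 5, 1080, T0, 0x1000, "notes.txt"),
                   build_v2(FRN, 5, 1160, T0, 0x2000 | 0x80000000, "notes.txt.locked")]
                  + [build_v2((3 << 48) | (2000 + i), 5, 1240 + 80 * i, T0 + timedelta(seconds=i),
                              0x1 | 0x80000000, f"doc{i}.docx") for i in range(4)])
```

The entry/sequence split is what lets a parsed record be pivoted into the matching $MFT entry, and a sequence mismatch there marks a stale reference to a reused record.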


4. Volume Shadow Copies (VSS)#

Location / Access:

\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy#
vssadmin list shadows
mklink /d C:\vss1 \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1\

Description / Structure (deep):

  • Architecture roles: Requester (backup app/you), Writer (e.g., NTDS, Registry, SQL), Provider (System/Software/Hardware).
  • Mechanism: Copy-on-write/differential block-level snapshots for NTFS volumes.
  • Storage: Tracked under System Volume Information; capacity governed by shadow storage.
  • Scope: NTFS only; typically enabled on system volumes via System Protection (policy-dependent).

Forensic Value:

  • Time-travel to pre-encryption/pre-deletion states.
  • Recover older registry hives, event logs, and user files.
  • Compare snapshot deltas to map attack progression.

Anti-Forensics:

  • Common attacker move: vssadmin delete shadows /all or direct VSS API calls to purge.
  • Low storage quotas → automatic churn of older copies.

Workflow:

  1. Enumerate (vssadmin list shadows, vssadmin list shadowstorage).
  2. Mount selected snapshots (mklink / Arsenal Image Mounter / libvshadow).
  3. Extract MFT/registry/logs; diff snapshots across time.

Red Flag: Shadow deletion around the time $UsnJrnl shows mass writes → anti-recovery attempt.

Pro Tip: Mount multiple VSCs and run a diff of key artifacts (MFT, SAM/SYSTEM, user profiles) to storyboard the incident.


5. Recycle Bin ($Recycle.Bin)#

Location:

C:\$Recycle.Bin\<SID>\

Description / Structure (deep):

  • Vista+ format: per-user SID folder; each deletion produces paired files:
    • $Ixxxxxx (metadata: original path, deletion FILETIME, original size).
    • $Rxxxxxx (content: the actual deleted file).
  • Pre-Vista: central INFO2 database (legacy; still appears on old images).
  • Per-volume bins: each NTFS volume has its own $Recycle.Bin.

Forensic Value:

  • User attribution of deletions (via SID).
  • Timeline linkage: deletion time vs user logons & tool execution.
  • Even if $I is damaged, $R content can often be recovered.

Anti-Forensics:

  • Shift+Delete or command-line deletion bypasses the bin.
  • Emptying the bin removes pairs, but remnants may persist in unallocated.

Workflow:

  1. Parse with RBCmd:
    RBCmd.exe -d C:\$Recycle.Bin --csv recycle.csv
    
  2. Cross-check SID with local accounts; tie original path to sensitive targets.

Red Flag: Many $I entries within seconds → scripted cleanup/cover-up.

Pro Tip: Don’t forget non-system volumes (e.g., D:\$Recycle.Bin\<SID>\) when chasing insider deletions.
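To make the $I/$R pairing concrete (added example written for this guide, not RBCmd's code), the Python below parses both $I layouts described above, version 1 (Vista through 8.1, fixed 260-character path) and version 2 (Windows 10+, length-prefixed path), joins each $I to its $R twin by the shared ID, and reports $R files whose $I is missing or damaged as orphan content to recover directly. The per-SID folder contents are constructed in the script; the field layout is the documented one.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME origin (100 ns ticks)
def parse_i_file(data):
    """Parse one $I record; returns a dict, or None when the header is damaged or unknown."""
    if len(data) < 24:
        return None
    version, size, ft = struct.unpack_from("<QQQ", data, 0)
    if version == 1:                    # Vista through 8.1: fixed 260-WCHAR path field
        raw = data[24:544]
    elif version == 2:                  # Windows 10+: DWORD char count (incl. NUL), then path
        raw = data[28:28 + 2 * struct.unpack_from("<I", data, 24)[0]]
    else:
        return None
    return {"version": version, "size": size,
            "deleted": EPOCH + timedelta(microseconds=ft // 10),
            "path": raw.decode("utf-16-le", errors="replace").split("\0", 1)[0]}

def build_i(version, size, when, path):
    """Constructed $I bytes for the sample below (not taken from a real volume)."""
    ft = int((when - EPOCH).total_seconds()) * 10_000_000
    raw = (path + "\0").encode("utf-16-le")
    if version == 1:
        return struct.pack("<QQQ", 1, size, ft) + raw.ljust(520, b"\0")
    return struct.pack("<QQQI", 2, size, ft, len(path) + 1) + raw

def parse_bin(sid_dir):
    """Per-SID bin folder as {filename: bytes}; returns ($I entries with their $R pair, orphan $R names)."""
    entries, r_files = [], {n for n in sid_dir if n.startswith("$R")}
    for name, data in sid_dir.items():
        if not name.startswith("$I"):
            continue
        r_name = "$R" + name[2:]            # $I and $R share the same 6-char ID and extension
        meta = parse_i_file(data)
        if meta is not None:
            meta.update(i_file=name, r_file=r_name, r_present=r_name in r_files)
            entries.append(meta)
            r_files.discard(r_name)         # paired; whatever is left has no usable $I
    return entries, sorted(r_files)

T = datetime(2024, 5, 1, 9, 30, 0, tzinfo=timezone.utc)
SID_DIR = {                                 # constructed sample folder contents
    "$I1A2B3C.docx": build_i(2, 40_960, T, r"C:\Users\alice\Documents\payroll.docx"),
    "$R1A2B3C.docx": b"PK\x03\x04" + b"\0" * 16,
    "$IZZ9Q7K.txt": build_i(1, 1_024, T - timedelta(seconds=30), r"D:\share\notes.txt"),
    "$RZZ9Q7K.txt": b"sample content",
    "$IDMG001.log": b"\xff" * 32,           # damaged $I: version field is garbage
    "$RDMG001.log": b"still recoverable",
}
```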


6. File Slack & Unallocated Space#

Location:

  • File slack: bytes between end-of-file and end of last allocated cluster.
  • Unallocated space: clusters not assigned to any file; contains residual data from deletions.
  • Related: RAM slack (from end-of-file to the end of its last sector) vs drive slack (from that sector to the cluster boundary).

Description / Structure (deep):

  • Cluster size (e.g., 4 KB) determines slack volume.
  • Deleted MFT entries and old index pages may persist until reused.
  • Registry fragments, log entries, PE headers, and strings commonly survive here.
  • SSD TRIM: the OS/drive may zero unallocated quickly; behavior varies by firmware & workload.
  • BitLocker: You’ll need keys to see plaintext slack on encrypted volumes.

Forensic Value:

  • Recover prior versions of artifacts and malware fragments after deletion.
  • Find partial headers (PDF/ZIP/PE) to seed deeper recovery.
  • Validate that a file once existed even if directory entries are gone.

Anti-Forensics:

  • Overwrite tools target unallocated; TRIM accelerates loss on SSDs.
  • Attackers may fill disk to trigger space pressure (forcing churn).

Workflow:

  1. Carve signatures with Bulk Extractor/Scalpel/PhotoRec.
  2. Hunt registry hive signatures, EVTX magic, MZ/PE headers.
  3. Export hits; correlate with MFT time ranges.

Red Flag: Slack with MZ headers or config strings matching known malware families.

Pro Tip: Run carving after logical analysis; it’s noisy but often yields the missing puzzle piece.


7. Alternate Data Streams (ADS)#

Location / Example:

filename:streamname
C:\Windows\System32\services.exe:evil.dat

Description / Structure (deep):

  • NTFS supports multiple named streams per file; default is :$DATA.
  • Common benign ADS: Zone.Identifier (Mark-of-the-Web) added by browsers/SmartScreen; useful to show Internet origin.
  • Streams don’t affect Explorer file size; ordinary copies may drop them (depends on method and destination FS).

Forensic Value:

  • Hide payloads/configs/scripts under trusted filenames.
  • Can be executed/loaded by LOLBins or scheduled tasks.
  • MOTW/Zone.Identifier can explain SmartScreen prompts and origin.

Anti-Forensics:

  • Attackers store second-stage code in ADS to evade casual review.
  • Migration to non-NTFS (e.g., FAT/exFAT, cloud sync behaviors) can strip streams—an artifact in itself.

Workflow:

  1. Enumerate streams:
    dir /r C:\Windows\System32\
    streams.exe -s C:\Windows\System32\
    
  2. Extract content; analyze for PE/script signatures; attempt safe execution in lab.
  3. Check for Zone.Identifier to infer download vs local origin.

Red Flag: ADS on system binaries (e.g., services.exe, svchost.exe) or on recently dropped tools.

Pro Tip: On suspected staging dirs, recurse with PowerShell to enumerate all streams, excluding :$DATA.


Advanced: The NTFS Triforce Correlation#

The power of NTFS forensics is unlocked when correlating $MFT, $LogFile, and $UsnJrnl.

Workflow:

  1. Detect anomaly in $UsnJrnl (mass operations).
  2. Pivot to $MFT record numbers.
  3. Validate via $LogFile redo/undo.
  4. Rebuild timeline of attacker activity.
  5. Recover deleted files or confirm manipulation.

Practical Applications:

  • Track ransomware staging before detonation.
  • Identify patient zero in mass file changes.
  • Detect timestamp forgery via cross-timestamp validation.

Pro Tip: Always validate across all three — one artifact alone is never enough.


Enhanced Quick Reference Table#

| Artifact    | Location/Path                                   | Retention                    | Strength                        | Priority  | Tools                   |
|-------------|-------------------------------------------------|------------------------------|---------------------------------|-----------|-------------------------|
| $MFT        | C:\$MFT                                         | Permanent                    | Timeline anchor, record linkage | High      | MFTECmd, MFT Explorer   |
| $LogFile    | C:\$LogFile                                     | 3–6 hrs (activity-dependent) | Volatile transaction detail     | Med–High  | LogFileParser           |
| $UsnJrnl    | C:\$Extend\$UsnJrnl:$J                          | Days–weeks                   | Mass ops + rename tracking      | High      | MFTECmd, JP             |
| VSS         | \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy# | Variable                     | Historical recovery             | Very High | vssadmin, Arsenal       |
| Recycle Bin | C:\$Recycle.Bin\<SID>\                          | User-driven                  | Deletion attribution            | Medium    | RBCmd                   |
| File Slack  | Unallocated/slack                               | Until overwrite/TRIM         | Deleted data remnants           | Low–Med   | Scalpel, Bulk Extractor |
| ADS         | filename:stream                                 | File lifetime                | Hidden streams & MOTW           | High      | Streams.exe, ADS Spy    |

Conclusion#

NTFS artifacts are more than logs — they are the DNA of file system activity.

Key Lessons:

  • Always start with $MFT for the big picture.
  • Use $UsnJrnl for activity patterning.
  • Confirm with $LogFile transactions.
  • Recover with VSS when possible.
  • Never overlook Recycle Bin, slack space, or ADS for attribution and stealth.

Together, these artifacts tell complete attack stories — not fragments.