How Does Windows 7 handle the MFT?

  • Question

  • I am currently studying forensics and have encountered an interesting problem. There seems to be a disparity between the way XP and Windows 7 handle the MFT. My understanding is that the MFT should have a reference for every file/folder that is on a drive. Resident files, those under 1024 bytes, will be held in total, and non-resident files, those above 1024 bytes, will have reference information (metadata) and then the location of the beginning of the file elsewhere in the drive.

    Examining an XP system, I created a small text file and saved it to c:\. I then opened a forensics-specific application and examined the drive. I located the MFT and the file I created in the root. I then saved a copy of the MFT. The application provides information relating to the modification date of the MFT, which indicated the current date, resulting from the newly saved file. I then opened the saved copy of the MFT in Hex Workshop and was able to perform a string search for the text file I created. It quickly found the file and I was able to research the information I needed.

    Here's the situation with Windows 7. I did the exact same actions with a Windows 7 OS. Same text file, same programs. I opened the forensics program and was able to again see the MFT and the text file. I saved the MFT, but noticed that the MFT modification date had NEVER been changed from the clean install I performed on the system. I have made multiple changes to the file system (added directories/folders/new docs, etc.), but the date showed it had never been modified. After I saved the MFT, I opened the saved file in Hex Workshop, performed the string search for the file and it was not there. The MFT is exceptionally small compared to the XP one. None of the directories/folders/files that I had created were present in the MFT.

    What am I missing? How does Windows 7 handle the MFT, which I understand to be all the file entries in an NTFS system?

    Friday, October 28, 2011 12:05 AM
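
Added example, not part of the original post: a minimal Python reader for an exported $MFT that locates a record by file name and reports whether its unnamed $DATA attribute is resident. It assumes 1024-byte records and does not apply update-sequence fixups; `build_sample` produces a constructed record, and all function names here are hypothetical.

```python
import struct

REC_SIZE = 1024  # assumed record size; real volumes state it in the boot sector

def parse_record(rec):
    """Name and unnamed-$DATA residency for one FILE record (fixups not applied)."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    off, flags = struct.unpack_from("<HH", rec, 0x14)  # first attribute, record flags
    out = {"in_use": bool(flags & 1), "name": None, "resident": None, "data": None}
    while off + 0x18 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:           # end marker or corrupt length
            break
        non_resident, name_len = rec[off + 8], rec[off + 9]
        body = None
        if not non_resident:                           # content lives inside the record
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
        if atype == 0x30 and body and len(body) > 0x42:  # $FILE_NAME
            out["name"] = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le", "replace")
        elif atype == 0x80 and name_len == 0:          # unnamed $DATA stream
            out["resident"], out["data"] = not non_resident, body
        off += alen
    return out

def find_in_mft(mft, name):
    """Scan an exported $MFT; return (record number, parsed info) or None."""
    for pos in range(0, len(mft) - REC_SIZE + 1, REC_SIZE):
        rec = mft[pos:pos + REC_SIZE]
        if rec[:4] == b"FILE":
            info = parse_record(rec)
            if info["name"] and info["name"].lower() == name.lower():
                return pos // REC_SIZE, info
    return None

def _attr(atype, body):
    """Constructed resident attribute: 0x18-byte header plus 8-byte-aligned body."""
    pad = -len(body) % 8
    return struct.pack("<IIBBHHHIHBB", atype, 0x18 + len(body) + pad,
                       0, 0, 0x18, 0, 0, len(body), 0x18, 0, 0) + body + bytes(pad)

def build_sample(name, content):
    """Constructed in-use FILE record for the demo, not data from a real volume."""
    fn = bytes(0x40) + bytes([len(name), 1]) + name.encode("utf-16-le")
    hdr = bytearray(b"FILE".ljust(0x38, b"\0"))
    struct.pack_into("<HH", hdr, 0x14, 0x38, 0x0001)   # first attribute at 0x38, in use
    rec = bytes(hdr) + _attr(0x30, fn) + _attr(0x80, content) + b"\xff" * 4
    return rec.ljust(REC_SIZE, b"\0")
```

For example, `find_in_mft(bytes(REC_SIZE) + build_sample("note.txt", b"hello"), "NOTE.TXT")` returns record number 1 with the five content bytes held in the record. The `$FILE_NAME` attribute stores names as UTF-16LE, which is why the parser decodes them rather than matching ASCII bytes.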

Answers