What is the Master File Table?
When files are stored on a Windows computer using the NTFS file system, such as images or documents, physical clusters are allocated to the file and the location of the clusters containing the file are recorded within the Master File Table (MFT) that is maintained by the operating system.
The NTFS file system is journaling and uses an NTFS $Logfile to record the changes to the volume it is contained on.
The Location of the Master File Table
The Master File Table (MFT) is located at the beginning of the volume and provides an ‘index’ of all live and active data that is present on the drive. These files are referred to as existing in the live clusters of that drive.
A Brief Outline of How the Master File Table Functions
When the file is required, the location of it is identified from the Master File Table (MFT) and recovered without needing for the entire content of the drive to be searched.
If the file is later required for use, its location on the drive is read from the MFT and speedily recovered without the need for searching throughout the entire contents of the drive. Such files are referred to as existing in ‘live’ clusters.
What Happens to an Entry in the Master File Table if a File is Deleted
If a file is deleted by the system or manually by the user, the data relating to it is not removed from the device, however, the entry relating to the file is altered within the Master File Table (MFT) and the space previously allocated to the file within the MFT and the data relating to the file itself becomes available for a new entry and data to be stored.
If the entry within the Master File Table (MFT) is used then the data relating to the old file becomes ‘unallocated’ but can still be recovered using specialist software (such as the software used as part of Computer Forensic Investigations).
When the data relating to the old file is overwritten by a new file then the old file is no longer recoverable even with specialist software.
About Athena Forensics
For information on our digital forensic services or if you require any advice or assistance please contact a member of our team on 0845 882 7386 or via email on firstname.lastname@example.org, further details are available on our contact us page.
Our client’s confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.
Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.
Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.
Athena Forensics do not disclose personal information to other companies or suppliers.