Contact: 0845 882 7386
Email: enquiries@athenaforensics.co.uk

Athena Forensics

Computer and Mobile Phone Forensic Expert Investigations and Examinations

Master File Table (MFT)

· ·

What is the Master File Table?

When files are stored on a Windows computer using the NTFS file system, such as images or documents, physical clusters are allocated to the file and the location of the clusters containing the file are recorded within the Master File Table (MFT) that is maintained by the operating system.

The NTFS file system is journaling and uses an NTFS $Logfile to record the changes to the volume it is contained on.

The Location of the Master File Table

The Master File Table (MFT) is located at the beginning of the volume and provides an ‘index’ of all live and active data that is present on the drive. These files are referred to as existing in the live clusters of that drive.

A Brief Outline of How the Master File Table Functions

When the file is required, the location of it is identified from the Master File Table (MFT) and recovered without needing for the entire content of the drive to be searched.

If the file is later required for use, its location on the drive is read from the MFT and speedily recovered without the need for searching throughout the entire contents of the drive. Such files are referred to as existing in ‘live’ clusters.

What Happens to an Entry in the Master File Table if a File is Deleted

If a file is deleted by the system or manually by the user, the data relating to it is not removed from the device, however, the entry relating to the file is altered within the Master File Table (MFT) and the space previously allocated to the file within the MFT and the data relating to the file itself becomes available for a new entry and data to be stored.

If the entry within the Master File Table (MFT) is used then the data relating to the old file becomes ‘unallocated’ but can still be recovered using specialist software (such as the software used as part of Computer Forensic Investigations).

When the data relating to the old file is overwritten by a new file then the old file is no longer recoverable even with specialist software.

About Athena Forensics

For information on our digital forensic services or if you require any advice or assistance please contact a member of our team on 0845 882 7386 or via email on enquiries@athenaforensics.co.uk, further details are available on our contact us page.

Our client’s confidentiality is of the utmost importance. All correspondence is treated with discretion, from initial contact to the conclusion of any computer forensics investigation.

Our digital forensics experts are fully aware of the significance and importance of the information that they encounter and we have been accredited to ISO 9001 for 10 years.

Our forensic experts are all security cleared and we offer non-disclosure agreements if required. Our premises along with our security procedures have been inspected and approved by law enforcement agencies.

Athena Forensics do not disclose personal information to other companies or suppliers.

https://athenaforensics.co.uk

https://athenaforensics.co.uk/service/mobile-phone-forensic-experts/

https://athenaforensics.co.uk/service/computer-forensic-experts/

Expert Witness Institute - Athena Forensics The Expert Witness Institute Logo
British Computer Society Logo - Athena Forensics BCS Chartered Institute for IT Logo
Chartered Society of Forensic Science Logo - Athena Forensics Chartered Society of Forensic Science Institute Logo
ACS Registrars Logo - Athena Forensics ACS Registrars ISO 9001 Logo
UK Register of Expert Witnesses - Athena Forensics Registered UK Register of Expert Witnesses Logo
Sweet and Maxwell Checked Logo - Athena Forensics 2017 Sweet & Maxwell Logo
We offer a free initial consultation that can greatly assist in the early stages of an investigation. To discuss your specific requirements please call us on 0845 882 7386, email: enquiries@athenaforensics.co.uk or click on the link below.

Contact Us