34 File Entries on a Brand New $MFT
So recently there was a request on a DFIR mailing list about recovering $MFT FILE records.
That got me thinking about the creation of the $MFT so I added a new virtual drive to a VM and formatted it.
Here are the entries I found on a brand new $MFT:
"0","File","/$MFT"
The master file table (MFT) stores the information required to retrieve files from an NTFS partition.
https://msdn.microsoft.com/en-us/library/bb470206%28v=vs.85%29.aspx
"1","File","/$MFTMirr"
This is a system file that duplicates at least the first four FILE records of the MFT for recovery purposes.
http://0cch.net/ntfsdoc/files/mftmirr.html
"2","File","/$LogFile"
The NTFS log file is a circular log of all file operations, kept on disk so that unsuccessful operations can be rolled back safely.
http://ntfs.com/transaction.htm
"3","File","/$Volume"
Contains information about the volume, such as the volume label and the volume version.
http://www.writeblocked.org/resources/ntfs_cheat_sheets.pdf
"4","File","/$AttrDef"
Lists attribute names, numbers, and descriptions.
http://www.writeblocked.org/resources/ntfs_cheat_sheets.pdf
"5","Folder","/."
Root folder.
"6","File","/$Bitmap"
Keeps track of all of the used and unused clusters on an NTFS volume.
https://whereismydata.wordpress.com/2009/06/01/forensics-what-is-the-bitmap/
"7","File","/$Boot"
The boot sector of the bootable partition, which stores information about the layout of the volume and the file system structures, as well as the boot code that loads Ntldr.
https://technet.microsoft.com/en-us/library/cc781134(WS.10).aspx
"8","File","/$BadClus"
NTFS puts the address of the cluster containing the bad sector in the bad cluster file, $BadClus, in the MFT so that the bad sector is not reused.
https://technet.microsoft.com/en-us/library/cc781134(WS.10).aspx
"8","File","/$BadClus:$Bad"
Alternate Data Stream of $BadClus.
"9","File + Unknown2","/$Secure"
The Security Descriptor Stream ($SDS) contains a list of all the Security Descriptors on the volume.
http://0cch.net/ntfsdoc/files/secure.html
"9","File + Unknown2","/$Secure:$SDS"
"10","File","/$UpCase"
This is a 128KB file full of capital letters. For each character in the Unicode alphabet, there is an entry in this file. It is used to compare and sort filenames.
http://0cch.net/ntfsdoc/files/upcase.html
"10","File","/$UpCase:$Info"
"11","Folder","/$Extend"
This is a directory containing the metadata files $ObjId, $Quota, $Reparse and $UsnJrnl.
http://0cch.net/ntfsdoc/files/extend.html
"12","File","NoFNRecord"
"13","File","NoFNRecord"
"14","File","NoFNRecord"
"15","File","NoFNRecord"
"24","File + Unknown1 + Unknown2","/$Extend/$Quota"
"25","File + Unknown1 + Unknown2","/$Extend/$ObjId"
"26","File + Unknown1 + Unknown2","/$Extend/$Reparse"
"27","Folder","/$Extend/$RmMetadata"
"28","File + Unknown1","/$Extend/$RmMetadata/$Repair"
"28","File + Unknown1","/$Extend/$RmMetadata/$Repair:$Config"
"29","Folder","/$Extend/$RmMetadata/$TxfLog"
"30","Folder","/$Extend/$RmMetadata/$Txf"
"31","File","/$Extend/$RmMetadata/$TxfLog/$Tops"
"31","File","/$Extend/$RmMetadata/$TxfLog/$Tops:$T"
"32","File","/$Extend/$RmMetadata/$TxfLog/$TxfLog.blf"
"33","File","/$Extend/$RmMetadata/$TxfLog/$TxfLogContainer00000000000000000001"
"34","File","/$Extend/$RmMetadata/$TxfLog/$TxfLogContainer00000000000000000002"
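
The listing above can serve as a baseline when reviewing the parsed $MFT of another volume. The following is an added example, not part of the original post or of any tool's own code: it reads rows in the same three-column CSV format, groups alternate data streams under their record, and reports differences from records 0-11 as listed here. The names `BASELINE`, `SAMPLE`, `parse_listing` and `audit` are hypothetical, the sample rows are constructed from the listing, and it is an assumption that the volume under review was formatted the same way as the one in this post.

```python
import csv

# Names of records 0-11, copied from the listing on this page.
BASELINE = {0: "/$MFT", 1: "/$MFTMirr", 2: "/$LogFile", 3: "/$Volume",
            4: "/$AttrDef", 5: "/.", 6: "/$Bitmap", 7: "/$Boot",
            8: "/$BadClus", 9: "/$Secure", 10: "/$UpCase", 11: "/$Extend"}

# Constructed sample in the page's three-column CSV format.
SAMPLE = '''\
"0","File","/$MFT"
"1","File","/$MFTMirr"
"2","File","/$LogFile"
"3","File","/$Volume"
"4","File","/$AttrDef"
"5","Folder","/."
"6","File","/$Bitmap"
"7","File","/$Boot"
"8","File","/$BadClus"
"8","File","/$BadClus:$Bad"
"9","File + Unknown2","/$Secure"
"10","File","/$UpCase"
"11","Folder","/$Extend"
"12","File","NoFNRecord"
"24","File + Unknown1 + Unknown2","/$Extend/$Quota"
'''

def parse_listing(text):
    """Group rows by record number; 'path:stream' rows become streams."""
    records = {}
    for row in csv.reader(text.splitlines()):
        if len(row) != 3:
            continue  # skip blank or malformed rows
        base, _, stream = row[2].partition(":")
        rec = records.setdefault(
            int(row[0]), {"type": row[1], "name": base, "streams": []})
        if stream:
            rec["streams"].append(stream)
    return records

def audit(records):
    """Compare a parsed listing against the fresh-volume baseline."""
    top = max(records, default=-1)
    return {
        "missing": [n for n in BASELINE if n not in records],
        "renamed": {n: records[n]["name"] for n in BASELINE
                    if n in records and records[n]["name"] != BASELINE[n]},
        "no_filename": sorted(n for n, r in records.items() if r["name"] == "NoFNRecord"),
        "gaps": [n for n in range(top + 1) if n not in records],
    }
```

Calling `audit(parse_listing(SAMPLE))` reports no missing or renamed system records, record 12 without a file name, and record numbers 13 through 23 as not present in the sample rows.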