Automatically generated based on tag:

Title: NTFS - $I30 ($INDEX_ROOT, $INDEX_ALLOCATION, and $Bitmap)
Type: Page
Summary: The NTFS index attributes $INDEX_ROOT and $INDEX_ALLOCATION are MFT attributes that represent directories and store index records.

Each file in a directory is associated with an index record. The record contains information on the file it references in a $FILE_NAME (0x30) attribute: file name, size, parent directory and a set of MACB timestamps (copied from the $STANDARD_INFORMATION attribute of the file's MFT record).
Location: MFT $INDEX_ROOT, $INDEX_ALLOCATION, and $Bitmap attributes.

Title: NTFS - $LogFile
Type: Page
Summary: The $LogFile is part of the NTFS journaling feature, activated by default, which maintains a low-level record of changes made to the NTFS volume with very limited historical data (usually only the last few hours).
Location: <ROOT>\$LogFile

Title: NTFS - $MFT, $MFTMir, and $Bitmap
Type: Page
Summary: The Master File Table (MFT) is the main element of any NTFS partition and contains a file record for all existing (and very recently deleted) files written on the partition.

The $MFTMirr file is the first entry in the MFT and contains the first 4 entries of the MFT as a recovery mechanism.

The $Bitmap file tracks the allocation status (allocated or unused) of the clusters of the volume.
Location: <ROOT>:\$MFT, <ROOT>:\$MFTMir, <ROOT>:\$Bitmap

Title: NTFS - $Secure
Type: Page
Summary: The $Secure file contains the security descriptors for all the files and folders on an NTFS volume.
Location: <SYSTEMDRIVE>:\$Secure

Title: NTFS - MACB timestamps and timestomping
Type: Page
Summary: On NTFS filesystems, each file possesses (at least) two attributes that hold (among other information) Modification, Access, Change and Birth (MACB) timestamps: the $STANDARD_INFORMATION and $FILENAME attributes.

The $STANDARD_INFORMATION and $FILENAME timestamps are not updated in the same way; which ones change depends on the operation.

Timestomping is the action of modifying the timestamps of a file, generally to evade detection.

Timestomping may be detected using a number of techniques:
- Identifying $STANDARD_INFORMATION timestamps older than $FILENAME timestamps.
- Using UsnJrnl records.
- Identifying $STANDARD_INFORMATION timestamps that lack nanosecond precision.
- Using MFT entry numbers.

However, each technique is prone to false positives and false negatives.
Location: A given file may be associated with up to 20 timestamps: $STANDARD_INFORMATION + 2 * $FILENAME + 2 * NTFS $I30 $FILENAME (duplicate $FILENAME for files with short and long names).

Title: NTFS - UsnJrnl
Type: Page
Summary: The USN Journal is a feature of NTFS, activated by default on Vista and later, which maintains a record of changes made to the NTFS volume.

The $J stream stores the actual change log records, usually with historical data of the last few days.

Each change log record is notably composed of: the timestamp, filename, and reason / operation of the change.

Additionally, each change log record contains the MFT "entry" and "sequence" numbers and the direct parent "entry" and "sequence" numbers of the file concerned by the change, making it possible to retrieve the location of the file using the MFT. The UsnJrnl can be "rewound" to exhaustively and accurately rebuild the location of every file in the journal.
Location: $Max and $J named data streams under <ROOT>\$Extend\$UsnJrnl

