# MFT

{% embed url="https://app.hackthebox.com/sherlocks/BFT/play" %}

{% embed url="https://cavementech.com/2022/05/mft-forensics.html" %}
Introduction to MFT Forensics
{% endembed %}

There are two ways to open our $MFT file. The first is to load it in MFTExplorer; the second is to convert the $MFT into a CSV file with MFTECmd and then import that CSV into Timeline Explorer.

### MFT Tools

{% embed url="https://ericzimmerman.github.io/#!index.md" %}

### MFTECmd

MFTECmd is a tool developed by Eric Zimmerman that parses the Master File Table of NTFS file systems. It extracts the detailed information stored in each MFT entry (file names, paths, sizes, and the $STANDARD_INFORMATION and $FILE_NAME timestamps) and writes it out in a format that is easier to analyse, such as CSV.

```
C:\Users\Hp\Downloads\BFT>MFTECMD.exe -f "$MFT" --csv "C:\Users\Hp\Downloads\BFT" --csvf mft.csv
MFTECmd version 1.2.2.1

Author: Eric Zimmerman (saericzimmerman@gmail.com)
https://github.com/EricZimmerman/MFTECmd

Command line: -f $MFT --csv C:\Users\Hp\Downloads\BFT --csvf mft.csv

Warning: Administrator privileges not found!

File type: Mft

Processed $MFT in 18.1653 seconds

$MFT: FILE records found: 171,927 (Free records: 142,905) File size: 307.5MB
        CSV output will be saved to C:\Users\Hp\Downloads\BFT\mft.csv
```

Now we have a CSV file, which we can open in Timeline Explorer.

### Timeline Explorer

Timeline Explorer is a tool designed for viewing, filtering, and analysing timelines during digital forensic investigations. It is commonly used to review large sets of event logs, file system records, and other timestamped data extracted during a forensic analysis.

You can now open Timeline Explorer, load the CSV, and analyse the MFT records by applying column filters (for example on extension, parent path, or the created/modified timestamps).

<figure><img src="https://195908312-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fngh2Qug3BBWIjUTvw9ZY%2Fuploads%2FpK7Y2MRsy79PtK7sAgRi%2Fimage.png?alt=media&#x26;token=0e9aeb50-aa72-4c01-af00-fcab77ca71c0" alt=""><figcaption></figcaption></figure>
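The same column filters applied in Timeline Explorer above can be reproduced in code against the MFTECmd CSV. The following is an added example, not part of the Sherlock or of Eric Zimmerman's tools; the column names follow MFTECmd's CSV header as I know it, and the three records are constructed sample data.

```python
import csv
import io
from datetime import datetime

# Constructed sample in the shape of MFTECmd's CSV output (subset of columns).
# Created0x10 = $STANDARD_INFORMATION created, Created0x30 = $FILE_NAME created.
SAMPLE_CSV = """EntryNumber,InUse,ParentPath,FileName,Extension,FileSize,Created0x10,Created0x30,SI<FN,uSecZeros
1204,True,.\\Users\\Public,report.docx,.docx,24576,2024-03-02 09:15:41.1234567,2024-03-02 09:15:41.1234567,False,False
1309,True,.\\Windows\\Temp,helper.exe,.exe,512000,2019-01-01 00:00:00.0000000,2024-03-02 11:02:17.9876543,True,True
1310,False,.\\Users\\Public\\Downloads,invoice.zip,.zip,81920,2024-03-02 10:58:44.7654321,2024-03-02 10:58:44.7654321,False,False
"""

def parse_ts(value):
    """Parse an MFTECmd timestamp. MFTECmd writes seven fractional digits;
    Python's %f accepts at most six, so the last digit is dropped."""
    if not value:
        return None
    head, _, frac = value.partition(".")
    frac = (frac + "000000")[:6]
    return datetime.strptime(f"{head}.{frac}", "%Y-%m-%d %H:%M:%S.%f")

def load_mft_rows(text):
    return list(csv.DictReader(io.StringIO(text)))

def filter_rows(rows, extension=None, path_contains=None, in_use_only=True):
    """Equivalent of Timeline Explorer column filters on Extension / ParentPath."""
    out = []
    for r in rows:
        if in_use_only and r["InUse"] != "True":
            continue  # deleted entries still live in the MFT until reused
        if extension and r["Extension"].lower() != extension.lower():
            continue
        if path_contains and path_contains.lower() not in r["ParentPath"].lower():
            continue
        out.append(r)
    return out

def timestomp_candidates(rows):
    """Flag records whose $STANDARD_INFORMATION creation time predates the
    $FILE_NAME creation time (what MFTECmd reports as SI<FN) or whose
    sub-second digits are all zero (uSecZeros), both classic timestomping hints."""
    flagged = []
    for r in rows:
        si, fn = parse_ts(r["Created0x10"]), parse_ts(r["Created0x30"])
        si_before_fn = si is not None and fn is not None and si < fn
        zero_usec = si is not None and si.microsecond == 0
        if si_before_fn or zero_usec:
            flagged.append((f"{r['ParentPath']}\\{r['FileName']}", si_before_fn, zero_usec))
    return flagged
```

Point `load_mft_rows` at the real `mft.csv` produced above (read the file instead of `SAMPLE_CSV`) and the same filters apply; the extra columns are simply ignored.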
