Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

SECRET//20340424
Appendix B: (U) Forensic Terms
$MFT - Master File Table is a relational database of all files, folders, and system
structures contained on an NTFS volume. In NTFS, everything on a volume is a file. The
$MFT is the master index for the entire volume.
$MFT Records - Each $MFT entry contains information about a file or directory. There
are three types of records: File records, Directory Records, and Metadata Records. File
Records store information about files. Directory Records store and index file names.
Metadata Records contain system and file structure information. Each record is a series of
attributes.
$MFTMirr - $MFT Mirror File is a copy of the first four $MFT records used for
recovery purposes. It provides an alternate means of accessing the essential volume
structures should the $MFT become damaged. The mirror file contains the $MFT records for
the $MFT, $MFTMirr, $LogFile, and $Volume files.
$LogFile - Log File is used to protect critical system data, not user data. NTFS uses a
transaction-based checkpoint logging system to track any changes to the volume structure.
A transaction is any operation that alters a file on an NTFS volume. The $LogFile is a
database containing RCRD and RSTR records. The RSTR records contain the information
needed in the event that the file system needs to be recovered; they are referred to as
redo and undo information. The RCRD records are called infinite logging records since they
are continually reused; they contain transaction information until it is committed to disk.
Fragments of data are commonly found in the $LogFile.
$Volume - $Volume record contains the volume name and volume attributes.
$AttrDef - Attribute Definitions is a file that lists the NTFS attributes supported on the
current volume, including additional information about each attribute.
$Bitmap - The $Bitmap file is a simple cluster map showing which clusters are allocated and
which clusters are not.
$Boot - Boot Sector is the Volume Boot Record for the volume. $Boot points to the boot
sector (VBR).
$BadClus - Bad Cluster Map maps the location of any known bad clusters on the disk.
$Secure - $Secure is an NTFS database containing security information for all files and
directories in the volume. The security descriptors database is maintained in a series of
alternate data streams, $SDS Data Stream, $SDH Index, and $SII Index.
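As an added example (not part of the original document or of any tool it describes), a small Python parser for one $MFT FILE record: it applies the update sequence fixups and then walks the chain of attributes that the $MFT Records entry above describes, using a record constructed inline as input. The header offsets, attribute type codes and 1024-byte record size follow the NTFS 3.1 on-disk format, which is an assumption about the volume being examined; a record whose sector tails disagree with the update sequence number is reported as torn rather than parsed.

```python
import struct
ATTR_TYPES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME", 0x80: "$DATA",   # NTFS attribute
              0x90: "$INDEX_ROOT", 0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP"}    # type codes (subset)

def apply_fixups(rec, sector=512):
    # NTFS stamps the last 2 bytes of every sector with the update sequence number (USN)
    # and keeps the originals in the array; a tail that does not match means a torn/corrupt record.
    rec = bytearray(rec)
    usa_off, usa_words = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_words):                   # one array entry per sector
        tail = i * sector - 2
        if rec[tail:tail + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn or corrupt record")
        rec[tail:tail + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_mft_record(rec):
    # Returns (record number, header flags, [(attribute name, residency)]); assumes the
    # NTFS 3.1+ record header, in which the record number is stored at offset 0x2C.
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record (BAAD marker or unallocated space)")
    rec = apply_fixups(rec)                         # must precede attribute parsing
    # header at 0x14: first attr offset, flags (1 in use, 2 directory), used, alloc, base ref, next id, pad, recno
    first_attr, flags, used, _, _, _, _, recno = struct.unpack_from("<HHIIQHHI", rec, 0x14)
    attrs, off = [], first_attr
    while off + 8 <= used:                          # walk the attribute chain
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF:                     # end-of-attributes marker
            break
        if alen < 0x18 or off + alen > used:        # never walk past the used size
            raise ValueError(f"bad attribute length {alen} at offset {off}")
        residency = "non-resident" if rec[off + 8] else "resident"
        attrs.append((ATTR_TYPES.get(atype, f"0x{atype:X}"), residency))
        off += alen
    return recno, flags, attrs

def build_sample_record(recno=5, flags=0x0003):
    # Constructed 1024-byte directory record with two resident and one non-resident attribute.
    body, off = bytearray(1024), 0x38
    for atype, nonres, alen in ((0x10, 0, 0x60), (0x30, 0, 0x68), (0xA0, 1, 0x48)):
        struct.pack_into("<IIB", body, off, atype, alen, nonres)
        off += alen
    struct.pack_into("<I", body, off, 0xFFFFFFFF)                      # end marker
    struct.pack_into("<4sHH", body, 0, b"FILE", 0x30, 3)               # USA at 0x30: USN + 2 entries
    struct.pack_into("<HHII", body, 0x14, 0x38, flags, off + 8, 1024)  # first attr, flags, used, alloc
    struct.pack_into("<IH", body, 0x2C, recno, 7)                      # record number, then USN = 7
    for i in (1, 2):                        # save each sector tail in the USA, then stamp the USN
        body[0x30 + 2 * i:0x32 + 2 * i], body[i * 512 - 2:i * 512] = body[i * 512 - 2:i * 512], body[0x30:0x32]
    return bytes(body)
```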