Recently, working on a legal project I found myself having to explain timestamps for computer files. That’s when I stumbled across Joakim Schicht’s excellent but cryptic Master File Table (MFT) Record decoding tool. And while my particular focus was on file timestamps, a quick look at the help file for this command shows that it can do a lot more than display file metadata. In addition, it can dig into and display many aspects of the MFT itself for any NTFS volume. If this is something of interest to you, download this tool from GitHub at jschicht/MftRcrd. Here’s what it shows about timestamps when I look at an older install.wim file in a temp directory, for example:
In addition to the more usual create and modified timestamps, you also get MFT entry modified and file last access timestamps, too. Sometimes, when proving dates, all of this info is important.
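To show where those four timestamps actually live, here is a small added example (my own code, not part of the MftRcrd project) that decodes the $STANDARD_INFORMATION attribute of an MFT record. NTFS stores each timestamp as a 64-bit FILETIME (100-nanosecond ticks since 1601-01-01 UTC), in the fixed order created, modified, MFT-entry modified, last accessed. The attribute bytes below are constructed in the script for illustration, not taken from a real volume; the names `build_sample_attribute` and `decode_sample` are mine.

```python
"""Decode the four NTFS timestamps held in a resident $STANDARD_INFORMATION attribute."""
import struct
from datetime import datetime, timedelta, timezone

STANDARD_INFORMATION = 0x10          # NTFS attribute type code
ATTR_HEADER_LEN = 24                 # resident attribute header size
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILETIME_UNIX_EPOCH = 116444736000000000   # 1970-01-01 expressed as FILETIME


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware UTC datetime.
    Python datetimes only carry microseconds, so the last 100 ns digit is dropped."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Aware datetime -> FILETIME; inverse of filetime_to_datetime for microsecond-aligned values."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_standard_information(attr):
    """Parse header + content of a resident $STANDARD_INFORMATION attribute.

    Layout of the resident attribute header (little-endian):
      0x00 type, 0x04 total length, 0x08 non-resident flag, 0x10 content length,
      0x14 content offset. The content starts with four FILETIME values.
    """
    atype, _alen, nonres = struct.unpack_from("<IIB", attr, 0)
    if atype != STANDARD_INFORMATION:
        raise ValueError(f"not a $STANDARD_INFORMATION attribute (type 0x{atype:x})")
    if nonres:
        raise ValueError("$STANDARD_INFORMATION is always resident")
    content_len, content_off = struct.unpack_from("<IH", attr, 16)
    if content_len < 32 or content_off + content_len > len(attr):
        raise ValueError("attribute content too short for four timestamps")
    created, modified, mft_modified, accessed = struct.unpack_from("<QQQQ", attr, content_off)
    return {
        "created": filetime_to_datetime(created),
        "modified": filetime_to_datetime(modified),
        "mft_modified": filetime_to_datetime(mft_modified),
        "accessed": filetime_to_datetime(accessed),
        "raw": (created, modified, mft_modified, accessed),
    }


def build_sample_attribute(created, modified, mft_modified, accessed, flags=0x20):
    """Constructed sample: a 48-byte (NTFS 1.2 style) $STANDARD_INFORMATION content
    with four timestamps, DOS flags, and three zeroed legacy fields, behind a 24-byte header."""
    content = struct.pack("<QQQQIIII",
                          datetime_to_filetime(created), datetime_to_filetime(modified),
                          datetime_to_filetime(mft_modified), datetime_to_filetime(accessed),
                          flags, 0, 0, 0)
    header = struct.pack("<IIBBHHHIHBB",
                         STANDARD_INFORMATION, ATTR_HEADER_LEN + len(content),
                         0, 0, 0, 0, 0,          # resident, unnamed, no flags, id 0
                         len(content), ATTR_HEADER_LEN, 0, 0)
    return header + content


def decode_sample():
    """Decode a constructed record where the MFT entry was touched after the last data write,
    the pattern you see when only metadata (name, attributes, ACL) changed."""
    utc = timezone.utc
    attr = build_sample_attribute(
        created=datetime(2021, 3, 15, 12, 0, 0, tzinfo=utc),
        modified=datetime(2022, 7, 4, 8, 30, 15, tzinfo=utc),
        mft_modified=datetime(2023, 1, 20, 17, 45, 0, tzinfo=utc),
        accessed=datetime(2023, 6, 1, 9, 0, 0, tzinfo=utc),
    )
    return parse_standard_information(attr)


if __name__ == "__main__":
    for name, value in decode_sample().items():
        if name != "raw":
            print(f"{name:>13}: {value.isoformat()}")
```

Note that $STANDARD_INFORMATION is what the ordinary file-properties dialog reports; the $FILE_NAME attribute carries a second set of the same four timestamps, which is why a decoder like MftRcrd that prints both is useful when a single set looks implausible.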
MFTRCRD64 Shows More NTFS Timestamps … Plus!
Schicht built a very nice interrogation tool for NTFS file metadata (or its equivalent as stored in the MFT), and for on-disk MFT structures themselves. The best way to learn about the command (its readme.txt file is empty: 0 length, that is) is to use the help command — namely:
Here’s what that output looks like:
The help file has lots of good examples to guide you into the program’s inner workings. It’s the best way to explore what it can do for you.
More MFT Information
To start learning more about the Master File Table (MFT), check out this MS Windows Dev Center article entitled “Master File Table.” NTFS.com is another great source of information, too. Their MFT section is definitely worth reading as well. The NTFS section in Part 2 of Windows Internals (by Mark Russinovich and others) is also worth a look-see (I’ve got the 6th edition, but the 7th edition is out now, too).