Master file table
A filesystem contains a lot of different artifacts that can help us in our investigation process. Furthermore, Windows Registry and various logs are also part of the filesystem, but as they are quite complex, we're going to look at them separately.
The most common filesystem type you'll face during your ransomware attacks investigations is the New Technology File System (NTFS). Currently, this is the most common filesystem for Windows, which as you already know, is the main target of ransomware affiliates. Despite the fact that there is an increased interest in Linux systems, usually the threat actors get there through Windows infrastructure compromise, so we'll focus on this operating system.
As incident responders, we're very interested in metadata analysis, so let's dive into one of the core components of NTFS – the Master File Table (MFT). It contains information about filenames, locations, sizes, and, of course, their timestamps...
