File Entry Details View

The file entry details view displays an MFT entry. Any file or directory is described by at least one MFT entry. MFT entries are located in a system file called $MFT. This file can be understood as a data base containing every single file or directory. The default size of an MFT entry is 1024 bytes. MFT entries are addressed by an MFT number. For example: retrieving the 100th entry you have to multiply 100 by the record size of 1024 in order to get the offset of the entry within the MFT. The first 16 MFT entries are reserved, most important is entry number 0, which describes the MFT itself and entry number 5, which describes the root directory (.).  

The file entry details view is structured as follows:

In the line underneath the main menu the parent directory of the displayed folders and files is shown with its MFT#, name, attributes, modify date and time, starting cluster of its data area and parent directory's MFT entry #.

On the left side of the screen you see the structure of the MFT entry in a tree with its header, available attributes with the respective header and body.

Clicking on one of these entries will show its interpretation of data in the upper right side and the raw data in hexadecimal on the bottom right side of the screen.

In case the data of an attribute isn't stored resident, the run list is displayed in the "interpretation of data" window. Click on the cluster number(s) to go to the attribute's data.

If the current entry describes a directory, the data interpretation window is enlarged and the following information is given:

• Name is the name of the file.
  Note: A lot of file names are displayed twice, this is due to the fact that a Unicode and a DOS file name are created when the file name is longer than 8 digits.
• MFT# is the number of the file or folder in the master file table (displayed in brackets is the sequence number of the file or folder).
• Size gives the size of the file in bytes.
• Date and Time states the date and time of the last modification of the file or directory.
• Attr represents the attributes of the entry (a = archive flag, r = read only, h = hidden, s = system, l = volume name, d = directory, c = compressed).
• Subs represents the first cluster of the index buffer holding the file entries of the files preceding this file entry.

This view features hotlinks for navigation.

Clicking on the MFT# of a file brings you directly to the file entry details, clicking on the MFT# of a directory entry will bring you to the directory entries of the sub directories and files it contains. To see the MFT entry details for a directory click the MFT# and then check the little "Details" box in the right bottom corner.

To save a directory or file click the "Save" label beneath it, to view a file click "View".

You can view the other windows by checking the "Details" box.

See also: NT File System, View

Introduction    Menu    Main screen    Glossary