Initialize $MFT Records… with WinHex

Initialize MFT Records: On NTFS volumes, WinHex can clear all currently unused $MFT (Master File Table) FILE records, which may contain metadata (e.g. names) and even contents of previously existing files. Available in WinHex only, not in X-Ways Forensics.

X-Ways Forensics/WinHex Manual (Updated 2021-12-31), Page 71

For this simple demonstration, I’m using a 32 GB SanDisk Ultra Fit formatted with an NTFS volume.

An existing text file resides within the $MFT at record 43, or starting at disk offset 3221269504.

After deleting the file, “corgi_note.txt”, the $MFT entry is updated with a “deleted” flag, 0x0000, at record offset 22 [1]. After updating the Volume Snapshot, WinHex describes that file as previously existing. Note that the resident data remains.

Let’s start by opening the target NTFS volume.

1) Select Tools | Open Disk.

2) Select the target NTFS volume. In this example, the volume is “Test NTFS.”

3) With the volume open in WinHex, select Tools | Disk Tools | Initialize MFT Records…

4) Options are available. Descriptions of these options are documented in the manual on page 201. For this example, I’m going to fill the records with a constant byte value, 0x00.

This results in each unused MFT record being overwritten with 0x00 after the $END attribute marker, 0xFFFFFFFF [2][3].

If the need arises, you can enter up to 16 two-digit hex values instead of a single constant.

  1. Brian Carrier, File System Forensic Analysis (Upper Saddle River, NJ: Addison-Wesley, 2005), 353.
  2. Kes. “Everything I know about NTFS.” Accessed January 19, 2022.
  3. QuinnRadich et al. “Master File Table (Developer Notes) – Win32 apps.” Microsoft Docs, January 6, 2021.
