“Initialize MFT Records: On NTFS volumes, WinHex can clear all currently unused $MFT (Master File Table) FILE records, which may contain metadata (e.g. names) and even contents of previously existing files. Available in WinHex only, not in X-Ways Forensics.” (X-Ways Forensics/WinHex Manual, updated 2021-12-31, page 71)
For this simple demonstration, I’m using a 32 GB SanDisk Ultra Fit formatted with an NTFS volume.
An existing text file’s entry resides in the $MFT at record 43, which starts at disk offset 3221269504.
After deleting the file, “corgi_note.txt”, the $MFT entry is updated with a “deleted” flag, 0x0000, at record offset 22 [1]. After updating the Volume Snapshot, WinHex describes that file as previously existing. Note that the resident data remains.
Let’s start by opening the target NTFS volume.
1) Select Tools | Open Disk.
2) Select the target NTFS volume. In this example, the volume is “Test NTFS.”
3) With the volume open in WinHex, select Tools | Disk Tools | Initialize MFT Records…
4) Options are available; they are documented in the manual on page 201. For this example, I’m going to fill the records with a constant byte value, 0x00.
This results in an MFT record overwritten with 0x00 throughout the record after the $END attribute marker, 0xFFFFFFFF [2][3].
If the need arises, you can enter up to 16 two-digit hex values.
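To make the record structure this walkthrough relies on concrete, here is an added Python example (not from the post, nor X-Ways code): it walks a FILE record’s attribute chain, reads the in-use bit of the flags field at offset 22, locates the $END marker (0xFFFFFFFF), and shows what an examiner can still recover from a deleted record versus one that has been initialized. The two records are constructed inside the block, fixups are not modelled, and the attribute layout follows the standard NTFS on-disk format.

```python
import struct
FILE_SIG = b"FILE"
END_MARKER = 0xFFFFFFFF   # attribute type of the $END marker
IN_USE = 0x0001           # bit 0 of the 16-bit flags field at record offset 22
DATA_ATTR = 0x80          # $DATA attribute type

def parse_file_record(rec: bytes) -> dict:
    """Walk the attribute chain of a 1024-byte FILE record (fixups assumed already applied)."""
    if rec[:4] != FILE_SIG:
        raise ValueError("not a FILE record")
    first_attr, flags = struct.unpack_from("<HH", rec, 20)   # offsets 20 and 22
    attrs, off = [], first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER:
            break
        if alen < 24 or off + alen > len(rec):
            raise ValueError("malformed attribute length")
        attrs.append((atype, off, alen))
        off += alen
    else:
        raise ValueError("no $END marker")
    return {"in_use": bool(flags & IN_USE), "attrs": attrs, "end_off": off,
            "nonzero_after_end": sum(1 for b in rec[off + 4:] if b)}

def resident_data(rec: bytes):
    """Content of a resident $DATA attribute, or None when the record carries none."""
    for atype, off, _ in parse_file_record(rec)["attrs"]:
        if atype == DATA_ATTR and rec[off + 8] == 0:          # non-resident flag is clear
            size, content_off = struct.unpack_from("<IH", rec, off + 16)
            return rec[off + content_off: off + content_off + size]
    return None

def build_record(in_use: bool, content: bytes = b"", slack: bytes = b"") -> bytes:
    # Constructed demo record: header, optional resident $DATA, $END marker, then slack.
    rec = bytearray(1024)
    rec[:4] = FILE_SIG
    struct.pack_into("<HH", rec, 20, 56, IN_USE if in_use else 0)
    off = 56
    if content:
        alen = (24 + len(content) + 7) & ~7                    # attribute lengths are 8-byte aligned
        struct.pack_into("<IIBBHHH", rec, off, DATA_ATTR, alen, 0, 0, 0, 0, 0)
        struct.pack_into("<IH", rec, off + 16, len(content), 24)
        rec[off + 24: off + 24 + len(content)] = content
        off += alen
    struct.pack_into("<I", rec, off, END_MARKER)
    rec[off + 8: off + 8 + len(slack)] = slack
    return bytes(rec)

# Constructed records: the deleted note (resident content and stale slack still present) and the same slot after initialisation.
DELETED = build_record(False, b"feed the corgi at 7\n", slack=b"leftover from an older file")
INITIALIZED = build_record(False)
```

On a real volume, apply the fixup array to each 1024-byte record before parsing, otherwise the last two bytes of each sector hold the update sequence number rather than record data.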
[1] Brian Carrier, File System Forensic Analysis (Upper Saddle River, NJ: Addison-Wesley, 2005), 353.
[2] Kes. “Everything I know about NTFS.” Accessed January 19, 2022. https://kcall.co.uk/ntfs/index.html.
[3] QuinnRadich et al. “Master File Table (Developer Notes) – Win32 apps | Microsoft Docs.” January 6, 2021. https://docs.microsoft.com/en-us/windows/win32/devnotes/master-file-table.