What NTFS metadata file contains details about files and directories, and how is it used in forensics?

The Master File Table is the NTFS metadata file that holds essential information about every file and directory on the volume. Each file or directory has a record in the MFT that includes attributes such as timestamps (creation, modification, last access, metadata change), the file size, and a reference to its parent directory, which together define the file system’s structure and history. In forensics, this provides a durable map of what existed, allowing investigators to reconstruct when files appeared, were renamed or moved, or changed in size, and how items relate to one another. Because MFT records are typically preserved until overwritten, deleted files can still be inferred or recovered by examining the entries marked as deleted and their attribute values, making the MFT a primary source for file-level metadata in analysis. While other NTFS artifacts like the USN Journal and Recycle Bin index offer complementary change history and deletion information, the MFT is the central repository of file and directory metadata used to establish timelines and the file system's structure.