This is a mirror of official site: http://jasper-net.blogspot.com/

NTFS - MFT - deleted files

Tuesday, May 4, 2010
Some time ago I needed to write some code to scan the NTFS file table, find which files had been deleted from the disk (marked as deleted), and list them.

Since there's little information available about the MFT structure and data runs and, on the other hand, no article (at least none that I had found) with .NET code to do this, I decided to post this article.

Since there are few articles about this, it took me a long time to get this code working. Some pieces could have been done differently; feel free to make your suggestions.
Background

You can find more information about the NTFS structure at www.NTFS.com. This article (http://comunidad.dragonjar.org/f157/taller-forensic-ii-ntfs-7688/) also helped me understand some other things.
1-NTFS Basics

NTFS is the file system proprietary to Windows XP, Vista, 2003, 2000, NT and Windows 7, which supports file-level security, compression and auditing. It also supports large volumes and powerful storage solutions such as RAID.

The most important new feature of NTFS is the ability to encrypt files and folders to protect your sensitive data.

I won't go very deep into the NTFS structure; I'll just explain some topics that are used in this example.
2-Partition Boot Sector
(some description taken from NTFS.com)

When you format an NTFS volume, the format program allocates the first 16 sectors for the boot sector and the bootstrap code.
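As an added illustration (not the article's .NET code), the Python sketch below reads the boot sector fields that locate the MFT and then lists the file records that are marked as deleted. The field offsets are the commonly documented NTFS on-disk layout rather than values given on this page, and the boot sector and MFT bytes are constructed samples, so it goes one step beyond the boot sector description above.

```python
import struct

def parse_boot_sector(bs: bytes) -> dict:
    """Pull the fields needed to locate the MFT out of an NTFS boot sector."""
    if bs[3:11] != b"NTFS    ":                      # OEM ID at offset 0x03
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", bs, 0x0B)
    mft_lcn, = struct.unpack_from("<Q", bs, 0x30)    # first cluster of $MFT
    raw, = struct.unpack_from("<b", bs, 0x40)        # clusters per file record
    cluster = bytes_per_sector * sectors_per_cluster
    # A negative value n means the record size is 2**|n| bytes.
    record_size = 1 << -raw if raw < 0 else raw * cluster
    return {"cluster_size": cluster, "mft_offset": mft_lcn * cluster,
            "record_size": record_size}

def deleted_records(mft: bytes, record_size: int) -> list:
    """Indexes of FILE records whose in-use flag (0x0001 at 0x16) is clear."""
    found = []
    for index in range(len(mft) // record_size):
        rec = mft[index * record_size:(index + 1) * record_size]
        if rec[:4] != b"FILE":
            continue                                 # never-used or damaged slot
        flags, = struct.unpack_from("<H", rec, 0x16)
        if not flags & 0x0001:
            found.append(index)
    return found

def sample_boot_sector() -> bytes:
    """Constructed boot sector: 512-byte sectors, 8 per cluster, 1 KiB records."""
    bs = bytearray(512)
    bs[3:11] = b"NTFS    "
    struct.pack_into("<HB", bs, 0x0B, 512, 8)
    struct.pack_into("<Q", bs, 0x30, 786432)
    struct.pack_into("<b", bs, 0x40, -10)
    return bytes(bs)

def sample_mft(record_size: int) -> bytes:
    """Constructed records: live file, deleted file, empty slot, live dir, deleted dir."""
    def rec(flags: int) -> bytes:
        r = bytearray(record_size)
        r[:4] = b"FILE"
        struct.pack_into("<H", r, 0x16, flags)
        return bytes(r)
    return rec(1) + rec(0) + bytes(record_size) + rec(3) + rec(2)

if __name__ == "__main__":
    info = parse_boot_sector(sample_boot_sector())
    print(info, deleted_records(sample_mft(info["record_size"]), info["record_size"]))
```

The sketch treats the MFT as one contiguous byte string. On a real volume the MFT can be fragmented, so its data runs have to be followed before walking the records.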

Read more: Codeproject
