Forensics: What happens when files are deleted?

The video below shows what happens when files are deleted on an NTFS partition.

When a file is deleted in NTFS, it is marked as deleted within the MFT entry for that file. The clusters that were allocated to the file are then marked as free within the $Bitmap metafile, which tracks cluster allocation for the volume.

The deleted/active state is held in the 2-byte flags field at offset 22 of the MFT record header, i.e. bytes 22 and 23 of the MFT entry for that file.

  • For an active file, bytes 22 and 23 read "01 00" (in the video the two bytes appear swapped because of byte order: the value is stored little-endian).
  • For a deleted file, bytes 22 and 23 read "00 00".
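The following is an added example, not code from the original post: it reads the little-endian flags field at offset 22 of each MFT FILE record in a raw $MFT image and reports whether the entry is active, a directory, or deleted. The records it scans are constructed in the script (only the header fields it reads are filled in), so it runs offline; the sequence number at offset 0x10 is included because NTFS increments it each time a record is reused, which helps tell a deleted entry from later data that landed in the same slot.

```python
import struct

MFT_RECORD_SIZE = 1024      # default FILE record size on NTFS
FLAGS_OFFSET = 0x16         # offset 22: 2-byte flags field, little-endian
SEQ_OFFSET = 0x10           # sequence number, incremented when a record is reused
FLAG_IN_USE = 0x0001        # record is allocated (active file or directory)
FLAG_DIRECTORY = 0x0002     # record describes a directory


def make_record(seq_no, flags):
    """Build a constructed (synthetic) MFT FILE record for demonstration.
    Only the header fields read below are populated; everything else is zero."""
    rec = bytearray(MFT_RECORD_SIZE)
    rec[0:4] = b"FILE"                            # record signature
    struct.pack_into("<H", rec, SEQ_OFFSET, seq_no)
    struct.pack_into("<H", rec, 0x14, 0x38)       # offset of first attribute
    struct.pack_into("<H", rec, FLAGS_OFFSET, flags)
    return bytes(rec)


def parse_record(rec):
    """Decode the deletion state from one MFT record header.
    Bytes 22-23 form a little-endian uint16: an active file shows '01 00'
    in a hex dump, a deleted file shows '00 00'."""
    if rec[0:4] != b"FILE":
        return {"valid": False}
    (flags,) = struct.unpack_from("<H", rec, FLAGS_OFFSET)
    (seq_no,) = struct.unpack_from("<H", rec, SEQ_OFFSET)
    return {
        "valid": True,
        "sequence": seq_no,
        "flags": flags,
        "raw_flag_bytes": rec[FLAGS_OFFSET:FLAGS_OFFSET + 2].hex(" "),
        "in_use": bool(flags & FLAG_IN_USE),
        "directory": bool(flags & FLAG_DIRECTORY),
    }


def scan_mft(image, record_size=MFT_RECORD_SIZE):
    """Walk a raw $MFT image record by record and report each entry's state."""
    results = []
    for i in range(len(image) // record_size):
        info = parse_record(image[i * record_size:(i + 1) * record_size])
        info["record_no"] = i
        results.append(info)
    return results


# Constructed three-record $MFT image: active file, deleted file, active directory.
SAMPLE_MFT = (make_record(1, FLAG_IN_USE)
              + make_record(3, 0x0000)
              + make_record(1, FLAG_IN_USE | FLAG_DIRECTORY))

if __name__ == "__main__":
    for r in scan_mft(SAMPLE_MFT):
        state = "deleted" if not r["in_use"] else ("directory" if r["directory"] else "file")
        print(f"record {r['record_no']}: bytes 22-23 = {r['raw_flag_bytes']} -> {state} (seq {r['sequence']})")
```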

3 Responses to “Forensics: What happens when files are deleted?”

  1. Forensics: NTFS Deleted Entry « Data – Where is it? Says:

    […] NTFS Deleted Entry Posted on April 28, 2009 by Rob When a file is deleted in NTFS, it is marked as deleted within the MFT entry for that […]

  2. Forensics: What is the $MFT? « Data – Where is it? Says:

    […] for computer forensics investigators, as it affects the recovery of data and identification of deleted files. When a file is deleted the MFT entry is marked as ready to be re-used. This entry will continue […]

  3. Sam Bruton Says:

    When referring to the 22nd and 23rd bytes to see if the file is set to active or deleted, how do you know which files this would relate to, because not all the data may be deleted?
