When a file is deleted in NTFS, it is marked as deleted within the MFT entry for that file. The clusters that were allocated to the file are then marked as free within the $BitMap.
This is shown at offset 22 for 2 bytes; i.e. bytes 22 and 23 of the MFT entry.
- For an active file the 22nd and 23rd offsets read "01 00" (though in tools like EnCase it will display 00 01 due to the big endian/little endian flip required).
- For a deleted file the 22nd and 23rd offsets read "00 00". Though the big endian/little endian conversion still applies, it makes no difference in this case.
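As an added example (not part of the original text), the following Python reads the flags field described above directly from an MFT record and classifies the record as active or deleted. The record layout assumed here is the standard NTFS FILE record header: a "FILE" signature at offset 0 and the 2-byte little-endian flags word at offset 22, where bit 0 means "in use" and bit 1 means "directory". The sample records are constructed in the script itself (1024-byte records with only the signature and flags filled in), so it runs offline; the `make_record`, `mft_flags`, `classify` and `scan_mft` names are this example's own, not from any tool.

```python
import struct

# Standard NTFS FILE record header layout (assumed here, matches the text above):
# the flags word lives at byte offset 22 and is 2 bytes, little-endian.
FLAGS_OFFSET = 22
FLAG_IN_USE = 0x0001     # bit 0: record is allocated to a live file/directory
FLAG_DIRECTORY = 0x0002  # bit 1: record describes a directory
RECORD_SIZE = 1024       # default MFT record size


def mft_flags(record: bytes) -> int:
    """Return the flags word from a single MFT record as an integer."""
    if len(record) < FLAGS_OFFSET + 2:
        raise ValueError("record too short to contain the flags field")
    if record[:4] != b"FILE":
        # A record whose signature is not FILE (e.g. BAAD or all zeros) should
        # not be trusted; report it rather than guessing.
        raise ValueError("record does not carry a FILE signature")
    # "<H" reads the two bytes little-endian, so raw bytes 01 00 become 0x0001.
    return struct.unpack_from("<H", record, FLAGS_OFFSET)[0]


def classify(record: bytes) -> dict:
    """Describe one record: the raw on-disk bytes, the decoded flags and the state."""
    flags = mft_flags(record)
    return {
        "raw_bytes": record[FLAGS_OFFSET:FLAGS_OFFSET + 2].hex(" "),
        "flags": flags,
        "in_use": bool(flags & FLAG_IN_USE),
        "is_directory": bool(flags & FLAG_DIRECTORY),
        "state": "active" if flags & FLAG_IN_USE else "deleted",
    }


def scan_mft(mft_image: bytes, record_size: int = RECORD_SIZE) -> list:
    """Walk a raw $MFT image and return (record_number, state) for every FILE record.

    Records without a FILE signature are reported as 'invalid' instead of
    raising, since a real $MFT contains unused/garbage slots.
    """
    results = []
    for n in range(len(mft_image) // record_size):
        rec = mft_image[n * record_size:(n + 1) * record_size]
        try:
            results.append((n, classify(rec)["state"]))
        except ValueError:
            results.append((n, "invalid"))
    return results


def make_record(flags: int, size: int = RECORD_SIZE) -> bytes:
    """Build a constructed, minimal MFT record for demonstration only:
    a FILE signature, a zeroed header and the given flags word at offset 22."""
    rec = bytearray(size)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, FLAGS_OFFSET, flags)
    return bytes(rec)


if __name__ == "__main__":
    # Constructed sample image: an active file, a deleted file, an active
    # directory and an unused slot with no signature.
    sample_mft = (
        make_record(FLAG_IN_USE)
        + make_record(0x0000)
        + make_record(FLAG_IN_USE | FLAG_DIRECTORY)
        + bytes(RECORD_SIZE)
    )
    for n, state in scan_mft(sample_mft):
        print(f"record {n}: {state}")
    print(classify(make_record(FLAG_IN_USE)))
```

The `raw_bytes` field shows the on-disk order ("01 00" for an active file), while `flags` shows the integer a hex viewer or tool would display after the little-endian conversion, which is the difference the bullets above describe. Offsets 22 and 23 sit inside the record header, before the update sequence (fixup) area at the end of each 512-byte sector, so they can be read from a raw record without applying fixups first.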