Forensics: Resident Data

What is resident data? Resident data is file data that is stored within the file's MFT entry itself, rather than out in the rest of the file system.

Non-resident data is the exact opposite.

An MFT entry is, as standard, 1024 bytes long, and the metadata about the file (name, dates, etc.) takes up around 500 bytes of space. This means that there are 500 bytes of space in the MFT entry to describe the location of the file (i.e. the data run). However, if the file is less than 500 bytes (common examples are cookies), the file system will place the file inside the MFT entry, rather than using data runs to describe where it is.

On a normal PC the vast majority of data is non-resident.

Resident data can be particularly interesting to computer forensics examiners if the file is deleted and the resident entry then becomes MFT slack.
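On disk, the resident/non-resident distinction described above is a single flag byte in the header of the $DATA attribute (type 0x80). The following added example (not part of the original post) parses one raw MFT entry, undoes the sector fixups, and returns the resident content whether or not the entry is still marked in use. The function names are hypothetical, the sample entry is constructed, and it assumes 512-byte sectors and 1024-byte entries.

```python
import struct

SECTOR, ATTR_DATA, ATTR_END = 512, 0x80, 0xFFFFFFFF

def apply_fixups(raw):
    """Undo NTFS fixups: restore the last 2 bytes of each sector from the array."""
    rec = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    for i in range(1, usa_count):
        end = i * SECTOR
        if rec[end - 2:end] != rec[usa_off:usa_off + 2]:
            raise ValueError("fixup mismatch: torn or corrupt record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def data_attributes(raw):
    """Yield (in_use, resident, content) for each $DATA attribute of one MFT entry."""
    if raw[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(raw)
    off, flags, used = struct.unpack_from("<HHI", rec, 0x14)
    while off + 8 <= min(used, len(rec)):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        if atype == ATTR_DATA and rec[off + 8] == 0:   # non-resident flag clear
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            yield bool(flags & 1), True, rec[off + coff:off + coff + clen]
        elif atype == ATTR_DATA:                        # data runs point to clusters
            yield bool(flags & 1), False, None
        off += alen

def build_sample(content, in_use=True):
    """Constructed 1024-byte entry with one resident $DATA attribute (sample input)."""
    rec = bytearray(1024)
    alen = (0x18 + len(content) + 7) & ~7           # attributes are 8-byte aligned
    rec[0x38:0x38 + 0x18 + len(content)] = struct.pack(
        "<IIBBHHHIHBB", ATTR_DATA, alen, 0, 0, 0x18, 0, 0, len(content), 0x18, 0, 0) + content
    struct.pack_into("<I", rec, 0x38 + alen, ATTR_END)
    struct.pack_into("<4sHH", rec, 0, b"FILE", 0x30, 3)
    struct.pack_into("<HHI", rec, 0x14, 0x38, int(in_use), 0x38 + alen + 8)
    rec[0x30:0x32] = b"\x01\x00"                    # update sequence number
    for i, end in enumerate((512, 1024), 1):        # move sector tails into the array
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = b"\x01\x00"
    return bytes(rec)

if __name__ == "__main__":
    print(list(data_attributes(build_sample(b"session=abc123", in_use=False))))
```

Skipping the fixup step silently corrupts two bytes of any resident content that crosses offset 510 of the entry, so recovered content should always be taken from the fixed-up record.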


One Response to “Forensics: Resident Data”

  1. MFT Slack « Data - Where is it? Says:

    […] Commonly the MFT slack contains the contents of the MFT entry before it was created, this can be particularly interesting for computer forensic examiners if there was resident data. […]

