Forensics: Resident Data

What is resident data? Resident data is file data that is stored within the MFT entry itself, rather than out in the rest of the file system.

Non-resident data is the exact opposite.

As the MFT entry is, as standard, 1024 bytes long, and the metadata about the file (name, dates, etc.) takes up around 500 bytes of space, this means that there are 500 bytes of space in the MFT entry to describe the location of the file (i.e. the data run). However, if the file is less than 500 bytes (common examples are cookies), then the file system will place the file inside the MFT, rather than using data runs to describe where it is.

On a normal PC the vast majority of data is non-resident.

Resident data can be particularly interesting to computer forensics examiners if the file is deleted and the resident entry then becomes MFT slack.
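To show how an examiner can tell the two cases apart in a raw MFT entry, here is an added example (not part of the original post): it walks the attributes of a 1024-byte record, finds the unnamed $DATA attribute (type 0x80) and checks its non-resident flag. The function names and the sample record are constructed for illustration; the offsets follow the standard NTFS on-disk layout, including the fixup values NTFS stamps over the last two bytes of each 512-byte sector.

```python
import struct

DATA_TYPE, END_MARKER = 0x80, 0xFFFFFFFF

def apply_fixups(rec, sector=512):
    """Put back the last two bytes of each sector, which NTFS keeps in the update sequence array."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    rec = bytearray(rec)
    usn = rec[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * sector
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch in sector %d" % i)
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def data_attribute(rec):
    """Return (is_resident, payload) for the unnamed $DATA attribute, or None if absent."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(rec)
    off = struct.unpack_from("<H", rec, 0x14)[0]           # offset of first attribute
    while off + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen < 16 or off + alen > len(rec):
            break
        if atype == DATA_TYPE and rec[off + 9] == 0:        # name length 0: main stream
            if rec[off + 8]:                                # non-resident flag set
                run_off = struct.unpack_from("<H", rec, off + 0x20)[0]
                return False, rec[off + run_off:off + alen]     # raw data runs
            size, c_off = struct.unpack_from("<IH", rec, off + 0x10)
            return True, rec[off + c_off:off + c_off + size]    # the file's own bytes
        off += alen
    return None

def build_sample(content):
    """Constructed 1024-byte record holding one resident $DATA attribute."""
    rec = bytearray(1024)
    # signature, USA offset, USA count, then first-attribute offset at 0x14
    struct.pack_into("<4sHH12xH", rec, 0, b"FILE", 0x30, 3, 0x38)
    alen = (0x18 + len(content) + 7) & ~7                   # attributes are 8-byte aligned
    struct.pack_into("<IIBBHHHIH", rec, 0x38, DATA_TYPE, alen, 0, 0, 0x18, 0, 0, len(content), 0x18)
    rec[0x50:0x50 + len(content)] = content
    struct.pack_into("<I", rec, 0x38 + alen, END_MARKER)
    for i in (1, 2):                                        # stamp fixups like a record on disk
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[512 * i - 2:512 * i]
        rec[512 * i - 2:512 * i] = b"\x01\x00"
    rec[0x30:0x32] = b"\x01\x00"
    return bytes(rec)

SAMPLE = (b"id=constructed-cookie-value;" * 20)[:450]      # constructed, spans offset 510
```

Calling data_attribute(build_sample(SAMPLE)) returns (True, SAMPLE). The 450-byte sample crosses the first sector boundary, so reading it straight from the raw record without applying fixups would give two wrong bytes.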

One Response to “Forensics: Resident Data”

  1. MFT Slack « Data - Where is it? Says:

    […] Commonly the MFT slack contains the contents of the MFT entry before it was created, this can be particularly interesting for computer forensic examiners if there was resident data. […]

