Forensics: NTFS Deleted Entry

When a file is deleted in NTFS, it is marked as deleted within the MFT entry for that file. The clusters that were allocated to the fille are now marked as free, within the $BitMap

This is is shown at offset 22 for 2 bytes; i.e. bytes 22 and 23 of the MFT for that entry.

  • For an active file the 22nd and 23rd offsets read “01 00”  (though in tools like EnCase it will display 00 01 due to the big endian/little endian flip required.
  • For a deleted file the 22nd and 23rd offsets read “00 00”. Though the big endian/little endian conversion still applies it makes no difference in this case.

2 Responses to “Forensics: NTFS Deleted Entry”

  1. Forensics: What is the $BitMap? « Data – Where is it? Says:

    […] a file is deleted the cluster becomes unallocated or unused (allowing new data to overwrite it) and the bits go back […]

  2. Sam Bruton Says:

    When referring to the 22nd and 23rd bytes to see is the file is set to active or deleted, which files would this relate to because not all the data may be deleted on the NTFS.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: