Forensics: What happens when files are deleted?

The video below shows what happens when files are deleted on an NTFS partition.

When a file is deleted in NTFS, it is marked as deleted within the MFT entry for that file. The clusters that were allocated to the fille are now marked as free, within the $BitMap

This is shown at offset 22 for 2 bytes; i.e. bytes 22 and 23 of the MFT for that entry.

  • For an active file the 22nd and 23rd offsets read “01 00″  (in the video its flipped because of the big endian/little endian issue)
  • For a deleted file the 22nd and 23rd offsets read “00 00″.
Advertisements

3 Responses to “Forensics: What happens when files are deleted?”

  1. Forensics: NTFS Deleted Entry « Data – Where is it? Says:

    […] NTFS Deleted Entry Posted on April 28, 2009 by Rob When a file is deleted in NTFS, it is marked as deleted within the MFT entry for that […]

  2. Forensics: What is the $MFT? « Data – Where is it? Says:

    […] for computer forensics investigators, as it effects the recovery of data and identification of deleted files. When a file is deleted the MFT entry is marked as ready to be re-used. This entry will continue […]

  3. Sam Bruton Says:

    When referring to the 22nd and 23rd bytes to see is the file is set to active or deleted, how do you know which files would this relate to because not all the data may be deleted?


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: