When a file such as an image or a document is stored on a Windows computer using the NTFS file system, physical clusters are allocated to it and the location of those clusters is recorded in the Master File Table (MFT), which the operating system maintains.
NTFS is a journaling file system: it uses the $LogFile to record the changes made to the volume on which it resides.
The Master File Table (MFT) is located at the beginning of the volume and provides an ‘index’ of all live, active data present on the drive.
When a file is needed, its location on the drive is read from the MFT and the file is retrieved quickly, without the entire contents of the drive having to be searched. Such files are referred to as existing in ‘live’ clusters.
If a file is deleted, whether by the system or manually by the user, its data is not removed from the device. Instead, the entry relating to the file is altered within the MFT, so that both the space that entry occupied in the MFT and the clusters holding the file’s data become available for a new entry and new data to be stored.
Once the MFT entry is reused, the data relating to the old file becomes ‘unallocated’, but it can still be recovered using specialist software, such as the tools used in computer forensic investigations.
When the data relating to the old file is overwritten by a new file, the old file is no longer recoverable, even with specialist software.
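As an added example that is not part of the original text, the following Python decodes the fixed header at the start of an MFT FILE record and reports whether the record is still in use, whether it has been freed by a deletion, and whether a slot has since been reused. It assumes the standard NTFS FILE record header layout (signature, $LogFile sequence number, sequence number, flags) and uses constructed sample records rather than data from a real volume; on real disk images the update sequence fixups must be applied before reading attribute bodies, although the header fields read here sit before the first fixup position.

```python
import struct

# Fixed header at offset 0 of every MFT FILE record (standard NTFS layout):
# signature, update-sequence offset/count, $LogFile LSN, sequence number,
# hard-link count, first-attribute offset, flags, used/allocated size,
# base record reference, next attribute id.
HEADER = struct.Struct("<4sHHQHHHHIIQH")
FLAG_IN_USE = 0x0001      # cleared when the file is deleted
FLAG_DIRECTORY = 0x0002

def parse_mft_record_header(record: bytes) -> dict:
    """Decode one MFT record header and classify the record's allocation state."""
    if len(record) < HEADER.size:
        raise ValueError("record too short for a FILE header")
    (signature, _usa_off, _usa_count, lsn, seq_no, _links, _attr_off,
     flags, _used, _alloc, _base_ref, _next_id) = HEADER.unpack_from(record)
    if signature != b"FILE":
        raise ValueError("not a FILE record: %r" % signature)
    in_use = bool(flags & FLAG_IN_USE)
    return {
        "lsn": lsn,                 # $LogFile sequence number of the last change
        "sequence": seq_no,         # incremented each time this slot is reused
        "in_use": in_use,
        "is_directory": bool(flags & FLAG_DIRECTORY),
        "state": "live" if in_use else "deleted (entry free, data may survive)",
    }

def slot_reused(earlier: bytes, later: bytes) -> bool:
    """True if two snapshots of the same MFT slot show it was reallocated,
    i.e. the old file's MFT metadata has been replaced by a new entry."""
    return (parse_mft_record_header(later)["sequence"]
            > parse_mft_record_header(earlier)["sequence"])

def build_record(flags: int, seq_no: int, lsn: int) -> bytes:
    """Constructed sample: a 1024-byte record with only the header populated."""
    hdr = HEADER.pack(b"FILE", 0x30, 3, lsn, seq_no, 1, 0x38, flags, 0x100, 0x400, 0, 4)
    return hdr + b"\x00" * (1024 - len(hdr))

# Constructed samples: a live file, the same slot after deletion, and the
# slot after a new file has taken it over (higher sequence number).
LIVE_RECORD = build_record(FLAG_IN_USE, 2, 0x1234)
DELETED_RECORD = build_record(0, 2, 0x1300)
REUSED_RECORD = build_record(FLAG_IN_USE, 3, 0x1400)

if __name__ == "__main__":
    for name, rec in (("live", LIVE_RECORD), ("deleted", DELETED_RECORD)):
        print(name, parse_mft_record_header(rec))
    print("slot reused:", slot_reused(DELETED_RECORD, REUSED_RECORD))
```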