Friday, August 6, 2010

MFTs and NTFS

Probably the most important element of the NTFS file system is the Master File Table (MFT) structure. This is the block of data that stores information on every file. It contains the file name, dates, size and location on the disk. An MFT entry is normally 1024 bytes long, which means that at times the file data for a short file (maybe less than 500 bytes) can be stored in this directory element itself, avoiding the need to allocate a 4K area of disk for a small file.

The MFT is made up of several elements, and the most important for recovery purposes are the file allocation locations, the file name and the date metadata. On an NTFS disk, the file allocation information gives a starting location, and then the number of clusters in the data run. For fragmented files, there are extra starting locations (actually stored relative to the previous start). Occasionally, all the file information cannot be fitted into a single 1024-byte block, so there is a system for chaining multiple MFT blocks.
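
The data-run encoding described above can be decoded in a few lines. This is an added example, not code from the original post or from CnW Recovery's software; the sample runlist bytes are constructed, and the 4096-byte cluster size is an assumption.

```python
# Added example: decode an NTFS data-run list (runlist) from an MFT entry.

def parse_data_runs(runlist: bytes):
    """Return [(start_cluster, cluster_count), ...]; start is None if sparse."""
    runs = []
    pos = 0
    prev_start = 0  # every offset is relative to the previous run's start
    while pos < len(runlist):
        header = runlist[pos]
        if header == 0x00:            # end-of-list marker
            break
        len_size = header & 0x0F      # low nibble: bytes in the length field
        off_size = header >> 4        # high nibble: bytes in the offset field
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(runlist):
            raise ValueError(f"malformed or truncated run at byte {pos - 1}")
        count = int.from_bytes(runlist[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:             # sparse run: nothing allocated on disk
            runs.append((None, count))
            continue
        # The offset is signed, so a fragment may sit before the previous one.
        delta = int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
        pos += off_size
        prev_start += delta
        if prev_start < 0:
            raise ValueError("run resolves to a negative cluster number")
        runs.append((prev_start, count))
    return runs

def byte_ranges(runs, cluster_size=4096):  # cluster size is an assumption
    """Convert allocated runs to (disk_byte_offset, byte_length) pairs."""
    return [(s * cluster_size, n * cluster_size) for s, n in runs if s is not None]

# Constructed sample: two fragments, a sparse run, then the terminator.
SAMPLE = bytes.fromhex("21183456 211000F0 0108 00")

if __name__ == "__main__":
    for start, count in parse_data_runs(SAMPLE):
        print("sparse" if start is None else f"cluster {start}", f"x {count}")
```

The second fragment in the sample has a negative relative offset, which is why the offset field must be read as a signed value.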

Analysing the MFT by hand is not easy, so CnW Recovery have added a feature to the software: when an MFT sector is viewed, moving the mouse over the data displays the decoded information. For more details, see www.cnwrecovery.com/html/mft_parse.html.
