Q

How FAT and NTFS differ

Learn how FAT and NTFS differ and what forensic implications these differences could have for data recovery.

How do FAT file systems and NTFS file systems differ from one another, and what are the implications, if any, with regard to data recovery?

NTFS was designed to address many issues that surfaced with FAT, a number of which affect how evidence can be recovered from a hard disk drive in a forensic environment. For one, the MFT, or Master File Table (the NTFS version of FAT's File Allocation Table), typically exists in two copies on every NTFS volume; the duplicate is stored under the reserved filename $MftMirr. The duplicate MFT contains the first four records of the original MFT, for use in the event the original becomes damaged.

Another NTFS element that may have forensic implications is the presence of alternate data streams (ADS). ADS allows a file to be associated with more than one batch of data on the disk (though the data in a file's ADS will be lost if the file is moved to a non-NTFS volume). ADSes cannot be detected by a simple DIR command; they have to be revealed using specialized software.

To learn more about the potential forensic implications, check out Microsoft's description of how NTFS works.
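
How forensic software finds the streams that DIR does not show, as an added example that is not part of the original answer: each alternate data stream is stored as a named $DATA attribute in the file's MFT record. This goes beyond the text by parsing the on-disk record layout. The sample record and the helper names (`make_attr`, `make_record`, `SAMPLE`) are constructed for illustration, and update-sequence fixups are skipped.

```python
import struct

ATTR_DATA, ATTR_END = 0x80, 0xFFFFFFFF  # $DATA type code, end-of-attributes marker

def named_data_streams(record: bytes):
    """List (name, size) of each named $DATA attribute (ADS) in one MFT file record."""
    # Simplification: update-sequence fixups are not applied before parsing.
    if record[:4] != b"FILE":
        raise ValueError("not an MFT file record")
    off, = struct.unpack_from("<H", record, 0x14)   # offset of first attribute
    used, = struct.unpack_from("<I", record, 0x18)  # bytes in use in the record
    streams = []
    while off + 16 <= min(used, len(record)):
        a_type, a_len = struct.unpack_from("<II", record, off)
        if a_type == ATTR_END or a_len < 16 or off + a_len > len(record):
            break
        nonres, name_len, name_off = struct.unpack_from("<BBH", record, off + 8)
        if a_type == ATTR_DATA and name_len:  # the unnamed $DATA is the normal file body
            raw = record[off + name_off: off + name_off + 2 * name_len]
            fmt, pos = ("<Q", 0x30) if nonres else ("<I", 0x10)  # real size / content length
            size, = struct.unpack_from(fmt, record, off + pos)
            streams.append((raw.decode("utf-16-le"), size))
        off += a_len
    return streams

# ---- constructed sample record below (built in memory, not from a real volume) ----
def make_attr(a_type, name, content):
    """Build one resident attribute: 24-byte header, UTF-16LE name, content."""
    name_b = name.encode("utf-16-le")
    c_off = (0x18 + len(name_b) + 7) & ~7
    length = (c_off + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", a_type, length, 0, len(name_b) // 2, 0x18,
                      0, 0, len(content), c_off, 0, 0)
    return ((hdr + name_b).ljust(c_off, b"\0") + content).ljust(length, b"\0")

def make_record(attrs):
    body = b"".join(attrs) + struct.pack("<II", ATTR_END, 0)
    hdr = bytearray(0x38)
    hdr[0:4] = b"FILE"
    struct.pack_into("<H", hdr, 0x14, 0x38)
    struct.pack_into("<I", hdr, 0x18, 0x38 + len(body))
    return (bytes(hdr) + body).ljust(1024, b"\0")

ZONE = b"[ZoneTransfer]\r\nZoneId=3\r\n"
SAMPLE = make_record([
    make_attr(0x10, "", bytes(48)),                 # $STANDARD_INFORMATION
    make_attr(ATTR_DATA, "", b"visible contents"),  # the stream DIR reports
    make_attr(ATTR_DATA, "Zone.Identifier", ZONE),
    make_attr(ATTR_DATA, "notes.txt", b"second stream"),
])
```

Calling `named_data_streams(SAMPLE)` returns the two named streams and skips the unnamed `$DATA` attribute, which is the only stream a plain directory listing accounts for.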

This was first published in May 2007
