How FAT and NFTS differ

Learn how FAT and NFTS differ and uncover how these systems could have potential forensic implications on data recovery.

Serdar Yegulalp

Published: 17 May 2007

How do FAT file systems and NTFS file systems differ from one another, and what are the implications, if any, in regards to data recovery?

NTFS was designed to address many issues that surfaced with FAT; a number of which affect how evidence can be recovered from a hard disk drive in a forensic environment. For one, the MFT, or Master File Table (the NTFS version of FAT's File Allocation Table), typically exists in two copies on every NTFS volume, under the reserved filename $MftMirr. The duplicate MFT contains the first four records of the original MFT, in the event the original becomes damaged.

Another NTFS element that may have forensic implications is the presence of alternate data streams (ADS). ADS allows a file to be associated with more than one data batches on the disk (though the data in a file's ADS will be lost if it's moved to a non-NTFS volume). ADSes cannot be detected by a simple DIR command; they have to be revealed using specialized software.

To learn more about the potentially forensic implications, check out Microsoft's description of how NTFS works.

Dig Deeper on Windows Server troubleshooting

MFTRCRD64 Shows More NTFS Timestamps MFTRCRD64 Shows More NTFS Timestamps

Windows NTFS Tutorial This short tutorial provides links to resources breaking down how the NTFS file system works, with details on NTFS vs FAT32, recovery techniques and management best practices.

NTFS (NT file system; sometimes New Technology File System) NTFS (NT file system; sometimes New Technology File System) is the file system that the Windows NT operating system uses for storing and retrieving files on a hard disk.

How to determine whether Chkdsk is scheduled to run In this excerpt from Chapter 31 of the book "Windows Vista Resource Kit," the authors explain how to use Chkdsk to determine whether a volume is dirty and how to run Ckhdsk on NTFS volumes when working with Microsoft Vista.

master file table (MFT) The master file table (MFT) is a database in which information about every file and directory on an NT File System (NTFS) volume is stored... (Continued)

Free tool offers simple NTFS data recovery The tool FreeUndelete 2.0 allows the recovery of files deleted from NTFS volumes.

Related Q&A from Serdar Yegulalp

Even without an optical drive, data on a disc can be accessed

This week, our expert answers the question of how to get DVD data off a disc, even if the user's PC doesn't have an optical drive. Continue Reading

Can I plug a USB drive into a phone with a micro-USB connector?

This week, our expert answers a question on how to connect a phone or tablet to a USB drive with a micro-USB connector. Continue Reading

LibreOffice, OpenOffice are tempting but differ from Microsoft Office

Open source and free suites such as LibreOffice and OpenOffice could save organizations money, but not effort in comparison with Microsoft Office. Continue Reading

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Windows Server experts

View all Windows Server questions and answers

SearchServerVirtualization

Understand and deploy IBM Cloud for VMware Solutions

The IBM-VMware partnership has provided a platform for admins committed to VMware technologies who also require cloud benefits ...

How AppDefense works to detect app and VM anomalies

AppDefense, a newer addition to the VMware security tool portfolio and part of the vSphere Platinum edition, helps organizations ...

Import and export Hyper-V VMs with Hyper-V Manager and PowerShell

When migrating VMs, admins can use Hyper-V Manager's export and import capabilities for small sets of VMs or PowerShell for ...

SearchCloudComputing

A primer on Alibaba Cloud for Western enterprises

When Western cloud users think of major cloud providers, it's typically the top three: AWS, Google Cloud Platform and Microsoft ...

AWS, Azure and Google peppered with outages in same week

Cloud outages hit AWS, Microsoft Azure and Google Cloud within the past week, an outcome that suggests customers must take a more...

Google to unveil post-Chronicle cloud cybersecurity plans

Google plans to discuss its cloud cybersecurity portfolio at a conference next week, with the capabilities developed by Chronicle...

SearchSQLServer

SQL Server database design best practices and tips for DBAs

Good database design is a must to meet processing needs in SQL Server systems. In a webinar, consultant Koen Verbeeck offered ...

SQL Server in Azure database choices and what they offer users

SQL Server databases can be moved to the Azure cloud in several different ways. Here's what you'll get from each of the options ...

Using a LEFT OUTER JOIN vs. RIGHT OUTER JOIN in SQL

In this book excerpt, you'll learn LEFT OUTER JOIN vs. RIGHT OUTER JOIN techniques and find various examples for creating SQL ...

SearchEnterpriseDesktop

Project Limitless' 5G PC and what desktop admins need to know

Qualcomm and Lenovo have partnered to produce a 5G-enabeled PC that could be a game-changer for remote workers. IT must prepare ...

Jamf Protect offers visibility, protection for macOS admins

Jamf Protect, the new endpoint security software announced at JNUC 2019, provides organizations with a native macOS tool that ...

Compare Windows 10 OS editions to determine the best fit

Organizations deploying Windows 10 must choose between multiple Windows 10 OS editions. Delve into the different features that ...

SearchVirtualDesktop

Compare offerings from 3 major desktop-as-a-service providers

Three desktop-as-a-service providers, Citrix, VMware and Microsoft, all offer virtual desktops as a part of their cloud services....

How to use VMware Horizon Performance Tracker

A good user experience is essential for VDI. Learn how to install and use VMware Horizon Performance Tracker to take the pulse of...

10 Microsoft Ignite 2019 sessions for VDI admins

VDI admins attending Microsoft Ignite 2019 could benefit from attending these 10 sessions. This guide can help to build a session...

How FAT and NFTS differ

Learn how FAT and NFTS differ and uncover how these systems could have potential forensic implications on data recovery.

Dig Deeper on Windows Server troubleshooting

Related Q&A from Serdar Yegulalp

Even without an optical drive, data on a disc can be accessed

Can I plug a USB drive into a phone with a micro-USB connector?

LibreOffice, OpenOffice are tempting but differ from Microsoft Office

Have a question for an expert?

Start the conversation

0 comments

Please create a username to comment.

-ADS BY GOOGLE

SearchServerVirtualization

Understand and deploy IBM Cloud for VMware Solutions

How AppDefense works to detect app and VM anomalies

Import and export Hyper-V VMs with Hyper-V Manager and PowerShell

SearchCloudComputing

A primer on Alibaba Cloud for Western enterprises

AWS, Azure and Google peppered with outages in same week

Google to unveil post-Chronicle cloud cybersecurity plans

SearchSQLServer

SQL Server database design best practices and tips for DBAs

SQL Server in Azure database choices and what they offer users

Using a LEFT OUTER JOIN vs. RIGHT OUTER JOIN in SQL

SearchEnterpriseDesktop

Project Limitless' 5G PC and what desktop admins need to know

Jamf Protect offers visibility, protection for macOS admins

Compare Windows 10 OS editions to determine the best fit

SearchVirtualDesktop

Compare offerings from 3 major desktop-as-a-service providers

How to use VMware Horizon Performance Tracker

10 Microsoft Ignite 2019 sessions for VDI admins

Dig Deeper on Windows Server troubleshooting

Related Q&A from Serdar Yegulalp

Have a question for an expert?

Start the conversation

0 comments

Register

Login

Forgot your password?

Your password has been sent to:

Please create a username to comment.