
How FAT and NTFS differ

Learn how FAT and NTFS differ and what forensic implications these file systems could have for data recovery.

How do FAT file systems and NTFS file systems differ from one another, and what are the implications, if any, with regard to data recovery?
NTFS was designed to address many issues that surfaced with FAT, a number of which affect how evidence can be recovered from a hard disk drive in a forensic environment. For one, the MFT, or Master File Table (the NTFS counterpart of FAT's File Allocation Table), typically exists in two copies on every NTFS volume; the duplicate is stored under the reserved filename $MftMirr. It contains the first four records of the original MFT, for use in the event the original becomes damaged.

Another NTFS element that may have forensic implications is the presence of alternate data streams (ADS). ADS allows a file to be associated with more than one batch of data on the disk (though the data in a file's ADS will be lost if the file is moved to a non-NTFS volume). ADSes cannot be detected by a simple DIR command; they have to be revealed using specialized software.

To learn more about the potential forensic implications, check out Microsoft's description of how NTFS works.
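
The $MftMirr duplication described above can be checked directly on a raw volume image. The following is an added example, not part of the original answer: it reads the standard NTFS boot-sector fields to locate both tables and compares the first four records. The function names and the small in-memory image are constructed for illustration.

```python
import struct

MIRRORED = 4  # per the answer above: $MftMirr duplicates the first four MFT records

def locate(image):
    """Read the NTFS boot sector; return byte offsets of $MFT, $MftMirr and the record size."""
    if image[3:11] != b"NTFS    ":
        raise ValueError("no NTFS OEM ID in boot sector")
    bps, spc = struct.unpack_from("<HB", image, 0x0B)      # bytes/sector, sectors/cluster
    mft_lcn, mirr_lcn = struct.unpack_from("<QQ", image, 0x30)
    (raw,) = struct.unpack_from("<b", image, 0x40)
    cluster = bps * spc
    # A negative value encodes the record size as 2**|raw| bytes (0xF6 -> 1024).
    rec = 1 << -raw if raw < 0 else raw * cluster
    return mft_lcn * cluster, mirr_lcn * cluster, rec

def check_mirror(image):
    """Compare each mirrored record with the primary; one status string per record."""
    mft, mirr, rec = locate(image)
    out = []
    for n in range(MIRRORED):
        a = image[mft + n * rec: mft + (n + 1) * rec]
        b = image[mirr + n * rec: mirr + (n + 1) * rec]
        if a == b and a[:4] == b"FILE":
            out.append("match")
        elif b[:4] != b"FILE":
            out.append("mirror-invalid")     # mirror copy cannot be used for recovery
        else:
            out.append("differs")            # mirror still holds a FILE record to examine
    return out

def sample_image():
    """Constructed test volume: 512-byte clusters, $MFT at LCN 4, $MftMirr at LCN 16."""
    img = bytearray(16 * 512 + MIRRORED * 1024)
    img[3:11] = b"NTFS    "
    struct.pack_into("<HB", img, 0x0B, 512, 1)
    struct.pack_into("<QQ", img, 0x30, 4, 16)
    struct.pack_into("<b", img, 0x40, -10)
    for n in range(MIRRORED):
        body = b"FILE" + bytes([n]) * 1020   # placeholder bytes, not a real record layout
        img[4 * 512 + n * 1024: 4 * 512 + (n + 1) * 1024] = body
        img[16 * 512 + n * 1024: 16 * 512 + (n + 1) * 1024] = body
    return img

if __name__ == "__main__":
    img = sample_image()
    img[4 * 512 + 2 * 1024: 4 * 512 + 2 * 1024 + 4] = b"BAAD"   # simulate damage to record 2
    print(check_mirror(img))
```

Run against a read-only copy of an acquired image; a "differs" result marks a record where the mirror is a candidate source for the damaged primary entry.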
