A typical NTFS filesystem contains hundreds of thousands of files. Each file has its own $MFT entry, and all $MFT entries are given a sequential address starting from zero, zero being the $MFT entry itself.
File carving is the process of reassembling computer files from fragments in the absence of filesystem metadata.
The security researcher Marius Tivadar has discovered a vulnerability in the Windows NTFS filesystem and published proof-of-concept code on GitHub that could be used to cause a Blue Screen of Death within seconds on most Windows computers.
Some information raised during preparation of GCFA exam
The New Technology File System (NTFS) is a file system developed and introduced by Microsoft in 1995 with Windows NT as a replacement for the FAT file system.
Versions
Microsoft has released five versions of NTFS: v1.0: Released with Windows NT 3.1 in 1993. v1.0 is incompatible with […]
The most important file in an NTFS filesystem
During a forensic analysis, after evidence acquisition, the investigation starts with a timeline analysis, which extracts from the images all information on when files were modified, accessed, changed and created.