Created: Thursday, 20 September 2018
Updated: Thursday, 28 May 2026

The following scenario demonstrates a potentially confusing situation you might face as an investigator. A thorough knowledge of NTFS internals will help you reach valid conclusions.

Assume that you have located a deleted suspicious file called showme.jpg.exe, relevant to your case, on an NTFS-formatted volume. You go to its $MFT record entry and verify that the metadata match and that the entry flag is unallocated. Surprisingly, however, you discover that there is only one resident $DATA attribute, with the following content:

[ZoneTransfer]
ZoneId=3

What are your next steps as an investigator?
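
A check that bears on this scenario, shown as an added example that is not part of the original post: Python code that walks one $MFT record, reports the in-use flag, and lists each $DATA attribute with its stream name, so an examiner can tell an unnamed main stream from a named alternate data stream. The record bytes are constructed for illustration, `build_record` is a hypothetical helper, and the parser assumes the update-sequence fixups have already been applied.

```python
import struct

DATA, END = 0x80, 0xFFFFFFFF  # $DATA attribute type, end-of-attributes marker

def list_data_attributes(record: bytes):
    """Return (in_use, [(stream_name, resident, content), ...]) for one $MFT record.
    Assumption: update-sequence fixups are already applied to the record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    # 0x14: offset of first attribute, 0x16: record flags (bit 0 = in use)
    first_attr, flags = struct.unpack_from("<HH", record, 0x14)
    streams, off = [], first_attr
    while off + 8 <= len(record):
        a_type, a_len = struct.unpack_from("<II", record, off)
        if a_type == END or a_len == 0:
            break
        # 0x08: non-resident flag, 0x09: name length in UTF-16 chars, 0x0A: name offset
        non_res, name_len, name_off = struct.unpack_from("<BBH", record, off + 8)
        if a_type == DATA:
            start = off + name_off
            name = record[start:start + 2 * name_len].decode("utf-16-le")
            content = None
            if not non_res:  # resident: content size at 0x10, content offset at 0x14
                c_size, c_off = struct.unpack_from("<IH", record, off + 0x10)
                content = record[off + c_off:off + c_off + c_size]
            streams.append((name, not non_res, content))
        off += a_len
    return bool(flags & 0x0001), streams

def build_record(stream_name: str, content: bytes, in_use: bool) -> bytes:
    """Constructed sample: minimal record holding a single resident $DATA attribute."""
    name = stream_name.encode("utf-16-le")
    name_off = 0x18
    c_off = (name_off + len(name) + 7) & ~7      # content is 8-byte aligned
    a_len = (c_off + len(content) + 7) & ~7
    attr = struct.pack("<IIBBHHHIH", DATA, a_len, 0, len(stream_name),
                       name_off, 0, 0, len(content), c_off)
    attr = (attr.ljust(name_off, b"\0") + name).ljust(c_off, b"\0") + content
    header = bytearray(0x38)
    header[:4] = b"FILE"
    struct.pack_into("<HH", header, 0x14, 0x38, 1 if in_use else 0)
    return bytes(header) + attr.ljust(a_len, b"\0") + struct.pack("<II", END, 0)

if __name__ == "__main__":
    zone = b"[ZoneTransfer]\r\nZoneId=3\r\n"      # constructed content, CRLF assumed
    for stream in ("Zone.Identifier", ""):         # named stream vs unnamed main stream
        in_use, found = list_data_attributes(build_record(stream, zone, in_use=False))
        print("in use:", in_use, "| $DATA streams:", found)
```

An empty stream name in the output means the attribute is the file's unnamed main $DATA stream; a non-empty name means it is a named stream.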


© 2012 - 2026 Armen Arsakian. Updated at Thursday 28 May 2026. Contact: contact at arsakian.com
