Created: Thursday, 20 September 2018
Updated: Friday, 21 September 2018

The following scenario demonstrates a potentially confusing situation you might face as an investigator. Knowing the NTFS internals in depth will help you reach valid conclusions.

Assume that you have located a deleted suspicious file called showme.jpg.exe, relevant to your case, on an NTFS-formatted volume. You go to its $MFT record entry and verify that the metadata match and that the entry flag is unallocated. However, surprisingly, you discover that there is only one resident $DATA attribute with content having


What are your next steps as an investigator?
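The two checks the scenario relies on, the record's in-use flag and whether the $DATA attribute is resident, live at fixed offsets in the FILE record and attribute headers. The following is an added example, not code from the original post: it builds a constructed 1024-byte FILE record for an unallocated entry holding one resident $DATA attribute, applies the update-sequence fixups the way the NTFS driver does, and then parses it back, reversing the fixups first. The record number, sequence number, USN value and the content bytes are all made up for the illustration.

```python
import struct

MFT_RECORD_SIZE = 1024
SECTOR_SIZE = 512
ATTR_DATA = 0x80          # $DATA attribute type
ATTR_END = 0xFFFFFFFF     # end-of-attributes marker
FLAG_IN_USE = 0x0001      # record flags at offset 0x16 of the FILE header
FLAG_DIRECTORY = 0x0002


def build_record(flags, data_content, usn=0x1234):
    """Construct a FILE record with one unnamed resident $DATA attribute.

    Layout follows the NTFS 3.1 record header; values such as the record
    number (42) and the USN are constructed for the example only."""
    rec = bytearray(MFT_RECORD_SIZE)
    usa_offset, usa_count = 0x30, 3      # USN word + one saved word per 512-byte sector
    first_attr = 0x38
    content_offset = 0x18                # resident content follows the 24-byte header
    attr_len = (content_offset + len(data_content) + 7) & ~7   # attributes are 8-byte aligned
    used_size = first_attr + attr_len + 8                      # plus end marker and padding

    rec[:0x30] = struct.pack("<4sHHQHHHHIIQHHI",
                             b"FILE", usa_offset, usa_count, 0,   # signature, USA offset/count, $LogFile LSN
                             1, 1, first_attr, flags,             # sequence no, hard links, first attr, flags
                             used_size, MFT_RECORD_SIZE, 0,       # used size, allocated size, base record ref
                             3, 0, 42)                            # next attribute id, padding, record number
    rec[usa_offset:usa_offset + 2] = struct.pack("<H", usn)

    # Resident attribute header: type, length, non-resident flag, name length,
    # name offset, flags, attribute id, content length, content offset, indexed, pad
    rec[first_attr:first_attr + 24] = struct.pack("<IIBBHHHIHBB", ATTR_DATA, attr_len, 0, 0, 0x18,
                                                  0, 2, len(data_content), content_offset, 0, 0)
    rec[first_attr + 24:first_attr + 24 + len(data_content)] = data_content
    struct.pack_into("<I", rec, first_attr + attr_len, ATTR_END)

    # Apply fixups: save the last word of every sector into the array, overwrite it with the USN
    for i in range(usa_count - 1):
        end = SECTOR_SIZE * (i + 1)
        rec[usa_offset + 2 + 2 * i:usa_offset + 4 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = rec[usa_offset:usa_offset + 2]
    return bytes(rec)


def apply_fixups(raw):
    """Undo the update-sequence fixups; a mismatch means a torn or corrupted record."""
    rec = bytearray(raw)
    usa_offset, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_offset:usa_offset + 2]
    for i in range(usa_count - 1):
        end = SECTOR_SIZE * (i + 1)
        if rec[end - 2:end] != usn:
            raise ValueError("update sequence mismatch: torn or corrupt record")
        rec[end - 2:end] = rec[usa_offset + 2 + 2 * i:usa_offset + 4 + 2 * i]
    return bytes(rec)


def parse_record(raw):
    """Return the allocation flags and every $DATA attribute (resident or not)."""
    if raw[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(raw)
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {
        "in_use": bool(flags & FLAG_IN_USE),
        "is_directory": bool(flags & FLAG_DIRECTORY),
        "data_attributes": [],
    }
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        non_resident = rec[off + 8]
        if atype == ATTR_DATA:
            entry = {"resident": not non_resident}
            if not non_resident:
                # Resident: content length at +0x10, content offset at +0x14
                clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
                entry["content"] = rec[off + coff:off + coff + clen]
            info["data_attributes"].append(entry)
        off += alen
    return info


if __name__ == "__main__":
    record = build_record(0, b"MZ\x90\x00 constructed payload")   # flags 0 = unallocated entry
    print(parse_record(record))
```

Only a record that survives the fixup check is worth interpreting: on a real image a torn write leaves the USN words inconsistent, and a parser that skips this step will happily report flags and content taken from two different versions of the record.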



© 2012 - 2023 Armen Arsakian, updated at Monday 03 April 2023. Contact: contact at
