<p>The following scenario demonstrates a potentially confusing situation you might face as an investigator. Knowing the NTFS internals thoroughly will help you reach valid conclusions.</p>
<p>Assume that you have located a deleted suspicious file called <strong>showme.jpg.exe</strong>, relevant to your case, on an NTFS-formatted volume. You go to its $MFT record entry and verify that the metadata match and that the entry flag is unallocated. Surprisingly, however, you discover that there is only one resident $DATA attribute, with the following content:</p>
<p>[ZoneTransfer]<br />
ZoneId=3</p>
<h3>What are your next steps as an investigator?</h3>
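<p>A useful first check in a case like this is to list every attribute in the record with its type, name and resident flag, rather than relying on how a tool summarises the entry. The Python code below is an added example, not part of the original page: the function names are hypothetical, the record is constructed for illustration (1024-byte record, 512-byte sector stride), and the stream name <code>Zone.Identifier</code> in the sample is an assumption, since the scenario does not say how the attribute is named.</p>

```python
import struct

TYPES = {0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST",
         0x30: "$FILE_NAME", 0x80: "$DATA"}

def apply_fixups(rec):
    """Restore the sector-end bytes that NTFS swaps for the update sequence number."""
    rec = bytearray(rec)
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    for i in range(1, usa_cnt):  # entry 0 is the sequence number itself
        rec[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def list_attributes(rec):
    """Return (in_use, attributes) for one raw FILE record."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(rec)
    off, flags = struct.unpack_from("<HH", rec, 0x14)  # first attribute, record flags
    attrs = []
    while off + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == 0xFFFFFFFF or alen < 16 or off + alen > len(rec):
            break  # end marker or damaged attribute header
        nonres, nlen, noff = struct.unpack_from("<BBH", rec, off + 8)
        name = rec[off + noff:off + noff + 2 * nlen].decode("utf-16-le", "replace")
        content = None
        if not nonres:  # resident: the content sits inside the record itself
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
        attrs.append({"type": TYPES.get(atype, hex(atype)), "name": name,
                      "resident": not nonres, "content": content})
        off += alen
    return bool(flags & 0x01), attrs  # bit 0 set means the record is in use

def build_sample():
    """Constructed 1024-byte record: flags 0 (unallocated), one resident $DATA."""
    name = "Zone.Identifier".encode("utf-16-le")  # assumed stream name
    body = b"[ZoneTransfer]\r\nZoneId=3\r\n"
    attr = struct.pack("<IIBBHHHIHBB", 0x80, 88, 0, 15, 0x18, 0, 1, len(body), 56, 0, 0)
    attr = (attr + name).ljust(56, b"\0") + body
    head = b"FILE" + struct.pack("<HHQHHHHII", 0x30, 3, 0, 1, 1, 0x38, 0, 0x98, 1024)
    rec = head.ljust(0x38, b"\0") + attr.ljust(88, b"\0") + struct.pack("<I", 0xFFFFFFFF)
    return rec.ljust(1024, b"\0")

if __name__ == "__main__":
    in_use, attrs = list_attributes(build_sample())
    print("allocated" if in_use else "unallocated", attrs)
```

<p>On a real record, an empty <code>name</code> marks the unnamed (default) data stream, and the presence of an <code>$ATTRIBUTE_LIST</code> entry means further attributes may live in other $MFT records.</p>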