sábado, 22 de outubro de 2011 12:43
I have been studying Forensics and have encountered a problem with the $MFT file in Windows 7. I created a small text file and saved it to the root, which should appear as a resident file on the MFT, as it is under 1024 bytes. Howver, after copying the $MFT file and examining it in Win Hex, the newly created text file does not appear in the MFT, but is accessable and clearly in the c:/.
After more investigation, it appeared that the $MFT file had not been modified since the clean install of Windows 7, though I have created numerous folders and files since install. All of which should appear in the $MFT either as a resident or non-resident file. I performed this same routine on an XP machine and was able to find the file in $MFT.
How is 7 handling the file table differently than XP, as both use NTFS file system? Where is it located in Windows 7. Thanks in advance.
Todas as Respostas
sábado, 22 de outubro de 2011 15:27Moderador
This forum is not the correct one for your question. This forum is for supporting Open Specification. Your question is not related to the documentation. Please repost your question on the following forum to get better help:
Hongwei Sun -MSFT
- Marcado como Resposta Hongwei Sun-MSFTMicrosoft Employee, Moderator sábado, 22 de outubro de 2011 15:28
domingo, 17 de junho de 2012 08:55
I can answer the question no matter if it is late. An MFT record is 1024 bytes, However at least about 150 bytes at least are required for basic file information. So the $MFT cannot be used to store a full 1024 bytes.It's some what smaller than that. A precise answer cannot be given because the amount os space is file type dependent.
"MODERN PROGRAMMING is deficient in elementary ways BECAUSE of problems INTRODUCED by MODERN PROGRAMMING." Me