none
$MFT Change? RRS feed

  • Question

  • I have been studying Forensics and have encountered a problem with the $MFT file in Windows 7. I created a small text file and saved it to the root, which should appear as a resident file on the MFT, as it is under 1024 bytes. Howver, after copying the $MFT file and examining it in Win Hex, the newly created text file does not appear in the MFT, but is accessable and clearly in the c:/.

    After more investigation, it appeared that the $MFT file had not been modified since the clean install of Windows 7, though I have created numerous folders and files since install. All of which should appear in the $MFT either as a resident or non-resident file. I performed this same routine on an XP machine and was able to find the file in $MFT.

    How is 7 handling the file table differently than XP, as both use NTFS file system? Where is it located in Windows 7. Thanks in advance.

    Saturday, October 22, 2011 12:43 PM

Answers

All replies

  • Hi,

       This forum is not the correct one for your question.  This forum is for supporting Open Specification.  Your question is not related to the documentation.  Please repost your question on the following forum to get better help:

    http://social.technet.microsoft.com/Forums/en/w7itprogeneral/threads

     

    Thanks!

     


    Hongwei Sun -MSFT
    Saturday, October 22, 2011 3:27 PM
  • I can answer the question no matter if it is late. An MFT record is 1024 bytes, However at least about 150 bytes at least are required for basic file information. So the $MFT cannot be used to store a full 1024 bytes.It's some what smaller than that. A precise answer cannot be given because the amount os space is file type dependent.

    Renee


    "MODERN PROGRAMMING is deficient in elementary ways BECAUSE of problems INTRODUCED by MODERN PROGRAMMING." Me

    Sunday, June 17, 2012 8:55 AM