File Recovery software and Master File Table

Disk scan for deleted entries

Reference something newer than win2k

Consider the following input parameters:

Thus, we can iterate through all 1968 MFT records, starting at absolute offset 0x4000 on the volume, and look for deleted entries.

MFT entry 57, at offset 0x4000 + 57 * 1024 = 74752 = 0x12400, is of interest because it contains the recently deleted file "My Presentation.ppt".

MFT record number 57 is displayed below:

The MFT Record has a pre-defined structure. It has a set of attributes defining any file or folder parameters.

The MFT Record begins with the standard File Record Header (first bold section, offset 0x00):

The most important information in this block is the file state: deleted or in use. If the Flags field (in red) has bit 1 set, the file is in use. In this example it is zero, i.e. the file is deleted.

Starting at 0x48 is where the Standard Information Attribute begins (second bold section):

Following the standard attribute header is the File Name Attribute belonging to the DOS name space (short file names; third bold section, offset 0xA8), and, again following a standard attribute header, the File Name Attribute belonging to the Win32 name space (long file names; third bold section, offset 0x120):

In this case, the file name "My Presentation.ppt" can be extracted from this section, along with the File Creation and Modification times, as well as the Parent Directory Record number.

Starting at offset 0x188 is where the non-resident Data attribute begins (green section).

This section reveals the Compression Unit size (zero meaning non-compressed), the Allocated and Real size of the attribute, which is equal to the file size (0xDC00 = 56320 bytes), and the Data Runs (see the next topic).
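The scan described above, as an added Python example that is not code from the original page or from any recovery product: it walks fixed-size MFT records from offset 0x4000, tests the in-use flag, and reads the name, parent record and real size from the File Name and Data attributes. The sample volume is constructed (parent record 5 and the simplified record layout are assumptions), and update-sequence fixups are not applied.

```python
import struct

MFT_OFFSET, RECORD_SIZE = 0x4000, 1024   # values from the example volume on this page

def parse_record(rec):
    """Return (in_use, name, parent_record, size) or None; update-sequence fixups are not applied."""
    if len(rec) < 0x18 or rec[:4] != b"FILE":
        return None
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)   # first attribute offset, Flags
    name = parent = size = None
    while attr_off + 16 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, attr_off)
        if atype == 0xFFFFFFFF or alen < 16 or attr_off + alen > len(rec):
            break                                        # end marker or corrupt length
        non_resident = rec[attr_off + 8]
        if atype == 0x30 and not non_resident and alen >= 0x18:   # File Name attribute
            c = attr_off + struct.unpack_from("<H", rec, attr_off + 0x14)[0]
            if c + 0x42 <= attr_off + alen and (name is None or rec[c + 0x41] != 2):
                parent = int.from_bytes(rec[c:c + 6], "little")   # low 48 bits of reference
                raw = rec[c + 0x42:c + 0x42 + 2 * rec[c + 0x40]]
                name = raw.decode("utf-16-le", "replace")         # long name wins over DOS name
        elif atype == 0x80 and rec[attr_off + 9] == 0:            # unnamed Data attribute
            fmt, pos = ("<Q", 0x30) if non_resident else ("<I", 0x10)
            if pos + 8 <= alen:
                size = struct.unpack_from(fmt, rec, attr_off + pos)[0]
        attr_off += alen
    return bool(flags & 0x0001), name, parent, size

def scan_deleted(volume, count):
    """Yield (record_no, name, parent, size) for FILE records whose in-use flag is clear."""
    for n in range(count):
        off = MFT_OFFSET + n * RECORD_SIZE
        info = parse_record(volume[off:off + RECORD_SIZE])
        if info and not info[0]:
            yield (n,) + info[1:]

def make_attr(atype, body, non_resident=0):
    # Constructed-sample helper: 16-byte common attribute header plus body, padded to 8 bytes
    body += b"\0" * (-(16 + len(body)) % 8)
    return struct.pack("<IIBBHHH", atype, 16 + len(body), non_resident, 0, 0, 0, 0) + body

def sample_volume():
    """Constructed image (not real disk data): one deleted file in MFT record 57."""
    fname = "My Presentation.ppt".encode("utf-16-le")
    content = (5).to_bytes(8, "little") + b"\0" * 0x38 + bytes([len(fname) // 2, 1]) + fname
    fn = make_attr(0x30, struct.pack("<IH2x", len(content), 0x18) + content)
    data = make_attr(0x80, struct.pack("<QQHH4xQQQ", 0, 0, 0x40, 0, 0xDC00, 0xDC00, 0xDC00), 1)
    hdr = (b"FILE" + b"\0" * 0x10 + struct.pack("<HH", 0x38, 0)).ljust(0x38, b"\0")
    rec = (hdr + fn + data + b"\xff" * 4).ljust(RECORD_SIZE, b"\0")
    return bytes(MFT_OFFSET + 57 * RECORD_SIZE) + rec      # record 57 lands at 0x12400
```

Calling `list(scan_deleted(sample_volume(), 58))` returns the single deleted entry with its name, parent record number and size.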

See also Example of scanning folder on FAT16