Authors: Anish Kumar, Sourav Ray, Ambrose Henrey Mwikwabe, Shreya Gandh, Rohit Kumar Singh
Abstract: The New Technology File System (NTFS) is the default file system for modern Windows and contains rich metadata (journaling, security descriptors, etc.) that aids forensic investigations. Its Master File Table (MFT) holds records for every file (even deleted ones), while transactional logs ($LogFile and $UsnJrnl) record detailed changes. However, NTFS also offers covert storage (alternate data streams, directory $DATA, and boot record slack) and exhibits known integrity flaws. This paper reviews current NTFS forensic methods – including MFT parsing, journal analysis, and hidden-data detection [3, 4] – and identifies weaknesses (e.g. limited $MFTMirror backup, unexamined boot sector areas [6]). We propose novel recovery techniques: an enhanced boot-sector reconstruction algorithm (combining backup boot data with $LogFile-derived geometry) and an improved metadata restoration process that leverages $LogFile and signature scanning when the MFT is damaged. We demonstrate these on synthetic NTFS images and show improved recovery of system structures and hidden content compared to baseline tools. The contributions include new forensic workflows and illustrative diagrams of NTFS layout and analysis steps.
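As an added illustration of the boot-sector reconstruction step (example code written for this page, not the paper's own tool), the following parses the geometry fields of an NTFS boot sector, applies structural sanity checks, and falls back to the backup copy that NTFS keeps in the last sector of the volume when the primary copy is damaged. The $LogFile-derived geometry the paper combines with this is assumed to be handled by a separate step; the sample sector built by `make_boot_sector` is constructed, not taken from a real image.

```python
import struct

NTFS_OEM_ID = b"NTFS    "
GEOMETRY_FIELDS = ("bytes_per_sector", "sectors_per_cluster", "total_sectors",
                   "mft_lcn", "mftmirr_lcn", "mft_record_size")

def parse_boot_sector(sector: bytes) -> dict:
    """Decode the NTFS BPB / extended BPB fields that fix the volume geometry."""
    if len(sector) < 512:
        raise ValueError("need at least 512 bytes")
    bps, spc = struct.unpack_from("<HB", sector, 0x0B)
    total, mft_lcn, mirr_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    cpr = struct.unpack_from("<b", sector, 0x40)[0]
    # A negative value means the record size is 2**(-cpr) bytes, not a cluster count.
    rec = (1 << -cpr) if cpr < 0 else cpr * spc * bps
    return {"oem_id": sector[3:11], "bytes_per_sector": bps, "sectors_per_cluster": spc,
            "total_sectors": total, "mft_lcn": mft_lcn, "mftmirr_lcn": mirr_lcn,
            "mft_record_size": rec, "signature": sector[510:512]}

def is_plausible(info: dict) -> bool:
    """Structural checks a carver applies before trusting a boot sector's geometry."""
    clusters = info["total_sectors"] // max(info["sectors_per_cluster"], 1)
    return (info["oem_id"] == NTFS_OEM_ID and info["signature"] == b"\x55\xaa"
            and info["bytes_per_sector"] in (512, 1024, 2048, 4096)
            and info["sectors_per_cluster"] in (1, 2, 4, 8, 16, 32, 64, 128)
            and 0 < info["mft_lcn"] < clusters and 0 < info["mftmirr_lcn"] < clusters)

def reconstruct_geometry(primary: bytes, backup: bytes) -> tuple:
    """Choose a trustworthy geometry from the primary/backup pair; report field disagreements."""
    p, b = parse_boot_sector(primary), parse_boot_sector(backup)
    diffs = [f for f in GEOMETRY_FIELDS if p[f] != b[f]]
    if is_plausible(p):
        return "primary", p, diffs
    if is_plausible(b):
        return "backup", b, diffs
    raise ValueError("neither boot sector passes checks; fall back to $LogFile/signature scan")

def make_boot_sector(total_sectors=2097151, mft_lcn=87381, mirr_lcn=2) -> bytes:
    """Constructed sample: minimal boot sector for a 1 GiB volume (512 B sectors, 8 per cluster)."""
    s = bytearray(512)
    s[3:11] = NTFS_OEM_ID
    struct.pack_into("<HB", s, 0x0B, 512, 8)
    struct.pack_into("<QQQ", s, 0x28, total_sectors, mft_lcn, mirr_lcn)
    struct.pack_into("<b", s, 0x40, -10)   # 1024-byte MFT records
    s[510:512] = b"\x55\xaa"
    return bytes(s)
```

Disagreements between the two copies are returned rather than silently resolved, since a field that differs only in the primary sector is itself evidence worth recording in the examination notes.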