NTFS Volume

NTFS (New Technology File System) was developed by Microsoft as a replacement for the FAT (File Allocation Table) file system. By the 1990s FAT was proving to have many limitations, some of which were addressed to improve its usability, but a newer, more versatile, multi-user-ready and reliable file system was required. The first version was released in 1993 with Windows NT 3.1, with the last major update coming with the release of Windows XP.

Features of NTFS Data Volumes

The maximum cluster size supported by an NTFS partition is 64kB, with the maximum volume size (2^64-1 clusters) being 256TB. The theoretical maximum file size is 16EB, although as of Windows 8, it has been restricted to 256TB. The file system can be set up to allow data compression, which uses the LZNT1 algorithm, to improve disk space usage and in some instances improve data throughput when reading data. Alternate Data Streams (ADS) are available, initially to provide a means of implementing Services for Macintosh (SFM). Sparse file allocation is also available, which allows for the creation of large blank files almost instantaneously, without having to reserve the file allocation on disk first.

NTFS volumes also provide journalling, which stores copies of data that is about to be moved or modified so that, in the event of a system crash or power failure, uncommitted changes to critical data structures can be rolled back when the volume is remounted. Data encryption is another available option for Professional, Ultimate and Server editions of Windows. In line with most mainframe and Unix systems, user quotas can be implemented on an NTFS volume.

NTFS Internal Data Structures

All file and directory metadata, such as file name, file dates, access control information and size, is stored in the Master File Table (MFT), itself a file, which is opened when the file system is mounted. Two copies of the first 32 MFT entries (usually 1kB each) are stored in two locations, allowing possible corruption of the first copy to be overcome; the locations of both are held in the NTFS volume boot sector. A copy of the boot sector is also held in the last sector of the partition.
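
As an added example (not part of the original page), the Python code below decodes the boot sector fields that hold the locations of both MFT copies and the MFT record size, the first step when checking whether a damaged volume's MFT can still be found. The field offsets follow the standard NTFS boot sector layout; the function names and the sample sector values are constructed for illustration.

```python
import struct

def parse_ntfs_boot_sector(sector: bytes) -> dict:
    """Decode the boot sector fields that locate the MFT and its second copy."""
    if len(sector) < 512:
        raise ValueError("boot sector must be at least 512 bytes")
    if sector[3:11] != b"NTFS    ":
        raise ValueError("OEM ID is not 'NTFS    '")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA end-of-sector signature")

    # 0x0B: bytes per sector (u16), 0x0D: sectors per cluster (u8)
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sector, 0x0B)
    # 0x28: total sectors, 0x30: MFT start cluster, 0x38: MFT copy start cluster
    total_sectors, mft_lcn, mirror_lcn = struct.unpack_from("<QQQ", sector, 0x28)
    # 0x40: MFT record size, stored as a signed byte
    (raw_size,) = struct.unpack_from("<b", sector, 0x40)
    if bytes_per_sector == 0 or sectors_per_cluster == 0 or raw_size == 0:
        raise ValueError("zero sector, cluster or record size")

    cluster_size = bytes_per_sector * sectors_per_cluster
    # Positive value: record size in clusters. Negative value: 2**|value| bytes.
    record_size = raw_size * cluster_size if raw_size > 0 else 1 << -raw_size
    return {
        "cluster_size": cluster_size,
        "total_sectors": total_sectors,
        "mft_record_size": record_size,
        "mft_offset": mft_lcn * cluster_size,            # byte offset in the volume
        "mft_mirror_offset": mirror_lcn * cluster_size,  # byte offset in the volume
    }

def build_sample_boot_sector() -> bytes:
    """Constructed sample: 512-byte sectors, 8 sectors per cluster, 1kB records."""
    s = bytearray(512)
    s[0:3] = b"\xeb\x52\x90"                               # jump instruction
    s[3:11] = b"NTFS    "                                  # OEM ID
    struct.pack_into("<HB", s, 0x0B, 512, 8)
    struct.pack_into("<QQQ", s, 0x28, 2097151, 786432, 2)  # constructed values
    struct.pack_into("<b", s, 0x40, -10)                   # 2**10 = 1024 bytes
    s[510:512] = b"\x55\xaa"
    return bytes(s)

if __name__ == "__main__":
    for key, value in parse_ntfs_boot_sector(build_sample_boot_sector()).items():
        print(f"{key}: {value}")
```

The same function can be run against the boot sector copy at the end of the partition; differing results between the two copies indicate that one of them is damaged.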

Recoverability of NTFS

The robust nature of NTFS makes it a highly recoverable file system, which can be rebuilt successfully even with the loss of large sections of system data structures. The release of NTFS with Windows XP saw the introduction of numbered records within the MFT, which can be used to resequence the entries in the event of the loss of its allocation information. These can also be used in the event of reformatting the file system, in order to rebuild the directory structure and locate all recoverable files.

During normal data recovery analysis, it is possible to scan for lost files and directories, the results of which are usually very good. Scanning for deleted files and directories can also yield good results, but this depends upon whether data was written to the file system after the items in question were deleted. It is only in the rarest and most severe cases of data corruption or unreadable disk sectors that data recovery from NTFS may be unsuccessful.

