← Back to blog

NTFS MFT vs FAT: what changed for forensics

· 3 min read

FAT (File Allocation Table) and NTFS solve the same problem — tracking which clusters belong to which file — but they answer it very differently. For a forensic analyst, the difference is the difference between "we know a file existed" and "we still know almost everything about it."

How FAT works

FAT keeps a single table where each entry maps one cluster to either:

  • the next cluster in the file
  • an end-of-chain marker
  • the value 0 meaning "free"

A separate directory entry pairs a filename with the first cluster. To read a file, you walk the chain. To delete one, FAT clears all the cluster entries to 0 and replaces the first character of the filename in the directory entry with 0xE5. The rest is left behind — but only the rest, because the chain itself is destroyed: you can recover the first cluster and parts of the filename, but the linkage to subsequent clusters is gone.

This is why FAT recovery tools struggle on fragmented files. They can find fragments; they cannot reassemble them.

How NTFS works

NTFS replaces the allocation table with the Master File Table — a single file where every other file has at least one 1,024-byte record describing it. Each record is a small container with typed attributes: $STANDARD_INFORMATION, $FILE_NAME, $DATA, $INDEX_ROOT, and more.

Critically, $DATA does not point at a single first cluster. It carries a complete runlist — a sequence of (start cluster, length) pairs covering every fragment of the file. Deleting a file does not break that list.

What changes for forensics

  • Deleted files retain their runlist until the MFT slot is reused, so even badly fragmented files can be reconstructed.
  • Eight timestamps per record (four in SI, four in FN) provide cross-checks that FAT cannot offer.
  • Resident data for small files means recovery without ever touching the data area.
  • Journals ($UsnJrnl, $LogFile) provide an audit trail that FAT does not record.

If you have a choice between a FAT image and an NTFS image of the same incident, the NTFS one will almost always answer more questions.

Where you still meet FAT

FAT is not dead. You will still see it on:

  • USB sticks formatted at the factory
  • The EFI system partition on most Windows installs
  • SD cards from cameras and embedded devices

But for the OS volume on any modern Windows machine, you are looking at NTFS — and $MFT is the place to start.

Related posts

External resources