We're talking about the NTFS file system, and in this module we're going to talk about NTFS file creation and deletion.

When a file or directory is created in NTFS, these are the steps that happen. A file record is created in the master file table (MFT) for that file. The bitmap for the MFT record is changed to indicate the record is allocated; that is the bitmap belonging to the MFT, and it's going to show that that file record within the MFT is allocated. The record header allocation flag shows it as an allocated file or directory, depending on whether it's a file or a folder. The attributes are written to the MFT file record. If the data is non-resident, the $Bitmap file is updated to represent the clusters allocated to store the data. So if it's non-resident, the $Bitmap file, that system file we talked about at the beginning of this course, will be updated to show that the clusters are allocated to store the data.

When a file is deleted, the record header sequence count (remember we talked about that sequence byte) is increased by one. That happens when the file is deleted. The record header allocation flag, and we're talking about the file record here, indicates a deleted file or directory. That's what happens to the file record in the MFT. The bitmap for the master file table, the $MFT bitmap, is changed to show that the file record within the MFT is now unallocated and able to be reused. If the file data is non-resident, not residing within the MFT, the $Bitmap file is updated to indicate the clusters are unallocated. The data itself does not get overwritten until, if it's a resident file, the master file table entry is reused, or, if it's non-resident, the data is overwritten out on the drive.

We're going to do a walkthrough. We're going to create a file and then delete it, and the items we're going to need are Active Disk Editor, the NTFS VHD, and Windows Explorer. Okay, the first thing we're going to need to do for our walkthrough is attach our VHD.
So we're going to go to Disk Management. Then we're going to go to Actions, Attach VHD. We're going to navigate out to where we saved our NTFS VHD, select it, and hit Open. Once we're sure we have the right VHD, we're going to click OK and the VHD will mount. Once your virtual hard drive mounts, note the disk number and the drive letter. The volume we're going to use for this walkthrough is the first NTFS volume on this drive, which should be your second volume in, titled NTFS, and it should be 200 megabytes in size. So remember the drive letter. Mine is B, but yours could be different.

Then we're going to go ahead and create a file on that drive. So bring up your NTFS volume (B: in my case) in File Explorer. I've created a text document here called Delete Me.txt. To create a text document, all you have to do is right click, New, Text Document, then name it Delete Me.txt. Once you've done that, go ahead and open it up and put some data in there. I just wrote, "This is a file that I will delete. Then we will recover it later." You can write anything you want in there, but just put some data in there, then hit File, Save, and then go ahead and close the file.

Once you've done that, go ahead and open up Active Disk Editor. When Active Disk Editor launches, you're going to go to Open Disk, and now we're going to go to Volumes in our selection bar next to Disk. We're going to select Volumes, and we're going to select that NTFS volume again, mine's B, yours could be different, and we're going to select Open. Now when it opens up, it's going to take us to the volume boot record like it usually does, but we want to browse the file records. So we're going to select Browse File Records, right under the Edit button. We're going to scroll down, find that Delete Me.txt, and take a look at its file record for a minute. It starts with "FILE" in ASCII, so we know we're looking at an NTFS file record.
You can see the flags, and the flags indicate that it is an allocated file. Hexadecimal 01 indicates it is in use and it is not a directory, so that indicates an allocated file. So we can see that it's allocated, we can see the attributes, we can see the data attribute. We can see that in our case this is a resident data attribute and the data is right there: "This is a file that I will delete. Then we will recover it later." What I want you to do is note the sector number we're on. So go ahead and write that sector number down. 136630 is what my sector number is. Yours may be different, but just write your sector number down.

Okay, now what we're going to do is go ahead and close the volume, and we're going to close Active Disk Editor. We're going to bring up File Explorer again. Now we're going to highlight Delete Me.txt, hold down our Shift key, right click, and delete this file. It's going to ask you if you're sure you want to permanently delete it, and we're going to say yes. By holding down the Shift key, we're bypassing the Recycle Bin. I'll show you it is not in the Recycle Bin. That's not the same file, but it is not in the Recycle Bin. There's no Delete Me.txt in the Recycle Bin.

Now what we're going to do is go ahead and go back to Active Disk Editor. So we're going to relaunch Active Disk Editor, open disk again, select Volumes, select our NTFS volume that we were working with before, and click Open. Now we're going to, again, go to Browse File Records, right under Edit. We're going to scroll through, and we no longer see Delete Me.txt. It's no longer listed here. So now we're going to navigate out to that sector. We're going to go to Go to Sector, type in the sector number we wrote down, and click OK. We can see it takes us out to a file record.
So change your template to NTFS MFT Record, highlight the F in FILE, right click, and set the template position. Now we can see the offsets in our file record. We can see the ASCII "FILE" signature. We look at the flags now, and the flags have changed. They're no longer 01; they're 00, which says it is not in use, so it's able to be written to, and it is not a directory. So it is an unallocated file at this point, a deleted, unallocated file. And we notice the sequence byte has changed from 01 to 02 because we deleted it. So the sequence byte has incremented by one and the flags have changed. In our next module, we're going to talk about how we would recover that file. But I just wanted to show you the changes that happen in the MFT record. Your sequence byte will increase by one and your flags will show that it is unallocated.
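As an added example (not part of this course module, and not code from Active Disk Editor), here is a small Python parser for the MFT record header fields the module describes and the walkthrough inspects: the "FILE" signature, the sequence number at offset 0x10, and the flags word at offset 0x16, where bit 0 is "in use" and bit 1 is "directory". It builds a constructed record, applies the deletion changes the module lists (sequence incremented, in-use flag cleared, attributes and resident data left in place), tests and clears the matching bit in a constructed $MFT bitmap the way the $MFT bitmap and $Bitmap are updated, and scans a constructed MFT image for records in the deleted state. The header offsets follow the standard NTFS record layout; the sample record bytes, the record number 40, the bitmap contents and the sizes in the header are constructed values, not taken from the walkthrough's VHD.

```python
import struct

# Standard NTFS MFT record header layout (offsets from the start of the record)
SEQ_OFFSET = 0x10        # 2-byte sequence number, incremented when the record is freed
FLAGS_OFFSET = 0x16      # 2-byte flags word
FLAG_IN_USE = 0x0001     # bit 0: record is allocated
FLAG_DIRECTORY = 0x0002  # bit 1: record describes a directory


def build_record_header(seq, flags, record_no=0):
    """Construct a 48-byte MFT record header (sample data, not from a real disk)."""
    hdr = bytearray(48)
    hdr[0:4] = b"FILE"                                # record signature
    struct.pack_into("<HH", hdr, 0x04, 0x30, 0x03)    # update sequence array offset / count
    struct.pack_into("<Q", hdr, 0x08, 0)              # $LogFile sequence number
    struct.pack_into("<HHHH", hdr, 0x10, seq, 1, 0x38, flags)  # seq, hard links, first attr, flags
    struct.pack_into("<II", hdr, 0x18, 0x1A8, 0x400)  # used / allocated size of the record
    struct.pack_into("<Q", hdr, 0x20, 0)              # base record reference (0 = base record)
    struct.pack_into("<HH", hdr, 0x28, 4, 0)          # next attribute id, alignment
    struct.pack_into("<I", hdr, 0x2C, record_no)      # MFT record number
    return bytes(hdr)


def parse_record_header(record):
    """Decode the header fields the walkthrough inspects in Active Disk Editor."""
    if record[0:4] != b"FILE":
        raise ValueError("not an MFT FILE record (signature mismatch)")
    seq, links, first_attr, flags = struct.unpack_from("<HHHH", record, 0x10)
    used, allocated = struct.unpack_from("<II", record, 0x18)
    return {
        "sequence": seq,
        "hard_links": links,
        "first_attr_offset": first_attr,
        "flags": flags,
        "in_use": bool(flags & FLAG_IN_USE),
        "is_directory": bool(flags & FLAG_DIRECTORY),
        "used_size": used,
        "allocated_size": allocated,
    }


def describe_state(record):
    """One-line summary: allocation state, file/directory, sequence and flags."""
    h = parse_record_header(record)
    kind = "directory" if h["is_directory"] else "file"
    state = "allocated" if h["in_use"] else "unallocated (deleted)"
    return f"{state} {kind}, sequence {h['sequence']:#04x}, flags {h['flags']:#06x}"


def apply_delete(record):
    """Return the record as NTFS leaves it after deletion: sequence number
    incremented, in-use flag cleared; attributes and resident data untouched."""
    h = parse_record_header(record)
    out = bytearray(record)
    struct.pack_into("<H", out, SEQ_OFFSET, (h["sequence"] + 1) & 0xFFFF)
    struct.pack_into("<H", out, FLAGS_OFFSET, h["flags"] & ~FLAG_IN_USE)
    return bytes(out)


def bitmap_is_allocated(bitmap, index):
    """Bit test for $MFT's bitmap (one bit per record) or the volume $Bitmap
    (one bit per cluster): bit n lives in byte n // 8, least significant bit first."""
    return bool(bitmap[index >> 3] & (1 << (index & 7)))


def bitmap_mark(bitmap, index, allocated):
    """Return a copy of the bitmap with bit `index` set (allocated) or cleared."""
    out = bytearray(bitmap)
    if allocated:
        out[index >> 3] |= 1 << (index & 7)
    else:
        out[index >> 3] &= 0xFF ^ (1 << (index & 7))
    return bytes(out)


def find_deleted_records(mft_image, record_size=1024):
    """Scan an MFT image and return (record number, header) for every FILE
    record whose in-use flag is clear: the state Delete Me.txt is in after deletion."""
    hits = []
    for off in range(0, len(mft_image) - record_size + 1, record_size):
        rec = mft_image[off:off + record_size]
        if rec[0:4] != b"FILE":
            continue            # unused or zeroed slot, no signature
        h = parse_record_header(rec)
        if not h["in_use"]:
            hits.append((off // record_size, h))
    return hits


def walkthrough():
    """Replay the module's before/after observations on constructed data."""
    before = build_record_header(seq=1, flags=FLAG_IN_USE, record_no=40)
    after = apply_delete(before)
    # constructed $MFT bitmap: records 0..40 allocated (bit 0 of byte 5 is record 40)
    mft_bitmap = bytes([0xFF] * 5 + [0x01])
    mft_bitmap_after = bitmap_mark(mft_bitmap, 40, allocated=False)
    return {
        "before": describe_state(before),
        "after": describe_state(after),
        "bitmap_before": bitmap_is_allocated(mft_bitmap, 40),
        "bitmap_after": bitmap_is_allocated(mft_bitmap_after, 40),
    }


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

Running the block prints the same transition the walkthrough shows in the hex view: sequence 0x01 and flags 0x0001 before deletion, sequence 0x02 and flags 0x0000 after, with the record's bit in the $MFT bitmap going from set to clear while the rest of the record bytes stay untouched. The `find_deleted_records` scan is the flag-based check a recovery tool starts from: a slot that still carries the "FILE" signature but has the in-use bit clear is a deleted record whose attributes have not yet been overwritten.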