SANS Digital Forensics and Incident Response Blog: Daily Archives: Oct 15, 2012

Resident $DATA Residue in NTFS MFT Entries

Hal Pomeranz, Deer Run Associates I came across a small but interesting artifact in the course of a recent investigation. Quick Google searching failed to find any documentation elsewhere, so here's a brief summary of my findings. The bottom line is that residue of old resident $DATA entries may exist in NTFS MFT records after … Continue reading Resident $DATA Residue in NTFS MFT Entries