Abstract

Data storage devices use a specific structure when storing or accessing the stored data. This is called file system. Before beginning to store data in the data storage device, it must be formatted absolutely. While this data storage device is being formatted, the file system should be selected.NTFS, the most commonly used file system, keeps the files in the disk as a list in the MFT (Master File Table) file. Even if the file is deleted, the file record in this table will not be deleted. The physical location of the file can be found by looking at these MFT records.In this study, computer software was created on the basis of restoring the disk using a MFT file of the NTFS file system, and the result was examined.When national studies are examined, data recovery programs on the market are compared with each other. When international studies are examined, it is seen that NTFS and MFT concepts are explained but data recovery method using MFT records is not examined in detail.

References

[1] Merrick, J. (2012, December 24). An Introductory Guide to Data Recovery. Retrieved October 03, 2018, from https://computers.tutsplus.com/tutorials/an-introductory-guide-to-datarecovery--mac-44549
[2] Naiqi, L., Zhongshan, W., Yujie, H. and Ke, Q. (2008). Computer forensics research and implementation based on NTFS file system. Proceedings - ISECS International Colloquium on
Computing, Communication, Control, and Management, CCCM 2008, 1, 519–523. doi:10.1109/CCCM.2008.236
[3] Mahant, S. H. and Meshram, B. B. (2012). NTFS Deleted Files Recovery: Forensics View. IRACST -International Journal of Computer Science and Information Technology & Security, 2(3), 491–497.
[4] Ravindra, P., Kalal, R., Soumya and Mandal, V. (2013). Logical data recovery technique for USB devices. Proceedings - 2013 International Conference on Emerging Trends in
Communication, Control, Signal Processing and Computing Applications, IEEE-C2SPCA 2013, 3–8. doi:10.1109/C2SPCA.2013.6749447
[5] Default cluster size for NTFS, FAT, and exFAT. (n.d.). Retrieved March 24, 2018, from https://support.microsoft.com/en-us/help/140365/default-cluster-size-for-ntfs-fat-and-exfat
[6] How NTFS Works: Local File Systems. (n.d.). Retrieved March 24, 2018, from https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server2003/cc781134(v=ws.10).
[7] Carrier B. File system forensic analysis. Addison-Wesley; 2005. pp. 71-72.
[8] Disk Concepts and Troubleshooting. (n.d.). Retrieved March 24, 2018, from https://technet.microsoft.com/en-us/library/cc977221.aspx.
[9] Carrier B. File system forensic analysis. Addison-Wesley; 2005. pp. 201.
[10] Russon, R. Concept - Attribute Header. (n.d.). Retrieved March 24, 2018, from https://flatcap.org/linux-ntfs/ntfs/concepts/attribute_header.html.
[11] MBR and GPT Disks. (n.d.). Retrieved March 25, 2018, from http://www.cse.scu.edu/~tschwarz/coen252_07Fall/Lectures/NTFS.html.
[12] Russon, R. Concept - Data Runs. (n.d.). Retrieved March 25, 2018, from https://flatcap.org/linux-ntfs/ntfs/concepts/data_runs.html.
[13] Russon, R. NTFS - Attributes. (n.d.). Retrieved March 25, 2018, from https://flatcap.org/linuxntfs/ntfs/attributes/index.html.