Sign In
In this module

Deleted File Recovery from MFT

14 hours · Module 1 · Free
Operational Objective
File deletion in NTFS is a metadata operation, not a data destruction operation. When a user deletes a file — even from the Recycle Bin — NTFS marks the MFT entry as free, removes the file's entry from the parent directory index, frees the file's clusters in the volume bitmap, and logs the operation in the USN Journal. What NTFS does not do is zero the MFT record, zero the directory index entry, or zero the data clusters. Every component of the deleted file persists in its original location until overwritten by new data. This creates a recovery window whose duration depends on volume activity, storage type (HDD vs SSD), and the specific component being recovered. MFT-based recovery — recovering file metadata and potentially file content from the MFT record itself — is the most reliable form of deleted file recovery because MFT entries are overwritten only when a new file is allocated to the same entry, and the MFT is stored in a contiguous region of the volume that is not subject to SSD TRIM. This subsection teaches the complete deleted file recovery methodology from MFT data: identifying recoverable entries, extracting metadata, recovering resident file content, assessing non-resident data recoverability, and documenting recovery findings for forensic reports.
Deliverable: Ability to identify deleted file MFT entries, extract recoverable metadata (filename, timestamps, parent directory, file size), recover resident file content directly from MFT records, assess non-resident data recoverability using volume bitmap analysis, and document recovery methodology and confidence for forensic reports.
Estimated completion: 40 minutes
DELETED FILE RECOVERY — WHAT PERSISTS AFTER DELETION MFT RECORD Recovery: HIGH ✓ Filename (from $FN attribute) ✓ All 8 timestamps ($SI + $FN) ✓ Parent directory reference ✓ File size and flags ✓ Resident data (files < ~700B) ✓ Data run list (cluster locations) Persists until MFT entry reallocated $I30 DIRECTORY INDEX Recovery: MODERATE ✓ Filename (copy from index entry) ✓ $FN timestamps (copy in entry) ✓ MFT entry reference ✓ File size at time of indexing ✗ No file content ✗ No $SI timestamps Persists in $I30 slack until overwritten DATA CLUSTERS Recovery: VARIES HDD: data persists until cluster reused SSD: TRIM may zero clusters quickly Fragmented: partial recovery possible Encrypted: requires user key for EFS Compressed: needs decompression Persists until clusters allocated to new file RECOVERY DECISION TREE 1. Is MFT entry still free (flags 0x00)? → YES: full metadata recovery. Check if $DATA is resident → content recovery. 2. MFT entry reallocated? → Check $I30 slack in parent directory for filename/timestamp recovery. 3. Need file content (non-resident)? → Check volume bitmap for cluster allocation status. HDD: likely intact. SSD: verify cluster content. SSD TRIM — THE RECOVERY KILLER When NTFS frees clusters, it sends TRIM commands to the SSD controller. The controller may zero the underlying flash blocks at any time. TRIM does NOT affect MFT records — the MFT is in a fixed region not subject to TRIM. MFT-based metadata recovery works on SSDs. TRIM DOES affect data clusters — non-resident file content may be zeroed within minutes of deletion on SSDs. Critical implication: on SSDs, MFT metadata recovery is often the ONLY recovery available. Content recovery requires HDD or pre-deletion backup.

Figure WF1.10 — Three sources of deleted file evidence and their recovery characteristics. MFT records provide the most complete metadata recovery. $I30 directory slack provides backup filename/timestamp evidence. Data clusters provide content recovery but are vulnerable to SSD TRIM and cluster reallocation.

Identifying deleted entries in MFTECmd output

MFTECmd marks deleted MFT entries in its output with the InUse column set to False. These entries have the record flags set to 0x00 (deleted file) or 0x02 (deleted directory) in the MFT record header. Every deleted entry in MFTECmd output is a potential recovery candidate — the filename, timestamps, parent path, and file size are available for analysis.

To find deleted entries systematically: load the MFTECmd output in Timeline Explorer, filter the InUse column for False, and sort by Created0x10 or Created0x30 descending (most recently created files first). Recently created files that have been deleted are often the most forensically interesting — malware that was deployed and then cleaned up, documents that were copied and then deleted from the staging location, or temporary files created during an attack that the attacker removed.

The sequence number on each deleted entry indicates how many times the MFT entry has been recycled. A deleted entry with sequence number 2 (allocated once at seq 1, freed at seq 2) is in its first free state — the metadata belongs to the one and only file that ever used this entry. A deleted entry with sequence number 14 has been through multiple allocation cycles — the metadata belongs to the most recent file that used the entry (the one freed at sequence 13 or 14, depending on the increment pattern).

Not all deleted entries are complete. If the entry was partially overwritten by a subsequent allocation that was itself deleted, the attributes may be damaged. MFTECmd handles most partial records gracefully — it extracts whatever attributes are parseable and flags incomplete records. But for critical evidence, always verify the raw hex to confirm the attributes are intact.

Compliance Myth: "Forensic imaging should happen within 24 hours because deleted file evidence degrades quickly"
The rate of evidence degradation depends on volume activity, not elapsed time. A server with constant file creation and deletion may reallocate MFT entries and overwrite clusters within hours. A workstation that is powered off at the end of the investigation day retains all evidence indefinitely — nothing changes while the system is off. A workstation that remains in use but isn't creating many new files may retain deleted MFT entries for weeks. The recommendation should be "image as soon as practical and minimize use of the evidence system" rather than an arbitrary 24-hour deadline. The urgency is proportional to the volume activity: high-activity systems (servers, shared workstations) should be imaged immediately, while low-activity systems (the suspect's laptop held by HR) can wait if necessary, though sooner is always better.

Recovering resident file content

For deleted files under approximately 700 bytes, the $DATA attribute is resident — the file's content is stored directly in the MFT record. When the file is deleted, the MFT entry is marked as free but the content remains in the record's $DATA attribute. This content is recoverable until the MFT entry is reallocated.

The recovery process: identify the deleted entry in MFTECmd output (InUse = False, file size under 700 bytes). Calculate the MFT record offset (EntryNumber × 1,024). Open the raw MFT in HxD. Navigate to the calculated offset. Walk the attribute chain to locate the $DATA attribute (type 0x80). Verify the non-resident flag is 0 (resident). Read the content offset and content size from the attribute header. Extract the specified bytes from the content area.

The extracted bytes are the literal file content. For a text file, the bytes are the ASCII or UTF-8 text. For a batch script, the bytes are the script commands. For a small configuration file, the bytes are the configuration data. No decoding or reconstruction is needed — the content is complete and intact.

MFTECmd does not export resident data content in its standard CSV output. To recover resident content, manual extraction from the raw MFT is required. Future tool versions may add this capability, but as of 2026, resident data recovery is a manual hex analysis task — which is why the binary analysis skills taught in WF1.1 through WF1.4 are essential.

Small files that are commonly resident and forensically valuable when recovered from deleted entries: PowerShell scripts (.ps1), batch files (.bat, .cmd), small configuration files (.cfg, .ini, .conf), text notes (.txt), CSV data snippets, small XML files, and registry export snippets. In the ransomware scenario (INC-NE-2026-1022), the attacker may have used a small batch script to deploy the ransomware across multiple hosts — that script, deleted after execution, may be recoverable from its MFT record if the entry hasn't been reallocated.

Assessing non-resident data recoverability

For deleted files larger than approximately 700 bytes, the content is stored in clusters on disk. The MFT record's $DATA attribute contains the data run list that maps the file's logical extent to physical clusters. When the file is deleted, the clusters are freed in the volume bitmap but the data persists in the clusters until overwritten.

The recoverability assessment depends on three factors:

Volume bitmap status. Check whether the file's clusters are still marked as free (unallocated) in the volume bitmap ($Bitmap, MFT entry 6). If free, no new data has been written to those clusters since deletion. If allocated, a new file has been assigned those clusters and the original data is partially or fully overwritten.

Storage type. On HDDs, freed clusters retain their data indefinitely until overwritten. On SSDs with TRIM enabled (default on Windows 10/11), the SSD controller may zero freed blocks at any time after the TRIM command. The TRIM command is sent when NTFS frees the clusters — meaning the zeroing can begin within seconds of deletion. On SSDs, even if the volume bitmap shows the clusters as free, the actual flash blocks may already be zeroed.

Fragmentation. If the file's data runs show contiguous clusters, recovery is all-or-nothing — either the entire cluster range is intact or it's been overwritten. If the file is fragmented across multiple non-contiguous runs, each run must be assessed independently. Some runs may be intact while others are overwritten, producing partial recovery.

Decision point

You find a deleted executable (47 KB) in a temporary directory on the suspect's SSD-based workstation. The MFT entry is still free (InUse = False) and the $DATA attribute's data run list shows the file occupied clusters 180,000–180,011 (12 clusters × 4 KB = 48 KB). The volume bitmap shows these clusters are free (unallocated). The file was deleted 6 hours ago. The workstation has been running continuously since deletion.

Your options: (A) The volume bitmap confirms the clusters are free, so no new data has overwritten them. Extract the clusters and recover the executable. (B) The workstation has an SSD with TRIM enabled. Six hours is more than enough time for the SSD controller to have zeroed the freed blocks. Extract the clusters but verify they contain actual data (non-zero content) before concluding recovery is successful. If the clusters are zeroed, document that SSD TRIM has destroyed the file content and the metadata from the MFT record (filename, timestamps, parent directory, file size) is the only available evidence.

The correct approach is B. On an SSD, TRIM commands are sent when clusters are freed. The SSD controller's garbage collection may zero the underlying flash blocks at any time — typically within minutes for modern NVMe SSDs, though the exact timing varies by controller firmware. Always verify the cluster content before claiming successful recovery on SSD evidence. If the clusters are zeroed, your report should state: "The file's MFT metadata is intact (filename, timestamps, parent directory, 47 KB size). The file's data clusters have been zeroed by SSD TRIM, and the file content is not recoverable from this evidence source. Alternative recovery sources include Volume Shadow Copies (if available), backup systems, and the USN Journal for file operation evidence."

Recovery from the Recycle Bin

Before a file reaches the "permanently deleted" state, it typically passes through the Recycle Bin — the $Recycle.Bin directory. When a file is sent to the Recycle Bin (not Shift+Delete), NTFS renames it with a $R prefix followed by a random identifier, and creates a companion $I file containing the original path, original filename, deletion timestamp, and file size.

The $I file is a small binary structure: a header (version, file size, deletion time) followed by the original path in Unicode. RBCmd (Eric Zimmerman's Recycle Bin parser) extracts this information. The $R file is the actual file content, renamed but otherwise intact.

When the Recycle Bin is emptied, both the $I and $R files are deleted — but they follow the same deletion lifecycle as any other file. The MFT entries for the $I and $R files are freed, the clusters are released, and the data persists until overwritten. An examiner can recover the $I file from its freed MFT entry to determine the original filename and deletion timestamp, and potentially recover the $R file content from its freed clusters.

MFTECmd shows Recycle Bin files in its output — look for entries in the $Recycle.Bin parent path with $I and $R prefixed filenames. The $I files are small enough to be resident (under 700 bytes), making their content recoverable from the MFT even after the Recycle Bin has been emptied.

Try it: Identify and assess deleted file recovery candidates

Using MFTECmd output from the lab evidence:

1. Filter for deleted entries (InUse = False). Count the total number of recoverable deleted records. 2. Filter further for deleted entries with file size under 700 bytes. These are resident data recovery candidates. Identify any with interesting filenames (scripts, configuration files, text notes). 3. Filter for deleted entries with file size over 1 KB. These are non-resident files requiring cluster-level recovery. Sort by Created0x30 descending to find the most recently created (and therefore most likely recoverable) deleted files. 4. Identify deleted entries in the $Recycle.Bin path. Match $I and $R files by their random identifiers. The $I files contain the original path and deletion time. 5. For one resident deleted file (under 700 bytes), calculate its MFT offset (EntryNumber × 1,024), open the raw MFT in HxD, walk to the $DATA attribute, and extract the resident content. Verify the content makes sense for the file type (text is readable, scripts contain commands). 6. Document your findings: total deleted entries, resident recovery candidates, non-resident recovery candidates, Recycle Bin entries, and the content of the resident file you recovered.

Documenting recovery methodology

When including recovered deleted files in a forensic report, document five elements to establish the recovery's reliability:

The source. Which MFT entry, at which sequence number, with which allocation status (free, allocated, partially overwritten). "MFT entry 38,271 (sequence 6, flags 0x00 — not in use)."

The recovery method. How the data was extracted — MFTECmd parsing for metadata, manual hex extraction for resident content, cluster extraction for non-resident content. "Resident file content (412 bytes) extracted manually from the MFT record at offset 0x254FC00, $DATA attribute content area."

The integrity verification. How you confirmed the recovered data is intact — attribute chain validation, content consistency check, hash of extracted content. "The $DATA attribute header is intact (type 0x80, length 0x1C8, non-resident flag 0, content size 412). The extracted 412 bytes parse as valid ASCII text consistent with a Windows batch script."

The confidence assessment. Your assessment of the recovery's reliability based on the entry's allocation status and the data's integrity. "Recovery confidence: HIGH. The MFT entry is in a free state with intact attributes. The resident data is complete and parses correctly. No evidence of partial overwriting."

The limitations. What the recovery does not provide. "This recovery provides the file's content, name, timestamps, and parent directory at the time of deletion. It does not establish which user created or deleted the file — that determination requires correlation with authentication events and Prefetch data."

You find a deleted file "deploy_ransomware.bat" (267 bytes) in MFTECmd output. The entry is free (InUse = False), sequence number 4. The file was in C:\Windows\Temp\. You navigate to the MFT record in HxD and find the $DATA attribute with non-resident flag = 0, content size = 267 bytes. You extract the content and it reads as a valid batch script containing `psexec \\SRV-NGE-FS01 -c C:\ProgramData\Updates\locker.exe`. What is the forensic significance and how do you report it?
The file is interesting but the recovery is unreliable because sequence number 4 means the MFT entry has been reused multiple times — the batch script may be from a previous occupant, not the most recent file.
This is a high-confidence recovery of the ransomware deployment script. The entry is free (current metadata belongs to the most recently deleted file). The resident content is fully intact (267 bytes, parses as a valid batch script). The script reveals the deployment method (PsExec to SRV-NGE-FS01) and the ransomware executable location (C:\ProgramData\Updates\locker.exe). Report as: "Recovered deleted batch script from MFT entry [N], sequence 4, free state. Content is 267 bytes of resident data extracted from the $DATA attribute. The script executes PsExec to deploy locker.exe to the file server. Recovery confidence: HIGH — intact resident data in a free MFT entry. Corroborate with Prefetch (cmd.exe execution at the deployment time), Event Logs (PsExec service creation on SRV-NGE-FS01), and the locker.exe entry in MFT for the ProgramData directory."
The batch script should not be included in the report because deleted file evidence is not admissible — only active files on the system at the time of imaging can be presented as evidence.
The sequence number 4 indicates this is the fourth version of a file at this MFT entry. The previous three versions may have contained different script content, so you need to recover all four versions before drawing conclusions.
Operational Artifact — Deleted File Recovery Methodology and Documentation Template
This subsection provides the complete methodology for identifying, recovering, and documenting deleted files from MFT data. The recovery decision tree (MFT entry status → resident vs non-resident → cluster allocation → SSD TRIM assessment) should be applied systematically to every deleted file of investigative interest. For resident files under 700 bytes, manual extraction from the raw MFT provides complete content recovery independent of cluster status. For non-resident files, cluster-level analysis is required with SSD TRIM consideration. Document every recovery with five elements: source, method, integrity verification, confidence assessment, and limitations. This documentation standard ensures deleted file evidence is defensible under adversarial scrutiny and establishes the examiner's methodology as thorough and verifiable.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You've built the foundations of artifact-level forensic analysis.

WF0 gave you the taxonomy, NTFS architecture, and the five-step methodology. WF1 took you inside the MFT at the binary level — every attribute, every timestamp, every edge case. From here, every artifact category gets the same raw-first treatment.

  • WF2–WF10: every major Windows artifact decoded at binary level — USN Journal, Prefetch, Amcache, Shimcache, ShellBags, LNK, Jump Lists, SRUM, Event Logs, and the Registry hives
  • INC-NE-2026-0915 (WF13) — Insider data exfiltration capstone. Work the complete investigation from USB history to OneDrive exfiltration evidence
  • INC-NE-2026-1022 (WF14) — Ransomware capstone. Three-host triage (FIN01 → IT03 → FS01) across the 72-hour attack chain
  • The lab pack — 25+ realistic evidence files in 10 formats, simulated KAPE triage pre-populated, both capstones deployable to your own VM
  • Anti-forensic detection methodology — defeat timestomping, log clearing, and Prefetch deletion with cross-artifact correlation
Unlock with Specialist — £25/mo See Full Syllabus

Cancel anytime

← Previous Next →