Microsoft developed NTFS (New Technology File System) to replace the FAT (File Allocation Table) file system. FAT had many inherent limitations, some of which were addressed to improve its usability, but by the 1990s it was clear that a newer, more versatile, multi-user ready and reliable file system was required. The first version of NTFS was introduced in 1993 with the release of Windows NT 3.1, Microsoft's first multi-user operating system. The last major update of NTFS came with the release of Windows XP.
With the prevalence of Windows systems, NTFS is a commonly used file system. In Windows Server environments and from Windows XP onwards, NTFS has become the default file system of choice. Many operating systems besides Windows are capable of mounting an NTFS data volume, mainly for ease of fast file data transfer, although rarely in a server environment. It is therefore common to see NTFS data volumes from both single disks and RAID array server environments arrive at our laboratory for data recovery.
NTFS Data Volume Features
The maximum volume size supported by an NTFS partition uses 2^64-1 clusters, allowing a 256TB partition if the maximum cluster size of 64kB is used. In theory a maximum file size of 16EB is possible, although this has been reduced to 256TB as of Windows 8. Data compression using the LZNT1 algorithm can be implemented to improve disk space usage, and can sometimes improve data throughput when reading data. Alternate Data Streams (ADS) are available, which were initially introduced to provide a means of implementing Services for Macintosh (SFM). Sparse file allocation is implemented in NTFS, allowing large blank files to be created almost instantaneously, without requiring on-disk file allocation first.
NTFS volumes use journaling, whereby all data changes are stored, so that following a system crash or power failure, uncommitted changes to critical data structures can be rolled back when the volume is remounted. Professional, Ultimate and Server editions of Windows allow data encryption to be set up. In common with most mainframe, Unix and server systems, disk quotas per user can be implemented on an NTFS volume.
NTFS Internal Data Structures
Metadata pertaining to files and directories, including file name, file dates, access control information and size, is stored within the Master File Table (MFT), a file in its own right that is opened when the file system is mounted. The first 32 MFT entries (usually 1kB each in size) are stored in two locations, which allows corruption of the first copy to be overcome; their locations are stored in the NTFS volume boot sector. A secondary copy of the boot sector is mirrored in the last sector of the partition.
NTFS is robust, making it a highly recoverable file system which can be rebuilt successfully even following the loss of a large number of the system data structures. To overcome a shortcoming in NTFS, numbered records within the MFT were introduced in Windows XP, allowing the entries to be re-sequenced in the event of the loss of its allocation information. After a file system has been reformatted, the MFT sequence numbers can be used to rebuild the directory structure and locate all recoverable files.
Lost files and directories can be scanned for during data recovery, the results of which are normally very good. Scanning the MFT for deleted files and directories may also yield good results, although this depends upon how much data has been written to the file system subsequent to the deletion of the files. Only in the rarest and most severe cases of data corruption or unreadable disk sectors will the results of data recovery from NTFS be unsuccessful.