On a Windows 7 (NTFS) system, if I take a copy of file A via "copy and paste" to a new file (file B), then after making changes to file A, subsequently copy file B back to file A (overwriting it), what happens? Do the same clusters originally used by file A get overwritten by the content of file B, or would different clusters be used, leaving the file A in unallocated, and therefore recoverable?
Basically, what I'm asking is whether copying a file to an existing filename destroys the content in the original file or whether the original contents would remain in unallocated clusters?
Thank you
What happens when you try this yourself?
Seriously. Download and install AccessData's FTK Imager (free tool) on your system.
Launch FTK Imager and extract the MFT for the volume where you're going to run your test (C:\, D:\, whatever). Parse the MFT and locate File A, noting the record and sequence number. Close FTK Imager.
Perform the test, and then open FTK Imager again, and add the local volume where you performed the test. Go to the folder in question, and see what the contents of File A's file slack look like. Then extract the MFT and parse it again, looking for File A. You can confirm the activity (copy-paste operations) through analysis of the USN Journal.
HTH
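Added example, not part of the original posts: a minimal Python parser for the "parse the MFT and note the record and sequence number" step above, which also decodes the $DATA run list so the clusters File A occupies before and after the test can be compared. The two records are constructed with arbitrary values, not results from a real volume; `make_record` and `compare` are hypothetical helper names.

```python
import struct

def parse_data_runs(buf):
    # Decode an NTFS run list into absolute (start_lcn, cluster_count) pairs.
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos]:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        end = pos + 1 + len_sz + off_sz
        count = int.from_bytes(buf[pos + 1:pos + 1 + len_sz], "little")
        # The offset is signed and relative to the previous run's start.
        lcn += int.from_bytes(buf[pos + 1 + len_sz:end], "little", signed=True)
        runs.append((lcn if off_sz else None, count))  # None marks a sparse run
        pos = end
    return runs

def parse_record(rec):
    # Assumption: update-sequence fixups (last 2 bytes of each sector) are not applied.
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    seq, _links, off, recno = struct.unpack_from("<HHH22xI", rec, 0x10)
    info = {"record": recno, "sequence": seq, "resident": None, "runs": []}
    while off + 16 <= len(rec):
        atype, alen, non_res, name_len = struct.unpack_from("<IIBB", rec, off)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if atype == 0x80 and name_len == 0:  # unnamed $DATA attribute
            info["resident"] = not non_res   # resident data lives in the record itself
            if non_res:
                run_off, = struct.unpack_from("<H", rec, off + 0x20)
                info["runs"] = parse_data_runs(rec[off + run_off:off + alen])
        off += alen
    return info

def compare(a, b):
    # Same record+sequence: MFT entry reused. Same runs: same clusters reused.
    return {"entry_reused": (a["record"], a["sequence"]) == (b["record"], b["sequence"]),
            "clusters_reused": a["runs"] == b["runs"]}

def make_record(recno, seq, runlist):
    # Constructed sample: FILE record with one non-resident unnamed $DATA attribute.
    rec = bytearray(b"FILE".ljust(1024, b"\0"))
    struct.pack_into("<HHH22xI", rec, 0x10, seq, 1, 0x38, recno)
    struct.pack_into("<IIB23xH", rec, 0x38, 0x80, 0x48, 1, 0x40)  # type, len, non-res, run offset
    rec[0x78:0x78 + len(runlist)] = runlist  # run list at attribute offset 0x40
    struct.pack_into("<I", rec, 0x80, 0xFFFFFFFF)  # end-of-attributes marker
    return bytes(rec)

# Constructed inputs only; run parse_record on records carved from your own $MFT exports.
BEFORE = parse_record(make_record(41, 3, b"\x21\x08\x00\x10\x00"))
AFTER = parse_record(make_record(41, 3, b"\x21\x08\x00\x30\x00"))
```

On a real export, read the 1024-byte record for File A from each extracted $MFT and pass both results to `compare`.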
If you want to know the specifics that neither $MFT nor $UsnJrnl will give you, then grab https://