Is it possible under normal circumstances that the magic number portion of an MFT record is "\0\0\0\0" instead of "FILE"?
I ask because we seem to have encountered a disk where this is the case, even though all the literature I can find says that this magic number is required. The image in question still works in EnCase, so I've been wondering if a zeroed out magic number is not actually a problem.
Yes - this can happen. That MFT record was never written to/used.
In this particular case there is a directory pointing to the record saying that the record contains a file, but the record itself doesn't start with FILE, which is what's confusing me.
Ok - in that case that's unusual. You could consult the USN to see if this is a valid file? Or check the MFT allocation bitmap?
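
The bitmap check suggested in the last reply can be scripted against an exported $MFT. The following is an added example, not code from the thread: it assumes 1024-byte records and that $MFT and its $BITMAP attribute are already available as raw bytes, and every function name and the sample data are constructed for illustration.

```python
import struct

RECORD_SIZE = 1024  # assumption: the common default FILE record size

def split_file_reference(ref):
    """64-bit file reference -> (record number: low 48 bits, sequence: high 16)."""
    return ref & 0xFFFFFFFFFFFF, ref >> 48

def bitmap_allocated(bitmap, recno):
    """Bit n (LSB first) of $MFT's $BITMAP attribute marks record n allocated."""
    byte = recno >> 3
    return byte < len(bitmap) and bool((bitmap[byte] >> (recno & 7)) & 1)

def check_reference(mft, bitmap, file_ref):
    """Return a list of inconsistencies for the record an index entry points to."""
    recno, ref_seq = split_file_reference(file_ref)
    rec = mft[recno * RECORD_SIZE:(recno + 1) * RECORD_SIZE]
    if len(rec) < RECORD_SIZE:
        return ["record number is past the end of $MFT"]
    findings = []
    allocated = bitmap_allocated(bitmap, recno)
    if not allocated:
        findings.append("bitmap marks the record as free")
    if rec[:4] != b"FILE":
        state = "zeroed" if rec[:4] == b"\0\0\0\0" else repr(rec[:4])
        findings.append(f"signature is {state}, bitmap allocated={allocated}")
        return findings  # header fields below are meaningless without FILE
    seq, = struct.unpack_from("<H", rec, 0x10)    # sequence number
    flags, = struct.unpack_from("<H", rec, 0x16)  # bit 0 = record in use
    if not flags & 0x01:
        findings.append("in-use flag is clear")
    if seq != ref_seq:
        findings.append(f"sequence {seq} != {ref_seq} in the reference")
    return findings

def make_record(sig=b"FILE", seq=0, flags=0):
    """Constructed test record: only signature, sequence and flags are filled."""
    rec = bytearray(RECORD_SIZE)
    rec[0:4] = sig
    struct.pack_into("<H", rec, 0x10, seq)
    struct.pack_into("<H", rec, 0x16, flags)
    return bytes(rec)

# Constructed sample: record 2 is zeroed although the bitmap marks it allocated.
SAMPLE_MFT = (make_record(seq=1, flags=1) + make_record(seq=3, flags=1)
              + make_record(sig=b"\0\0\0\0") + make_record(seq=5, flags=0))
SAMPLE_BITMAP = bytes([0b00000111])

if __name__ == "__main__":
    for ref in ((3 << 48) | 1, (1 << 48) | 2, (5 << 48) | 3):
        print(hex(ref), check_reference(SAMPLE_MFT, SAMPLE_BITMAP, ref))
```

An empty list means the index entry, the bitmap and the record header agree; a zeroed signature on a record the bitmap marks allocated is the combination described in this thread.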