NTFS Metadata

ray m
Hello everyone,

I have a question regarding file metadata. Let's say I wanted to examine all metadata associated with a specific file stored on a Windows 10 machine with NTFS. In which locations would I have to look to make sure I would obtain all of this metadata?

First of all, I would of course examine the file's internal metadata. Afterwards I would use a tool to look at the data which is stored inside the Master File Table. Aside from those two locations, do you happen to know of any other places where file metadata would be stored? What kind of metadata would be stored in those locations and of what use would it be from a forensic point of view?


Thank you very much in advance


Posted : 26/09/2022 11:59 am
I think you have most bases covered between internal metadata and external metadata found in the registry.

The only other location I can think of would be system files related to the file itself, such as $I files (if the file had been deleted), or $S files which are temporary files generated when a file is opened in a Windows environment.

Posted : 26/09/2022 9:57 pm
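As an added illustration of the $I files mentioned in the reply above (example code written for this thread, not from the original poster): each file sent to the Recycle Bin gets a `$I<random>` record in `$Recycle.Bin` that preserves the original path, size and deletion time, and the parser below recovers those three values from either the Vista–8.1 layout (version 1) or the Windows 10 layout (version 2). The sample records, the path and the timestamp are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_recycle_bin_i_file(data):
    """Parse one $I record from $Recycle.Bin and return its metadata.

    Both layouts share a 24-byte header:
      0x00 u64 version (1 = Vista..8.1, 2 = Windows 10 and later)
      0x08 u64 original file size in bytes
      0x10 u64 deletion time as FILETIME
    Version 1 then carries a fixed 520-byte UTF-16LE path (260 chars);
    version 2 carries a u32 path length in characters (NUL included)
    followed by the UTF-16LE path.
    """
    if len(data) < 24:
        raise ValueError("truncated $I header")
    version, size, filetime = struct.unpack_from("<QQQ", data, 0)
    if version == 1:
        raw = data[24:24 + 520]
    elif version == 2:
        (nchars,) = struct.unpack_from("<I", data, 24)
        raw = data[28:28 + nchars * 2]
    else:
        raise ValueError(f"unknown $I version {version}")
    path = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    return {"version": version, "original_size": size,
            "deleted_at": filetime_to_datetime(filetime), "original_path": path}

def build_sample_i_file(version, path, size, deleted_at):
    """Constructed test data only: serialise a $I record in either layout."""
    ft = int((deleted_at - EPOCH_1601).total_seconds()) * 10_000_000
    encoded = (path + "\x00").encode("utf-16-le")
    if version == 1:
        return struct.pack("<QQQ", 1, size, ft) + encoded.ljust(520, b"\x00")
    return struct.pack("<QQQI", 2, size, ft, len(path) + 1) + encoded

# Constructed samples (not real artefacts) for a file deleted on 2022-09-26.
DELETED_AT = datetime(2022, 9, 26, 11, 59, tzinfo=timezone.utc)
ORIGINAL_PATH = r"C:\Users\ray\Documents\report.docx"
SAMPLE_V2 = build_sample_i_file(2, ORIGINAL_PATH, 12345, DELETED_AT)
SAMPLE_V1 = build_sample_i_file(1, ORIGINAL_PATH, 12345, DELETED_AT)
```

Note that the $I record only survives while the entry is still in the Recycle Bin; once it is emptied, the record itself has to be carved or recovered from the MFT like any other deleted file.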
ray m
Thank you very much for your reply!

I have two follow-up questions that I would like to ask:

1. Are those two system files you mentioned the only ones you can think of? If not, might there be a list of those files obtainable somewhere?

2. Since you mentioned the registry and I honestly have very little experience with it, I'd like to ask a question concerning it that interests me as well (but goes in a slightly different direction than the one in my original post): as I understand it, the primary use of analyzing the registry would be obtaining information about actions executed on the specific device at hand. Now, if I wanted to analyze the origin of a specific file instead, would the registry contain any such information? I'm thinking about more specific information than just 'copied from thumb drive X' or 'saved from e-mail client Y'; to be precise: I would like to find out on which machines a file that has been downloaded via an e-mail client has previously been stored and who accessed it (prior to being downloaded; some kind of usage / across-device-communication history, so to speak). From what I know, this question might sound naive, but in case there exists any such information - or other information useful for that matter - I would be very interested to know about it.

Posted : 27/09/2022 12:04 pm
