Hi everyone,
Got an NTFS question I can't seem to find an answer to. Mind helping me out?
With an NTFS file system, how does the system decide where to write the next file? I began wondering about this after explaining to someone that data carving only works if the deleted file is not yet completely overwritten, and they asked me "so when is it overwritten then". So I started wondering, will NTFS first use the larged consecutive space after all the other files, and only when that is full start writing in the smaller spaces freed by deleting files, or will it start filling up those smaller spaces right away?
I've tried googling this, but can't seem to find much info on this topic…
Thanks in advance!
Merdle
I am sure there is logic, but the answer is that it largely appears to be random. However, it does fill from the start of the disk.
The data carving problem is always an issue. Will a particular area be overwritten? A major problem with Windows is that many files are being written all of the time. If you leave a PC on for a day, you will almost certainly have a Microsoft update downloaded, updated Virus protection files etc. Some virus programs (eg Norton) will try and defragment the disk.
The answer to your question may also vary on the type of file written. If it is a known size, the operating system may work to try and fit it in a space. An unknown file, or a log that grows will often end up being fragmented, and stored in many areas of the disk. Looking at the location of file fragments may guide you towards an answer, but ultimately it is up to tyhe operating system to manage it's space as it feels like.
Check out Brian Carrier's book, but according to his experimentation, it follows a best-first available fit process, if the size is known and, if not, tries to estimate the final size of the file. The goal is to avoid fragmentation, where possible, so while it does fill from the start of the disk, it will skip over unallocated space which is smaller than what will be the estimated file size rounded to the last allocation block.
With an NTFS file system, how does the system decide where to write the next file?
Best-first-fit seems a very reasonably explanation. Although the actual allocation behavior is up to the operating system's NTFS driver and probably version dependent. The only way to know for sure is to test. Note that you're also dealing with other factors like a volume cache a file system journal, versioning (VSS), physical disk characteristics, e.g. solid-state disks drivers, etc.
The allocation behavior of a file also depends on its type, e.g. a PST file will grow in fixed size increments, where a TXT will not. And don't forget NTFS compressed files 😉
Excellent feedback, thanks everyone!