NTFS Data Volume

Microsoft Corporation designed and developed NTFS (New Technology File System) in the early 1990s as a replacement for the FAT (File Allocation Table) file system. FAT, although still used on some removable media, has many limitations, particularly for multiuser and server systems. Windows NT 3.1, released in 1993, was developed with the ability to use the first release of NTFS.

The last major update to NTFS was introduced when Windows XP was released, enhancing the robustness of the file system and making data recovery a simpler task. A few minor additions have been made since, such as allowing larger file sizes. With the now widespread use of NTFS, our data recovery engineers have a vast array of experience in recovering files following all different types of failures.

NTFS Data Volume Features

NTFS data partitions support a maximum cluster size of 64kB, limiting the maximum volume size to 256TB. Since the release of Windows 8, the maximum file size has been improved from 256TB to a theoretical 16EB. Compression using the LZNT1 algorithm can be enabled on a volume, which can, under certain circumstances, improve data transfer speeds. Journaling is one of the most important features of NTFS: transaction logs are kept for all changes to the file system, allowing the file system state to be recovered in the event of sudden power loss or a computer crash.

User quotas can be enabled on the file system, which is particularly useful for multiuser and server systems. Sparse file handling enables a large file to be created instantly, removing the need to pre-allocate space on the disk, with clusters used only once required. Alternate Data Streams (ADS) are another important feature, allowing additional information to be stored with a file, which is particularly useful when storing files from an Apple Mac system. Data encryption is available for Professional, Ultimate and Server versions of Windows.

Internal Data Structures of NTFS

One of the main features of NTFS is the Master File Table (MFT), which is used to store the metadata for all files and directory entries. Each entry in the MFT, which is itself a file, contains the name, date information, access control data, size and allocation information. Redundancy is provided by storing secondary copies of the first 32 entries of the MFT and of the boot sector, enhancing the chances of recovering the file system.

Recovery from NTFS

NTFS is a highly recoverable file system due to the robust nature of its internal data structures, which allow the file system structure to be rebuilt even if many sectors cannot be recovered. When Windows XP was released, all versions of NTFS added a record number to each entry within the MFT, improving the ability to recover data, even after the partition has been reformatted. For the purpose of data recovery, directory index entries are not required, as the directory structure can be rebuilt from the MFT entries alone.

Files lost as a result of damage to the file system can be recovered, in most cases fully intact. When a file is deleted, the MFT entry is marked using a flag and only reused when required, allowing many deleted files to be recovered as well. The quality of deleted file recovery depends upon the amount of data and the quantity of files written after the file was originally deleted. At DiskEng, our experience of NTFS suggests it to be one of the most robust and recoverable file systems currently in use.
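
The record-level details described above (the flag that marks a deleted entry, the record number stored in each entry since Windows XP, and the parent reference that lets the directory tree be rebuilt from MFT entries alone) can be read directly from a raw MFT record. The following Python is an added example, not DiskEng's code. It assumes the commonly documented NTFS FILE record layout, does not apply update sequence fixups, and uses a record constructed by build_sample, a hypothetical helper, rather than data from a real volume.

```python
import struct

IN_USE, IS_DIR = 0x0001, 0x0002          # header flag bits at offset 0x16
FILE_NAME, END_MARK = 0x30, 0xFFFFFFFF   # $FILE_NAME type, end-of-attributes

def parse_record(rec: bytes) -> dict:
    """Decode the header and the first resident $FILE_NAME of one MFT record."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)
    out = {
        "record_number": struct.unpack_from("<I", rec, 0x2C)[0],  # NTFS 3.1+
        "deleted": not (flags & IN_USE),   # in-use bit is cleared on deletion
        "directory": bool(flags & IS_DIR),
        "name": None,
        "parent_record": None,
    }
    pos = attr_off
    while pos + 0x18 <= len(rec):          # walk the attribute list
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == END_MARK or alen < 0x18:
            break
        if atype == FILE_NAME and rec[pos + 8] == 0:   # resident attribute
            body = pos + struct.unpack_from("<H", rec, pos + 0x14)[0]
            parent = struct.unpack_from("<Q", rec, body)[0]
            out["parent_record"] = parent & 0xFFFFFFFFFFFF   # low 48 bits
            nlen = rec[body + 0x40]                          # UTF-16 code units
            out["name"] = rec[body + 0x42:body + 0x42 + 2 * nlen].decode("utf-16-le")
            break
        pos += alen
    return out

def build_sample(number: int, flags: int, name: str, parent: int) -> bytes:
    """Constructed 1024-byte record for the demo (hypothetical helper)."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<HH", rec, 0x14, 0x38, flags)    # first attribute, flags
    struct.pack_into("<I", rec, 0x2C, number)
    body = (struct.pack("<Q", parent | (1 << 48)) + bytes(0x38)
            + bytes([len(name), 1]) + name.encode("utf-16-le"))
    total = (0x18 + len(body) + 7) & ~7                # 8-byte aligned length
    attr = struct.pack("<IIBBHHHIHBB", FILE_NAME, total, 0, 0, 0, 0, 0, len(body), 0x18, 0, 0)
    rec[0x38:0x38 + len(attr + body)] = attr + body
    struct.pack_into("<I", rec, 0x38 + total, END_MARK)
    return bytes(rec)

if __name__ == "__main__":
    print(parse_record(build_sample(41, 0x0000, "report.docx", 5)))
```

A record read from a real volume should have its update sequence fixups applied before any field that spans the last two bytes of a sector is trusted.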

