NTFS File Activity Β· Deletion & Recovery

Windows File Activity, Deletion and Recovery Forensics

Reconstruct exactly which files were created, opened, modified, renamed, and deleted on a Windows computer β€” and recover deleted content from unallocated space, shadow copies, and the NTFS journal.

← Canonical HubThis page is part of the Windows Forensics cluster. Return to the hub for the full artifact index and cross-cluster context.

Quick Answer. NTFS file-activity forensics parses the Master File Table ($MFT), the USN change journal ($UsnJrnl:$J), the transaction log ($LogFile), shell-link files (*.lnk) in Recent\, per-application jump lists under AutomaticDestinations, RecentDocs in NTUSER.DAT, Office/Outlook MRU keys, Volume Shadow Copies, and unallocated space. Together these prove which files existed, when they were touched, which user touched them, and, in many cases, recover them after deletion.

The NTFS record set

ArtifactWhat it storesWhy it matters
$MFTOne 1024-byte record per file with $StandardInformation (SI) and $FileName (FN) timestamps, size, parent reference, and data runsGround truth of the file system; the SI/FN divergence detects timestomping
$UsnJrnl:$JRolling append-only journal of file changes (create, delete, rename, close, security change)Millisecond-resolution chronology of file activity; retains events long after files are gone
$LogFileNTFS transaction log for crash recoveryRecovers recent metadata transactions when $MFT was updated but $UsnJrnl rolled
$Recycle.Bin\\Recycle bin per user with $I info and $R content filesAttributes deletions to a specific user by SID
Volume Shadow CopiesPoint-in-time volume snapshots (VSS)Recovers earlier versions of files, deleted files, cleared logs, prior registry hives

The four MACB timestamps and timestomping detection

Every NTFS file has two independent timestamp sets. $StandardInformation (SI) exposes M/A/C/B (Modified, Accessed, Changed, Born) β€” these are what applications and API calls set, and what tools like SetMace or timestomp alter. $FileName (FN) is written by NTFS itself and is far harder to fake without kernel-level access. When SI is dramatically older than FN, or SI is exactly midnight or an even second while surrounding files show natural sub-second variance, that is a strong indicator of timestomping.

LNK, jump lists and RecentDocs β€” proof a user opened a file

Every time a user opens a document through Explorer, an LNK shortcut is written to %APPDATA%\Microsoft\Windows\Recent\ containing the target’s full path, size, volume serial number, machine NetBIOS name and MAC address, and its own set of MACB timestamps. Windows also writes jump lists at %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\ β€” one file per application (identified by an AppID hash), each containing OLE-CF stream entries for the last N files opened by that application.

LNK and jump-list evidence survives deletion of the underlying file, and often survives deletion of the file’s storage medium (external drive, thumb drive, network share). This is why LNK analysis is decisive in trade-secret cases where the file has been removed from the endpoint.

Recovering deleted files

  • Recycle Bin β€” $I files contain original path, size, and delete time; $R files hold the data. Attribution is by user SID in the path.
  • MFT-resident data β€” files under ~700 bytes live entirely inside their MFT record; the content survives until the record is reused.
  • Unallocated clusters β€” file carving by header/footer (JPEG, DOCX, PDF, ZIP) recovers whole files when the extents are contiguous.
  • Volume Shadow Copies β€” mount VSS snapshots and copy the older, still-live version of the file.
  • OneDrive / SharePoint / Dropbox caches β€” local sync engines retain recycle-bin equivalents (%LOCALAPPDATA%\Microsoft\OneDrive\logs and the cloud vendor’s own retention).
  • Application caches β€” Word AutoRecover (%APPDATA%\Microsoft\Word\), Excel XLB, Outlook OST, Adobe backup files.

SSD limitation: On TRIM-enabled SSDs, contents of unallocated clusters are typically wiped by the drive within seconds of deletion. In those cases, we shift to shadow copies, cloud sync, and MFT/journal metadata to prove what existed.

Detecting bulk copy and exfiltration patterns

USN journal analysis exposes exfiltration behavior directly: hundreds of files “CLOSE” events within seconds to a newly mounted volume, sequential LNK creation for an external drive letter, and MountPoints2 (see USB Device Forensics) writes correlate with a departing employee’s last day. We routinely produce a chronological exhibit tying MFT $StdInfo Born, USN CREATE + CLOSE, and LNK write to a specific USB serial number and a specific human account.

How Elite Digital Forensics helps

Elite Digital Forensics is an independent, defense-aligned Windows forensics practice. We are retained by attorneys, in-house counsel, and, where appropriate, individuals and businesses directly. Every engagement begins with a scoped acquisition plan, hash-verified evidence, and a written report suitable for attorney review, negotiation, or court. When retained through counsel, our work product is protected. See the Windows Forensics hub for the full analytical framework we bring to every matter.

Related Windows forensics pages

Frequently asked questions

Can you tell whether a file was opened versus just previewed in Explorer?

Often yes. Explorer preview writes to Thumbcache but does not always create an LNK. Actual opening by an application produces an LNK, a jump list entry, RecentDocs registry update, and Prefetch for the application. The presence of all four is strong proof of opening.

How reliable is the last-accessed timestamp?

On modern Windows, NTFS Last-Access updates are disabled by default for performance. We rely on $StdInfo Modified, $FileName Born, LNK MACB, and $UsnJrnl entries instead.

What if someone ran a file wiper?

Wipers leave traces of their own: Prefetch, Amcache, UserAssist, Run key or scheduled-task persistence, and their configuration file. The absence of expected artifacts in the presence of the wiper’s execution record is itself evidence.

How far back can you reconstruct file activity?

USN journal typically covers days to weeks depending on volume activity and size. Shadow copies extend that to weeks or months. Cloud sync history often reaches further. We document actual coverage.

Ready to move on your windows file activity, deletion, and recovery matter?

Tell us about the computer, the accounts, and the timeframe. We will tell you what is recoverable, what is not, and what it will cost.

Request Confidential Consultation Call (833) 292-3733

Primary sources and references

  1. Microsoft: NTFS Master File Table. learn.microsoft.com
  2. Microsoft: USN Change Journal. learn.microsoft.com
  3. NIST SP 800-86. csrc.nist.gov

This content is for educational and informational purposes only and does not constitute legal advice. Elite Digital Forensics provides independent digital forensic services and expert witness testimony; we do not provide legal representation. Every case is fact-specific; outcomes depend on the evidence, jurisdiction, and counsel. Retain qualified legal counsel for advice about your matter.

#FileActivityForensics #NTFS #MFT #USNJournal #DeletedFileRecovery #WindowsForensics #DFIR #EliteDigitalForensics

Assistant Icon Elite Digital Forensics Assistant
πŸ‘‹ Live Chat Now!
Free Virtual Consultation 24/7
Chat Now!

By submitting this form, you consent to be contacted by email, text, or phone. Your information is kept secure and confidential. Reply Stop to opt out at anytime.Β 

IMPORTANT: Please remember to check your spam or junk folder