Abstract: Computer users access data by file system. File and folder operation(such as creation, deletion, and edition) may leave some traces on storage media. These traces are related to file system. NTFS file system allocates and revokes the storage by cluster. It manages by MFT. This paper, from the point of computer forensics, analyzes the method of accessing file for NTFS file system and the traces of the file or folder operating, and compares it with traces of FAT.

Key words: data recovery, computer forensic, trace, NTFS, FAT

摘要： 计算机用户通过文件系统存取数据，文件和文件夹的操作(如增加、删除、修改)会在存储介质上留下痕迹，这些痕迹与文件系统有关。NTFS文件系统以簇为单位分配和回收外存空间，通过主文件表来进行管理。文章从计算机取证角度探讨NTFS文件系统下访问文件(夹)的方法，研究NTFS文件系统下文件和文件夹的操作痕迹，并与FAT文件系统中的痕迹进行比较。

关键词: 数据恢复, 计算机取证, 痕迹, NTFS, FAT

CLC Number: 

• TP309.2