Which NTFS components are examined to detect deleted or hidden data on a Windows volume?


Multiple Choice

Which NTFS components are examined to detect deleted or hidden data on a Windows volume?

Explanation:
NTFS forensic analysis centers on the Master File Table (MFT) and the surrounding metadata streams that record how files and space are used on the volume, especially when deletions or hidden data are involved. The MFT holds a record for every file and directory, and even after a file is deleted, its MFT entry can remain and be analyzed to piece together the original data. The USN Journal ($UsnJrnl) logs a running history of changes to files and directories, so deletions, renames, and modifications leave traceable records that can be followed over time. The $Bitmap shows which clusters on the disk are in use, helping identify unallocated or partially used areas where remnants may reside. The $LogFile contains the NTFS transaction log, which records metadata updates and helps reconstruct the sequence of events surrounding file operations. The $OrphanFiles attribute collects entries that are no longer linked to active files, offering additional artifacts for recovering data that has been removed from the directory structure. By examining the MFT records together with unallocated space, investigators can often recover deleted files or reveal data that was hidden, providing a fuller picture of what occurred on the volume.

