Efficient Recovery of Deleted Data and Metadata from NTFS and ReFS File
Ms. R. Kalaiyarasi (Assistant Professor), Arvind S
Dept. of Computer Science and Engineering
Sri Shakthi Institute of Engineering and Technology
Coimbatore, India
kalaiyarasiapcse@srishakthi.ac.in
arvinds22cse@srishakthi.ac.in
Dinesh P, Gavyaa A M
Dept. of Computer Science and Engineering
Sri Shakthi Institute of Engineering and Technology
Coimbatore, India
dineshp22cse@srishakthi.ac.in
gavyaaam22cse@srishakthi.ac.in
Girija Nagarajan, Joselin J
Dept. of Computer Science and Engineering
Sri Shakthi Institute of Engineering and Technology
Coimbatore, India
girijanagarajan22cse@srishakthi.ac.in
joselinj22cse@srishakthi.ac.in
Abstract - Data loss resulting from accidental deletion, file system corruption, malware attacks, ransomware incidents, and unexpected system failures continues to present a significant challenge in modern Windows-based computing environments. As digital storage systems increasingly support critical personal, organizational, and enterprise data, the consequences of data loss have become more severe, affecting operational continuity, legal compliance, and forensic investigations. Although numerous data recovery solutions are currently available, the majority of these tools focus primarily on restoring raw file content and often neglect the recovery of associated metadata such as file names, timestamps, directory hierarchy, access permissions, ownership details, and security descriptors. Metadata plays a vital role in preserving contextual accuracy, forensic validity, and auditability of recovered data, particularly in investigative and compliance-driven scenarios.
This paper presents a comprehensive metadata-aware recovery framework specifically designed for Windows file systems, namely NTFS and ReFS. The proposed approach leverages file system–specific internal structures, including the Master File Table (MFT) in NTFS and copy-on-write metadata trees in ReFS, to recover deleted files along with their associated metadata. A unified metadata correlation and validation engine is employed to ensure consistency, accuracy, and forensic reliability of recovered records by cross-verifying multiple metadata attributes. The framework operates in a read-only manner to maintain forensic integrity and prevent evidence contamination.
Key Terms - NTFS, ReFS, Metadata Recovery, Data Recovery, Digital Forensics, Windows File Systems, Master File Table (MFT), Copy-on-Write, File System Metadata, Integrity Streams.