Which acronym refers to the file system that was introduced when Microsoft created Windows NT?

NTFS, an acronym that stands for New Technology File System, is a file system first introduced by Microsoft in 1993 with the release of Windows NT 3.1.

It's the primary file system used in Microsoft's Windows 11, Windows 10, Windows 8, Windows 7, Windows Vista, Windows XP, Windows 2000, and Windows NT operating systems.

The Windows Server line of operating systems also primarily use NTFS. It's supported in other OSes, too, like Linux and BSD. macOS offers read-only support for NTFS.

NTFS also stands for other terms, but none of them have anything to do with what's talked about on this page. These include not trusted for servers, never tested file system, new tools for storage, and no time for social.

There are a few ways to check if a hard drive has been formatted with NTFS, or if it's using a different file system.

The first and probably easiest way to view the status of one or more drives is to use Disk Management. See How Do I Open Disk Management in Windows? if you've never worked with this tool before.

The file system is listed right here, alongside the volume and other details about the drive.

Another way to check to see if a drive was formatted with the NTFS file system is by right-clicking or tap-and-holding the drive in question, directly from File Explorer.

Then, choose Properties from the drop-down menu. Read what's next to File system in the General tab. If the drive is NTFS, it will read File system: NTFS.

Yet another way to see which file system a hard drive is using it through the command-line interface.

Open a Command Prompt (it might have to be an elevated Command Prompt in some versions of Windows), or Windows Terminal, and enter this to show various details about the C: drive, including its file system:

fsutil fsinfo volumeinfo C:

Use the command fsutil fsinfo volumeinfo C: | findstr "System" instead to trim down the results to show only the file system.

To check a different hard drive, use that drive's volume letter in place of C:. If you don't know the drive letter, get an on-screen print-out using the fsutil fsinfo drives command.

Theoretically, NTFS can support hard drives up to just under 16 EB. Individual file size is capped at just under 256 TB, at least in Windows 8, 10, and 11, as well as some newer Windows Server versions.

NTFS supports disk usage quotas. These quotas are set by an administrator to restrict the amount of disk space that a user can take up. It's used mainly to control the amount of shared space someone can use, usually on a network drive. You can check free hard drive space without using disk usage quotas.

File attributes previously unseen in Windows operating systems, like the compressed attribute and indexed attribute, are available with NTFS-formatted drives.

Encrypting File System is another feature supported by NTFS. EFS provides file-level encryption, which means that individual files and folders can be encrypted. This is a different feature than full-disk encryption, which is the encryption of an entire drive (like what's seen in these disk encryption programs).

NTFS is a journaling file system, which means it provides a way for system changes to be written to a log, or a journal, before the changes are actually written. This feature allows the file system to revert to previous, well-working conditions if a failure occurs because the new changes have yet to be committed.

Volume Shadow Copy Service is an NTFS feature used by online backup service programs and other backup software tools to back up files that are currently being used, as well as by Windows itself to store backups of your files.

Another feature introduced in this file system is called transactional NTFS. This allows software developers to build applications that either completely succeed or completely fail. Programs that take advantage of this don't run the risk of applying a few changes that do work as well as a few changes that don't, a recipe for serious problems. Transactional NTFS is a fascinating topic; you can read more about it on in these pieces from Wikipedia and Microsoft.

NTFS includes other features as well, such as hard links, sparse files, and reparse points.

FAT was the primary file system in Microsoft's older operating systems and, for the most part, NTFS has replaced it. However, all versions of Windows still support FAT, and it's common to find drives formatted using it instead of NTFS.

The exFAT file system is a newer file system but is designed to be used where NTFS doesn't work well, like on flash drives. Some differences between NTFS and exFAT include fewer files per directory in the latter file system, but far greater drive sizes than the former.

Thanks for letting us know!

Tell us why!

Cards Return to Set Details

Term

Definition

is a column of tracks on two or more disk platters.

Term

ZBR is how most manufacturers deal with _______

Definition

a platter's inner tracks being shorter than its outer tracks.

Term

Definition

the number of bits in one square inch of a disk platter.

Term

Definition

the file structure database that Microsoft originally designed for floppy disks.

Term

NTFS was introduced when _____

Definition

Microsoft created Windows NT and is the primary file system for Windows Vista.

Term

What is immediately after the Partition Boot Sector on an NTFS disk?

Definition

Term

Definition

Term

In the NTFS MFT, all files and folders are

Definition

stored in separate records of 1024 bytes each.

Term

9. The file or folder’s MFT record provides cluster addresses where the file is stored on the drive’s partition. These cluster addresses are referred to as

Definition

Term

When Microsoft introduced Windows 2000, it added _______

Definition

built-in encryption to NTFS called EFS.

Term

The purpose of the recovery certificate is to _______

Definition

provide a mechanism for recovering encrypted files under EFS if there’s a problem with the user’s original private key.

Term

When Microsoft created Windows 95, it consolidated initialization (.ini) files into

Definition

Term

Boot.ini, located in the root folder of the system partition, specifies

Definition

the Windows XP path installation and contains options for selecting the Windows version.

Term

______ is a 16-bit real-mode program that queries the system for device and configuration data, and then passes its findings to NTLDR.

Definition

Term

NTBootdd.sys , located in the root folder of the system partition, is the device driver that allows

Definition

the OS to communicate with SCSI or ATA drives that aren’t related to the BIOS.

Term

Device drivers contain instructions for the OS for hardware devices, such as

Definition

the keyboard, mouse, and video card, and are stored in the %system-root%\Windows\System32\Drivers folder.

Term

Definition

a hidden text file containing startup options for Windows 9x.

Term

The Command.com file provides a

Definition

command prompt when booting to MS-DOS mode (DPMI).

Term

Definition

text file containing commands that typically run only at system startup to enhance the computer’s DOS configuration.

Term

Definition

a batch file containing customized settings for MS-DOS that runs automatically.

Term

A virtual machine allows you to

Definition

create a representation of another computer on an existing physical computer.

Term

Computer forensics tools are divided into ____ major categories.

Definition

Term

Software forensics tools are commonly used to

Definition

copy data from a suspect’s disk drive to an image file.

Term

To make a disk acquisition with En.exe the requirements are:

Definition

only a PC running MS-DOS with a 12-volt power connector and an IDE, a SATA, or a SCSI connector cable.

Term

Definition

is a direct copy of a disk drive. An example of a Raw image is output from the UNIX/Linux dd command.

Term

Discrimination of data involves

Definition

sorting and searching through all investigation data.

Term

Many password recovery tools have a feature that

Definition

allows generating potential lists for a password dictionary attack.

Term

The simplest method of duplicating a disk drive is

Definition

using a tool that does a direct disk-to-disk copy from the original disk to the target disk.

Term

To complete a forensic disk analysis and examination, you need to

Definition

Term

The first tools that analyzed and extracted data from floppy disks and hard disks were

Definition

MS-DOS tools for IBM PC file systems.

Term

In Windows 2000 and XP, the ______ shows you the owner of a file if you have multiple users on the system or network.

Definition

Term

forensics workstations can be divided into ___ categories.

Definition

Term

Definition

is a forensics workstation consisting of a laptop computer with a built-in LCD monitor and almost as many bays and peripherals as a stationary workstation

Term

Definition

a simple drive-imaging station.

Term

Definition

can be software or hardware and are used to protect evidence disks by preventing you from writing any data to the evidence disk.

Term

Many vendors have developed _____ that connect to a computer through FireWire, USB 2.0,and SCSI controllers.

Definition

Term

Definition

publishes articles, provides tools, and creates procedures for testing and validating computer forensics software.

Term

The standards document, _____ demands accuracy for all aspects of the testing process, meaning that the results must be repeatable and reproducible.

Definition

Term

Definition

is 39. The NIST project that has as a goal to collect all known hash values for commercial software applications and OS files

Term

Definition

is the primary hash algorithm used by the NSRL.

Term

One way to compare your results and verify your new forensic tool is by ____

Definition

using a disk editor, such as HexWorkshop, or WinHex.

Term

Although a disk editor gives you the most flexibility in testing, it might not be capable of

Definition

examining a compressed file’s contents.

Term

There are ___ tracks available for the program area on a CD

Definition

Term

The Advanced SCSI Programming Interface (ASPI) provides

Definition

several software drivers that allow communication between the OS and the SCSI component.

Term

All Advanced Technology Attachment (ATA) drives from ATA-33 through ATA-133 IDE and EIDE disk drives use the standard

Definition

40-pin ribbon or shielded cable

Term

ATA-66, ATA-100, and ATA-133 can use the

Definition

newer 40-pin/80-wire cable

Term

IDE ATA controller on an old 486 PC doesn’t recognize disk drives larger than

Definition

Term

Scope creep _____ needed to extract,analyze,and present evidence.

Definition

increases the time and resources

Term

You begin any computer forensics case by

Definition

creating an investigation plan.

Term

In civil and criminal cases, _____ is often defined by search warrants or subpoenas, which specify what data you can recover.

Definition

Term

There are ___ searching options for keywords which FTK offers

Definition

Term

____ can locate items such as text hidden in unallocated space that might not turn up in an indexed search.

Definition

Term

The stemming search feature allows you to

Definition

look for words with extensions such as “ing,”“ed,” and so forth.

Term

In FTK indexed search mode, you can

Definition

also look for files that were accessed or changed during a certain time period

Term

FTK and other computer forensics programs use _______ to tag and document digital evidence.

Definition

Term

Getting a hash value with a hexadecimal editor is ______ with a computer forensics tool.

Definition

much faster and easier than

Term

Definition

known file hash values to files on your evidence drive or image files to see whether they contain suspicious data.

Term

Definition

changing or manipulating a file to conceal information.

Term

One way to hide partitions is to

Definition

create a partition on a disk, and then use a disk editor such as Norton DiskEdit to manually delete any reference to it.

Term

Marking bad clusters data-hiding technique is more common with

Definition

Term

The term steganography comes from

Definition

the Greek word for“hidden writing.”

Term

Steganography is defined as

Definition

the art and science of hiding messages in such a way that only the intended recipient knows the message is there.

Term

Many commercial encryption programs use a technology called _____, which is designed to recover encrypted data if users forget their passphrases or if the user key is corrupted after a system data failure.

Definition

Term

People who want to hide data can also use

Definition

advanced encryption programs, such as PGP or BestCrypt.

Term

Definition

a fairly easy task in computer forensic analysis

Term

Definition

use every possible letter, number, and character found on a keyboard when cracking a password.

Term

Definition

handy when you need to image the drive of a computer far away from your location or when you don’t want a suspect to be aware of an ongoing investigation.

Term

HDHOST is a remote access program for

Definition

communication between two computers. The connection is established by using the DiskExplorer program (FAT or NTFS) corresponding to the suspect (remote) computer’s file system.

Term

Vector graphics are based on

Definition

mathematical instructions that define lines, curves, text, ovals, and other geometric shapes.

Term

Graphics editors are used to

Definition

create, modify, and save bitmap, vector, and metafile graphics files.

Term

Definition

store graphics information as grids of individual pixels.

Term

Definition

the process of converting raw picture data to another format

Term

The majority of digital cameras use the ____ format to store digital pictures

Definition

Term

Lossy compression compresses data by

Definition

permanently discarding bits of information in the file.

Term

Definition

is recovering pieces of a file

Term

A JPEG file has a hexadecimal header value of

Definition

Term

If you can’t open an image file in an image viewer, the next step is to

Definition

examine the file’s header data.

Term

The uppercase letter “A” has a hexadecimal value of

Definition

Term

The image format ___ is derived from the more common TIFF file format.

Definition

Term

The simplest way to access a file header is to use

Definition

Term

The ____ starts with hexadecimal 49 49 2A and has an offset of four bytes of 5C01 0000 2065 5874 656E 6465 6420 03

Definition

Term

Definition

the art of hiding information inside image files

Term

_______ places data from the secret file into the host file without displaying the secret data when you view the host file in its associated program.

Definition

Term

_______ replaces bits of the host file with other bits of data.

Definition

Substitution steganography

Term

Definition

steg tool (steganography).

Term

Steganography has also been used to protect

Definition

copyrighted material by inserting digital watermarks into a file