diff --git a/forensics/basic-forensics-esp/README.md b/forensics/basic-forensics-esp/README.md index 8e598d977..ef6ff2716 100644 --- a/forensics/basic-forensics-esp/README.md +++ b/forensics/basic-forensics-esp/README.md @@ -557,12 +557,15 @@ The **root directory** occupies a **specific position** for both FAT12 and FAT16 * Address of the FAT table where the first cluster of the file starts * Size -When a file is "deleted" using a FAT file system, the directory entry remains almost **unchanged** except for the **first character of the file name** \(modified to ****0xE5\), preserving most of the "deleted" file's name, along with its time stamp, file length and — most importantly — its physical location on the disk. The list of disk clusters occupied by the file will, however, be erased from the File Allocation Table, marking those sectors available for use by other files created or modified thereafter. In case of FAT32, it is additionally erased field responsible for upper 16 bits of file start cluster value. +When a file is "deleted" using a FAT file system, the directory entry remains almost **unchanged** except for the **first character of the file name** \(modified to ****0xE5\), preserving most of the "deleted" file's name, along with its time stamp, file length and — most importantly — its physical location on the disk. The list of disk clusters occupied by the file will, however, be erased from the File Allocation Table, marking those sectors available for use by other files created or modified thereafter. In case of FAT32, it is additionally erased field responsible for upper 16 bits of file start cluster value. +### **NTFS** +**NTFS** \(**New Technology File System**\) is a proprietary journaling file system developed by Microsoft. +\*\*\*\* -**NTFS** +\*\*\*\* El tamaño de un cluster es de 64kB, aunque se pueden crear clusters mas pequeños o más grandes. 64bits para la dirección de cada cluster
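Review bot: The `\*\*\*\*` lines that surround the removed `**NTFS**` line are empty-emphasis residue and will render as literal asterisks directly under the new `### **NTFS**` heading and its definition; drop them instead of carrying them forward. The text that follows is still in Spanish ("El tamaño de un cluster es de 64kB, aunque se pueden crear clusters mas pequeños o más grandes.") while the surrounding README text is English, so translate it in this change now that it sits under a proper heading, and check the 64kB figure while doing so, since NTFS commonly defaults to 4 KB clusters. The FAT deletion paragraph is removed and re-added with no visible change in wording; if the line is being touched anyway, fix the broken emphasis in `\(modified to ****0xE5\)` and the phrasing "it is additionally erased field", otherwise keep it out of the diff.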