A discussion came up recently at work around how a file can become identified as “Orphaned” in an NTFS file system and I thought that it would be a good topic to cover on my blog since understanding how this occurs aids in the forensic analysis of NTFS filesystems.

An orphaned file is a file that has been deleted and the parent directory that the file is linked to (within its MFT entry) has also been deleted and then its MFT entry has been reallocated.  You can also have an orphaned directory index for the same reason as you can have orphaned files (same basic concepts apply).

As an aside: when a directory is deleted on an NTFS file system the operating system marks the directory as unallocated within the MFT and also recursively goes through and marks the file MFT records (and other directories) as unallocated (of course, it also checks the hard link count to make sure that the file isn’t linked from any other location prior to marking it in the MFT as unallocated).

Even though a file appears “orphaned,” you may still be able to recover the file the same way that you would recover a deleted file on an NTFS volume (given the clusters for that file have not been overwritten with other data).  Additionally, you may be able to see directory structure information (names, etc) for an orphaned file/directory that is buried several directories deep; the “orphaning” can happen at any point in a directory structure and you’ll be able to find directory information up until the final MFT entry that is pointing to the now overwritten MFT entry.

The bottom line is: orphaned files are simply just deleted files that may be treated the same way you’d treat any other deleted file during an investigation…you’ll just not be able to determine with any certainty the exact location of the file within the directory structure prior to deletion.