Per your $MFT record - the logical size of the record is 336 bytes and ends with FF FF FF FF 82 79 47 11. The allocation flag shows it to be a deleted file. The flag for where the data is stored shows 01 for non-resident. You have a data attribute which shows this and correctly shows the data run should be in the latter part of the data attribute at a specific point. But, when I jump out to that area it only shows only 00 00 01 00 00 00 00 00. So, something happened to the data run.
I created a Truecrypt container on my machine and made sure it would be unable to be stored as resident. I parsed out that $MFT record for it and the data attribute showed an accurate data run. So, it is not something that Truecrypt does. I believe something happened to your $MFT record after the file was deleted since it is marked as such.
↧