twjolson wrote:
However, NTFS hasn't really been updated since Windows XP came out in 2001.
Depends.
If you take an image of a Windows Server 2012 SP 2 (I think it is) file system which has data deduplication enabled, and applied, EnCase 5 will be able to handle the NTFS file records, but you won't be able to examine the file contents.
(Added: You'll just see a lot of reparse points ...)
This is a kind of 'on-top-of-NTFS' feature, so strictly speaking NTFS may be unchanged. It still will have an analyst who doesn't know about it rather confused.
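An added example, not part of the posts above: a Python sketch for spotting deduplicated files during triage by reading the reparse tag from raw reparse-point data extracted from an image. The tag values are the Windows SDK constants; the function names, sample paths and payload bytes are constructed for illustration.

```python
import struct

# Reparse tag constants as defined in the Windows SDK (winnt.h).
TAG_DEDUP = 0x80000013
KNOWN_TAGS = {
    0xA0000003: "IO_REPARSE_TAG_MOUNT_POINT",
    0xA000000C: "IO_REPARSE_TAG_SYMLINK",
    TAG_DEDUP: "IO_REPARSE_TAG_DEDUP",
}

def parse_reparse_header(buf):
    """Parse the 8-byte header common to every reparse buffer:
    ReparseTag (u32 LE), ReparseDataLength (u16 LE), Reserved (u16 LE)."""
    if len(buf) < 8:
        raise ValueError("reparse buffer shorter than its 8-byte header")
    tag, data_len, _reserved = struct.unpack_from("<IHH", buf, 0)
    return {
        "tag": tag,
        "name": KNOWN_TAGS.get(tag, "unknown (0x%08X)" % tag),
        "microsoft": bool(tag & 0x80000000),       # bit 31: Microsoft-owned tag
        "name_surrogate": bool(tag & 0x20000000),  # bit 29: stands in for another name
        "data_len": data_len,
        "truncated": len(buf) - 8 < data_len,      # carved buffer is incomplete
    }

def triage(records):
    """Split (path, raw_reparse_bytes) pairs into deduplicated files, whose
    content is not held in the file record itself, and malformed entries."""
    dedup, malformed = [], []
    for path, buf in records:
        try:
            hdr = parse_reparse_header(buf)
        except ValueError:
            malformed.append(path)
            continue
        if hdr["tag"] == TAG_DEDUP:
            dedup.append(path)
    return dedup, malformed

# Constructed sample input: headers are well-formed, payloads are placeholder bytes.
SAMPLE = [
    ("Shares/report.docx", struct.pack("<IHH", TAG_DEDUP, 4, 0) + b"\x00" * 4),
    ("Users/Public/link", struct.pack("<IHH", 0xA000000C, 2, 0) + b"\x00" * 2),
    ("Shares/carved.bin", b"\x13\x00\x00"),  # too short to hold a header
]

if __name__ == "__main__":
    flagged, bad = triage(SAMPLE)
    print("deduplicated:", flagged)
    print("malformed:", bad)
```
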