How to scan NTFS $I30 (directory) entries for evidence of deleted files

The NTFS file system keeps, for every directory, an index of the files and sub-directories it contains. That index is named $I30: it lives in the directory's MFT record as an $INDEX_ROOT attribute, and larger directories spill their entries into INDX blocks held in an $INDEX_ALLOCATION attribute. Each index record (entry) carries a copy of the file's $FILE_NAME attribute, so it records the name, the parent directory, the timestamps and the sizes as they were when the entry was last written. The index must be updated whenever the directory's contents change. When a file or folder is removed, the entries after it are shifted down to close the gap and the index's used size is reduced, but the bytes beyond the new end of the used area are not wiped. The unused tail of the block (its slack space) can therefore still hold remnants of the removed entry, or of entries that were shifted, which is useful in forensic analysis for identifying files that once existed on the drive.

OSForensics can display the index records stored in the $I30 attribute, including deleted records found in the slack space. To view the list of $I30 index records, open an NTFS directory in the File System Browser with the internal viewer.

Opening an NTFS directory in the File System Browser

After switching to the 'Metadata View' tab, the list of $I30 index records is displayed. Deleted records found in the slack space are highlighted in red. Note that a record highlighted as deleted does not necessarily mean the file or folder no longer exists in the directory: entries are shifted whenever the $I30 attribute changes, so the record found in slack may simply be the previous, stale copy of an entry that is still live. Compare the name and MFT record number of a red entry against the live entries before treating it as evidence of a deleted file.

Viewing the $I30 index records

The list of records can be exported to a text file by right-clicking the list and selecting 'Export to file...'.
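The following is an added example in Python (not OSForensics code) that does in code what the text describes: it parses an $I30 INDX block, walks the live entries up to the end marker, and then carves the slack for leftover $FILE_NAME structures, classifying each hit as deleted or as a stale copy of a still-live entry. The block is constructed in memory rather than read from a disk image, the two deletions are simulated the way NTFS shifts entries down, and the file names, MFT record numbers and dates are invented. It handles INDX allocation blocks only, not the $INDEX_ROOT entries held inside the MFT record itself.

```python
"""Parse an NTFS $I30 INDX block: list live entries, then carve slack for $FILE_NAME
remnants. Added example, not OSForensics code; the sample block is constructed below."""
import struct
from datetime import datetime, timedelta, timezone

INDX_SIZE, SECTOR, NODE_HDR = 4096, 512, 0x18      # index node header sits at offset 0x18
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch


def filetime(y, m, d):
    """Midnight UTC of a date as a FILETIME (100 ns ticks since 1601), computed in integers."""
    delta = datetime(y, m, d, tzinfo=timezone.utc) - EPOCH
    return (delta.days * 86400 + delta.seconds) * 10**7


MIN_FT, MAX_FT = filetime(1990, 1, 1), filetime(2100, 1, 1)   # plausibility window for carving


def ft_to_iso(ft):
    return (EPOCH + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%d")


def parse_file_name(buf, off):
    """Decode a $FILE_NAME attribute at buf[off:], or None if it is not plausible."""
    if off + 0x42 > len(buf):
        return None
    parent, ct, mt, ch, at, alloc, real, flags, _rp, nlen, ns = struct.unpack_from("<QQQQQQQIIBB", buf, off)
    if not 1 <= nlen <= 255 or ns > 3 or off + 0x42 + 2 * nlen > len(buf):
        return None
    if not all(MIN_FT <= t <= MAX_FT for t in (ct, mt, ch, at)):
        return None                                  # slack garbage rarely has four sane timestamps
    try:
        name = buf[off + 0x42:off + 0x42 + 2 * nlen].decode("utf-16-le")
    except UnicodeDecodeError:
        return None
    if not name.isprintable():
        return None
    return {"name": name, "parent_mft": parent & 0xFFFFFFFFFFFF, "created": ft_to_iso(ct), "size": real}


def undo_fixups(raw):
    """Verify the update sequence number in every sector and restore the original words."""
    block = bytearray(raw)
    if block[:4] != b"INDX":
        raise ValueError("not an INDX block")
    usa_off, usa_count = struct.unpack_from("<HH", block, 4)
    usn = block[usa_off:usa_off + 2]
    for i in range(usa_count - 1):
        end = (i + 1) * SECTOR - 2
        if block[end:end + 2] != usn:
            raise ValueError(f"fixup mismatch in sector {i}: torn write or corrupt block")
        block[end:end + 2] = block[usa_off + 2 + 2 * i:usa_off + 4 + 2 * i]
    return block


def live_entries(block):
    """Walk the in-use entry chain to the end marker; return entries and where slack begins."""
    first, used = struct.unpack_from("<II", block, NODE_HDR)
    off, end, out = NODE_HDR + first, NODE_HDR + used, []
    while off + 0x10 <= end:
        mft_ref, length, _fn_len, eflags = struct.unpack_from("<QHHI", block, off)
        if eflags & 2:                               # last entry carries no $FILE_NAME
            break
        if length < 0x10 or off + length > end:
            raise ValueError(f"corrupt entry length at {off:#x}")
        fn = parse_file_name(block, off + 0x10)
        if fn:
            fn["mft"] = mft_ref & 0xFFFFFFFFFFFF
            out.append(fn)
        off += length
    return out, end


def carve_slack(block, slack_start):
    """Try every 8-byte aligned offset in the unused tail for a $FILE_NAME remnant."""
    found = []
    for off in range(slack_start, len(block) - 0x42, 8):
        fn = parse_file_name(block, off)
        if fn:
            found.append(dict(fn, offset=off))
    return found


def analyse(raw):
    block = undo_fixups(raw)
    live, slack_start = live_entries(block)
    live_names = {e["name"] for e in live}
    carved = carve_slack(block, slack_start)
    for c in carved:                                 # the caveat from the text, made explicit
        c["status"] = "stale copy of live entry" if c["name"] in live_names else "deleted"
    return live, carved


# --- constructed sample: build a block, then delete entries the way NTFS does ---
def build_entry(mft_ref, parent_ref, name, ctime, size):
    fn = struct.pack("<QQQQQQQIIBB", parent_ref, ctime, ctime, ctime, ctime,
                     (size + 4095) & ~4095, size, 0x20, 0, len(name), 3) + name.encode("utf-16-le")
    length = (0x10 + len(fn) + 7) & ~7               # entries are 8-byte aligned
    return (struct.pack("<QHHI", mft_ref, length, len(fn), 0) + fn).ljust(length, b"\0")


def build_indx(entries):
    node = b"".join(entries) + struct.pack("<QHHI", 0, 0x10, 0, 2)   # trailing end marker
    block = bytearray(INDX_SIZE)
    block[:NODE_HDR] = b"INDX" + struct.pack("<HHQQ", 0x28, INDX_SIZE // SECTOR + 1, 0, 0)
    first = 0x40 - NODE_HDR                          # entries follow the fixup array
    block[NODE_HDR:0x28] = struct.pack("<IIII", first, first + len(node), INDX_SIZE - NODE_HDR, 0)
    block[0x40:0x40 + len(node)] = node
    return block


def delete_entry(block, name):
    """Shift later entries down over the removed one and shrink the used size; slack untouched."""
    first, used = struct.unpack_from("<II", block, NODE_HDR)
    off, end = NODE_HDR + first, NODE_HDR + used
    while True:
        length, eflags = struct.unpack_from("<H2xI", block, off + 8)
        if eflags & 2:
            raise KeyError(name)
        fn = parse_file_name(block, off + 0x10)
        if fn and fn["name"] == name:
            break
        off += length
    block[off:end - length] = block[off + length:end]
    struct.pack_into("<I", block, NODE_HDR + 4, used - length)


def seal_fixups(block, usn):
    """Write the USN into the last word of every sector, saving the originals in the array."""
    struct.pack_into("<H", block, 0x28, usn)
    for i in range(INDX_SIZE // SECTOR):
        end = (i + 1) * SECTOR - 2
        block[0x2A + 2 * i:0x2C + 2 * i] = block[end:end + 2]
        struct.pack_into("<H", block, end, usn)


def build_sample():
    """Invented directory (MFT record 5) with four files; omega.txt then beta.doc are deleted."""
    parent = 5 | (5 << 48)
    files = [("alpha.txt", 64, 100), ("beta.doc", 65, 2048), ("gamma.txt", 66, 300), ("omega.txt", 67, 9000)]
    block = build_indx([build_entry(m | (1 << 48), parent, n, filetime(2023, 3, 14), s) for n, m, s in files])
    delete_entry(block, "omega.txt")
    delete_entry(block, "beta.doc")
    seal_fixups(block, usn=7)
    return bytes(block)


if __name__ == "__main__":
    live, carved = analyse(build_sample())
    for e in live:
        print(f"live        mft={e['mft']:<4} {e['name']}")
    for c in carved:
        print(f"slack@{c['offset']:#06x} {c['name']:<10} {c['status']}  created={c['created']} size={c['size']}")
```

Running it lists alpha.txt and gamma.txt as live, then two carved remnants: gamma.txt (a stale copy left behind when beta.doc's deletion shifted the entry down, even though gamma.txt still exists) and omega.txt (genuinely deleted). Note that a remnant's 16-byte entry header, including its MFT reference, is usually overwritten by the shifted end marker; only the $FILE_NAME body survives, which is why the carver looks for that structure rather than for entry headers. On a real image the same functions apply to each INDX block read from a directory's $INDEX_ALLOCATION attribute, with the block size taken from the volume's index record size.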