Abstract
NTFS, as used in the Windows Server operating system, provides a data deduplication function that removes duplicated regions by comparing them with other files in variable-length block units, so that storage space is used efficiently. Although data deduplication is already applied to server systems such as cloud services, it is necessary to understand the operation of Windows Server and its file system in order to view or extract files during digital forensic investigations. In this paper, we therefore analyze the deduplication process and the on-disk structures needed to reconstruct files on a Windows Server using NTFS with data deduplication enabled. The specific behaviour differs structurally depending on the version of Windows Server. Up to Windows Server 2012, deduplicated files had only resident attributes in their MFT entries. In the 2016, 2019 and 2022 versions released thereafter, however, deduplicated files have non-resident attributes, so earlier analysis results are limited in their ability to extract files. Furthermore, when a deduplicated file is deleted, its data remains stored in a fragmented form called chunks, which also limits what file carving techniques can recover. When a deleted deduplicated file shares chunks with another file, those chunks must remain allocated even though the file itself has been deleted. Because this differs from traditional file recovery techniques, we introduce a new perspective on recovering deduplicated files.
| Original language | English |
|---|---|
| Article number | 301571 |
| Journal | Forensic Science International: Digital Investigation |
| Volume | 46 |
| DOIs | |
| Publication status | Published - 2023 Sept |
Bibliographical note
Publisher Copyright: © 2023 Elsevier Ltd
Keywords
- $Reparse:$R index file
- $REPARSE_POINT
- Data deduplication
- File carving
- Non-resident attribute
- NTFS
- Windows Server 2022
ASJC Scopus subject areas
- Pathology and Forensic Medicine
- Information Systems
- Computer Science Applications
- Medical Laboratory Technology
- Law