From: Rod Speed on
sobriquet wrote
> Jonathan de Boyne Pollard <J.deBoynePollard-newsgro...(a)NTLWorld.COM> wrote

>> http://img237.imageshack.us/img237/2852/passportdiscrepancy.jpg
>> I have two identical WD 1tb passport usb drives filled with identical data. [...]

>> ... but not necessarily identical metadata. That 28KiB difference is
>> a mere 28 deleted MFT records, for example. Or it could be journal
>> entries, security descriptor records, or quite a number of other things.

>> But isn't this the kind of meta data that is supposed
>> to disappear when the recyclebin is emptied?

>> Put simply: No. Deleted MFT records are nothing to do with files in
>> the recycle bin, for example.

>> Is there any other way to clear any superfluous data somehow?

>> Put simply: Short of drastic measures such as reformatting the
>> volume, no. The MFT doesn't shrink in normal operation, for example.
>> And the security descriptor stream is only compacted by chkdsk. (See
>> MSKB 919241.)

>> we're talking about two identical drives and identical data that is supposed to be stored on the drive.

>> No, we're not. As I said, the metadata are not necessarily identical.

> I see. Could a virus or malware somehow gain access to this space
> where this metadata is stored to hide a copy of itself there?

Yes, it might be able to hide a copy of itself, but
there is no way to get it executed from there.

> Can I use a diskeditor like HxD or DiskExplorer for
> NTFS to view this metadata somehow?

Yes, anything that can dump the contents of sectors you specify can do that.

Interpreting what you see tho is much harder.

Quite a bit of the detail of NTFS structures has never been formally documented.
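The point made above, that two volumes holding identical files can still differ in their metadata because deleted MFT records are never reclaimed in normal operation, can be seen by decoding the fixed header of each FILE record in a raw dump of the $MFT. The following is an added example, not code from this thread or from any tool it mentions. It parses only the publicly documented 48-byte record header (signature, sequence number, link count, flags, used and allocated size) and builds a small constructed $MFT image for two hypothetical volumes; the 1024-byte record size and the sample field values are assumptions for the demonstration, not data from a real drive.

```python
import struct
from typing import Optional

MFT_RECORD_SIZE = 1024   # assumed record size (the usual NTFS default)
FLAG_IN_USE = 0x0001     # header flag: record describes a live file/directory
FLAG_DIRECTORY = 0x0002  # header flag: record describes a directory


def parse_mft_record(rec: bytes) -> Optional[dict]:
    """Decode the fixed header of one FILE record.

    Returns None for a slot that has never held a record (no 'FILE'
    signature).  Every field read here lies in the first 48 bytes, so the
    update-sequence fixup (which only overwrites the last 2 bytes of each
    512-byte sector) does not touch them and is deliberately not applied.
    """
    if len(rec) < 48 or rec[:4] != b"FILE":
        return None
    (usa_ofs, usa_count, lsn, seq_no, link_count, attr_ofs, flags,
     used_size, alloc_size, base_ref, next_attr_id) = struct.unpack_from(
        "<HHQHHHHIIQH", rec, 4)
    return {
        "sequence_number": seq_no,
        "hard_links": link_count,
        "in_use": bool(flags & FLAG_IN_USE),
        "is_directory": bool(flags & FLAG_DIRECTORY),
        "used_size": used_size,
        "allocated_size": alloc_size,
        "first_attribute_offset": attr_ofs,
    }


def make_record(seq_no: int, flags: int, used_size: int) -> bytes:
    """Build a constructed FILE record header (sample data, not a real dump)."""
    rec = bytearray(MFT_RECORD_SIZE)
    rec[:4] = b"FILE"
    link_count = 1 if flags & FLAG_IN_USE else 0
    struct.pack_into("<HHQHHHHIIQH", rec, 4,
                     48,              # update sequence array offset
                     3,               # update sequence count (1 + 2 sectors)
                     0,               # $LogFile sequence number
                     seq_no, link_count,
                     56,              # offset of first attribute
                     flags, used_size, MFT_RECORD_SIZE,
                     0,               # base record reference (none)
                     4)               # next attribute id
    return bytes(rec)


def summarize_mft(image: bytes) -> dict:
    """Walk a raw $MFT image and count live, deleted and never-used slots.

    'deleted_bytes' is how much record payload still sits in deleted
    records: this is metadata that emptying the recycle bin never touches.
    """
    counts = {"in_use": 0, "deleted": 0, "unallocated": 0, "deleted_bytes": 0}
    for off in range(0, len(image), MFT_RECORD_SIZE):
        hdr = parse_mft_record(image[off:off + MFT_RECORD_SIZE])
        if hdr is None:
            counts["unallocated"] += 1
        elif hdr["in_use"]:
            counts["in_use"] += 1
        else:
            counts["deleted"] += 1
            counts["deleted_bytes"] += hdr["used_size"]
    return counts


# Constructed sample: both volumes hold the same two live entries (one
# file, one directory), but volume B once held two more files that were
# later deleted.  Their records stay allocated with the IN_USE bit clear.
_LIVE = [make_record(1, FLAG_IN_USE, 416),
         make_record(2, FLAG_IN_USE | FLAG_DIRECTORY, 512)]
_EMPTY = bytes(MFT_RECORD_SIZE)
VOLUME_A = b"".join(_LIVE + [_EMPTY])
VOLUME_B = b"".join(_LIVE + [make_record(3, 0, 448), make_record(4, 0, 448), _EMPTY])

if __name__ == "__main__":
    for name, img in (("volume A", VOLUME_A), ("volume B", VOLUME_B)):
        print(name, summarize_mft(img))
```

On a real drive the same walk is done over the $MFT extracted with any sector-level tool, and the difference between two "identical" volumes shows up as a different `deleted` count with an identical `in_use` count. A record whose header parses but has neither the IN_USE flag nor any hard links is exactly the leftover the reply above describes: it occupies space, survives emptying the recycle bin, and goes away only when the slot is reused by a new file or the volume is reformatted.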