Where does Encase search to recover NTFS files and folders?

In NTFS, the Master File Table (MFT) is the central database that stores a record for every file and directory, including its name, timestamps, permissions, and pointers to where the actual data resides on disk. EnCase searches the MFT because it holds the authoritative metadata needed to locate and reconstruct files and folders. By reading each file’s MFT record, the tool can determine the file’s data runs (where the data is stored on the disk) and how directories reference those files, which is essential for accurate recovery and path reconstruction. Deletion or fragmentation can complicate things, but as long as the MFT entries or the underlying data aren’t overwritten, EnCase leverages the MFT to recover and reassemble the NTFS file system structure. Slack space and MBR/HAL are not where NTFS stores the primary metadata used for file recovery.