You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Since Windows Server 2012, there is a chunk-based data deduplication mechanism (tag 0x80000013) that allows files with similar content to be deduplicated as long as they have stretches of identical data. Similar to a Copy-on-Write mechanism.
The chunks and state get stored in the System Volume Information/Dedup folder of the respective disk. Currently these files will report a file-size but will not contain any data. Some of these files can contain interesting investigative information. Exploring parsing capabilities for this NTFS feature would make our implementation more sound.
The text was updated successfully, but these errors were encountered:
Since Windows Server 2012, there is a chunk-based data deduplication mechanism (tag
0x80000013) that allows files with similar content to be deduplicated as long as they have stretches of identical data. Similar to a Copy-on-Write mechanism.The chunks and state get stored in the
System Volume Information/Dedupfolder of the respective disk. Currently these files will report a file-size but will not contain any data. Some of these files can contain interesting investigative information. Exploring parsing capabilities for this NTFS feature would make our implementation more sound.The text was updated successfully, but these errors were encountered: