Research NTFS IO_REPARSE_TAG_DEDUP #33
Description
Since Windows Server 2012, there is a chunk-based data deduplication mechanism (tag 0x80000013) that allows files with similar content to be deduplicated as long as they have stretches of identical data. Similar to a Copy-on-Write mechanism.
The chunks and state get stored in the System Volume Information/Dedup folder of the respective disk. Currently these files will report a file-size but will not contain any data. Some of these files can contain interesting investigative information. Exploring parsing capabilities for this NTFS feature would make our implementation more sound.