Storing files on NTFS filesystem

The main data structure in NTFS is the MFT (Master File Table). One or several MFT records completely describe a file. An MFT record contains:

  • file name,
  • attributes,
  • file location on a disk.

File deletion on NTFS

When a file is deleted, the MFT records related to the file are not cleared but only marked as free for reuse. Therefore, until the MFT record is actually needed for a new file, all the data about the file remains stored in the MFT record. Data recovery on NTFS is based on this.

Undelete on NTFS filesystem

It is possible to recover a file if:

  • the MFT record data is not overwritten with the data from some other file,
  • for a file larger than 700 bytes, the file data is not overwritten.
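The following is an added example, not part of the original page: a read-only check of whether an MFT record is marked as deleted, what file name it still holds, and whether its $DATA attribute is kept inside the record. It assumes the commonly documented record layout (signature "FILE", first-attribute offset at 0x14, flags at 0x16 with bit 0x0001 meaning "in use") and that update-sequence fixups have already been applied; build_attr and make_record are hypothetical helpers that only construct sample input.

```python
import struct

IN_USE, IS_DIR = 0x0001, 0x0002            # flag bits in the MFT record header
FILE_NAME, DATA, END = 0x30, 0x80, 0xFFFFFFFF

def parse_record(rec: bytes) -> dict:
    """Summarise one MFT FILE record (fixups assumed already applied)."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    first_attr, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"deleted": not flags & IN_USE, "directory": bool(flags & IS_DIR),
            "name": None, "data_resident": None}
    off = first_attr
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END or alen == 0 or off + alen > len(rec):
            break                           # end marker or corrupt length
        non_resident = rec[off + 8]
        if atype == FILE_NAME and not non_resident:
            body = off + struct.unpack_from("<H", rec, off + 0x14)[0]
            nchars = rec[body + 0x40]       # name length in UTF-16 characters
            info["name"] = rec[body + 0x42: body + 0x42 + 2 * nchars].decode("utf-16-le")
        elif atype == DATA:
            info["data_resident"] = not non_resident
        off += alen
    return info

def build_attr(atype: int, content: bytes) -> bytes:
    """Hypothetical helper: build a resident, unnamed attribute (sample data)."""
    length = (0x18 + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHH", atype, length, 0, 0, 0x18, 0, 0, len(content), 0x18, 0)
    return (hdr + content).ljust(length, b"\0")

def make_record(name: str, data: bytes, flags: int) -> bytes:
    """Hypothetical helper: build a minimal constructed FILE record."""
    hdr = bytearray(0x38)
    hdr[0:4] = b"FILE"
    struct.pack_into("<HH", hdr, 0x14, 0x38, flags)   # first attribute offset, flags
    fn = bytes(0x40) + bytes([len(name), 1]) + name.encode("utf-16-le")
    return bytes(hdr) + build_attr(FILE_NAME, fn) + build_attr(DATA, data) + struct.pack("<II", END, 0)

if __name__ == "__main__":
    # Constructed sample: the same file before and after deletion.
    print(parse_record(make_record("report.txt", b"small file", IN_USE)))
    print(parse_record(make_record("report.txt", b"small file", 0)))
```

The two printed summaries differ only in the "deleted" field: the name and the attributes are still readable after the in-use bit is cleared.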

The undelete process consists of three steps:

  1. remove the mark "file is deleted",
  2. mark the place used for the data as "occupied",
  3. enter the record about the file in its parent folder.