Windows – Maximum size of file that can be stored entirely in NTFS Master File Table (MFT)

mftntfssecure-erasessdwindows

I'm using Windows 7 and NTFS. I've noticed the MFT is a huge security risk because it can store sensitive document files without user knowledge for a long time before they get overwritten.

All tests I've run tell me that files smaller than 640 bytes are resident in the MFT and cannot be securely deleted. However, any files that are 640 bytes or more can be securely deleted immediately – this is true for my 500GB HDD and my 128GB Flash Drive (both NTFS).

I've tested this by creating a bunch of text files and writing words to them to create different file sizes. Deleting them, emptying recycle bin and running Recuva and then securely deleting highlighted. It fails to securely delete any file under 640 bytes (file is resident in MFT message will come up).

Is this the same for SSDs with Trim Enabled?
Why 640 bytes? Thought it was 512 bytes maximum for MFT entries for wiped files?

Any input much appreciated.

Best Answer

Any files can be deleted securely, as long as you use the correct tool. For example Sysinternals' SDelete is capable of handling this

On NTFS drives SDelete's job isn't necessarily through after it allocates and overwrites the two files. SDelete must also fill any existing free portions of the NTFS MFT (Master File Table) with files that fit within an MFT record. An MFT record is typically 1KB in size, and every file or directory on a disk requires at least one MFT record. Small files are stored entirely within their MFT record, while files that don't fit within a record are allocated clusters outside the MFT. All SDelete has to do to take care of the free MFT space is allocate the largest file it can - when the file occupies all the available space in an MFT Record NTFS will prevent the file from getting larger, since there are no free clusters left on the disk (they are being held by the two files SDelete previously allocated). SDelete then repeats the process. When SDelete can no longer even create a new file, it knows that all the previously free records in the MFT have been completely filled with securely overwritten files.

Surely you've chosen the wrong tool because if you've read the documentation you'd see that

Recuva cannot:

...

Securely delete certain very small files that are held in the Master File Table (MFT) and files of zero-byte length.

Introducing Recuva - What it can and can't do

Why 640 bytes? Thought it was 512 bytes maximum for MFT entries for wiped files?

Size of files that can be stored in MFT (called resident files) varies depending on each file, each system and which information is stored in MFT. The more data is used for metadata in MFT, the less is left for the file, thus there's no defined limit, but according typically Files smaller than approximately 900 bytes are stored within the directory entry at the MFT

The figure MFT Entry with Resident Record shows the contents of an MFT record for a small file or folder. Small files and folders (typically, 900 bytes or smaller) are entirely contained within the file’s MFT record.

How NTFS Works

As an example I created an example 1000-byte file with very minimal metadata that can be stored completely in the MFT. But as soon as I added more metadata to the file (hard links, longer names, streams, permissions...) the maximum space that can accommodate the resident file quickly reduces

Best Answer

Related Solutions

Windows – Master File Table corrupt, any way to save data

Windows – NTFS partition broke: Won’t mount in Linux & Windows won’t boot

Related Question