I'm using Windows 7 and NTFS. I've noticed the MFT is a huge security risk because it can store sensitive document files without user knowledge for a long time before they get overwritten.
All tests I've run tell me that files smaller than 640 bytes are resident in the MFT and cannot be securely deleted. However, any files that are 640 bytes or more can be securely deleted immediately – this is true for my 500GB HDD and my 128GB Flash Drive (both NTFS).
I've tested this by creating a bunch of text files and writing words to them to create different file sizes. Deleting them, emptying recycle bin and running Recuva and then securely deleting highlighted. It fails to securely delete any file under 640 bytes (file is resident in MFT message will come up).
Is this the same for SSDs with Trim Enabled?
Why 640 bytes? Thought it was 512 bytes maximum for MFT entries for wiped files?
Any input much appreciated.
Best Answer
Any files can be deleted securely, as long as you use the correct tool. For example Sysinternals'
SDelete
is capable of handling thisSurely you've chosen the wrong tool because if you've read the documentation you'd see that
Size of files that can be stored in MFT (called resident files) varies depending on each file, each system and which information is stored in MFT. The more data is used for metadata in MFT, the less is left for the file, thus there's no defined limit, but according typically Files smaller than approximately 900 bytes are stored within the directory entry at the MFT
As an example I created an example 1000-byte file with very minimal metadata that can be stored completely in the MFT. But as soon as I added more metadata to the file (hard links, longer names, streams, permissions...) the maximum space that can accommodate the resident file quickly reduces