I'm using Windows 7 and NTFS. I've noticed the MFT is a huge security risk because it can store sensitive document files without user knowledge for a long time before they get overwritten.

All tests I've run tell me that files smaller than 640 bytes are resident in the MFT and cannot be securely deleted. However, any file that's 640 bytes or more can be securely deleted immediately - this is true for my 500GB HDD and my 128GB Flash Drive (both NTFS).

I've tested this by creating a bunch of text files and writing words to them to create different file sizes. Deleting them, emptying recycle bin and running Recuva and then securely deleting highlighted. It fails to securely delete any file under 640 bytes (file is resident in MFT message will come up).

Is this the same for SSDs with Trim Enabled? Why 640 bytes? Thought it was 512 bytes maximum for MFT entries for wiped files?

Any input much appreciated.

  • Regarding the "why"... NTFS file records are 1024kb. Some of this space is needed for required attributes such as $FILE_NAME, and you are left with the remainder for resident files. – Andrea Lazzarotto Mar 5 '17 at 21:56
  • 1
    @AndreaLazzarotto the recode size is 1KB or 1024 bytes, not 1024KB – phuclv Jul 13 at 1:36
  • @phuclv holy smokes you are right. Damn typo. :o – Andrea Lazzarotto Jul 13 at 10:33

Any files can be deleted securely, as long as you use the correct tool. For example Sysinternals' SDelete is capable of handling this

On NTFS drives SDelete's job isn't necessarily through after it allocates and overwrites the two files. SDelete must also fill any existing free portions of the NTFS MFT (Master File Table) with files that fit within an MFT record. An MFT record is typically 1KB in size, and every file or directory on a disk requires at least one MFT record. Small files are stored entirely within their MFT record, while files that don't fit within a record are allocated clusters outside the MFT. All SDelete has to do to take care of the free MFT space is allocate the largest file it can - when the file occupies all the available space in an MFT Record NTFS will prevent the file from getting larger, since there are no free clusters left on the disk (they are being held by the two files SDelete previously allocated). SDelete then repeats the process. When SDelete can no longer even create a new file, it knows that all the previously free records in the MFT have been completely filled with securely overwritten files.

Surely you've chosen the wrong tool because if you've read the documentation you'd see that

Recuva cannot:

  • ...
  • Securely delete certain very small files that are held in the Master File Table (MFT) and files of zero-byte length.

Introducing Recuva - What it can and can't do


Why 640 bytes? Thought it was 512 bytes maximum for MFT entries for wiped files?

Size of files that can be stored in MFT (called resident files) varies depending on each file, each system and which information is stored in MFT. The more data is used for metadata in MFT, the less is left for the file, thus there's no defined limit, but according to Microsoft typically

Files smaller than approximately 900 bytes are stored within the directory entry at the MFT

https://en.wikipedia.org/wiki/NTFS#File_compression

The figure MFT Entry with Resident Record shows the contents of an MFT record for a small file or folder. Small files and folders (typically, 900 bytes or smaller) are entirely contained within the file’s MFT record.

https://technet.microsoft.com/en-us/library/cc781134(WS.10).aspx

I created an example 1000-byte file with very minimal metadata that's stored completely in the MFT. But as soon as I added more metadata to the file (hard links, longer names, streams, permissions...) the maximum space that can accommodate the resident file quickly reduces

  • seems different file formats can have more bytes in the MFT than others then.. do SSDs with DRAZT or DRAT on trim command change any of the information stored in the MFT for those small files? – Jeff Mar 6 '17 at 1:32
  • I don't know about DRAZT or DRAT but SSDs will remap sectors and/or move data for wear levelling so all bets are off. I believe the secure cleaning on remapping will be handled by the SSD firmware so on top of the OS you just need to use a cleaning tool just like on HDD – phuclv Mar 6 '17 at 2:13

The MFT entry is 1024 bytes long (see the MFT section at http://www.cse.scu.edu/~tschwarz/coen252_07Fall/Lectures/NTFS.html) and stores more than just the filename - it also can include the file size, read/write permission, creation/modification date, and other meta-info. These items all have allocated sizes and this is why, in earlier versions of Windows, you could encounter an error if the filename was too long. This is also why you are unable to store files larger than 640 bytes entirely inside the table - the remaining 384 bytes (1024-640=384) were for the dedicated allocations.

It is useful to know that you computer has two identical MFT's, not one. The main is on the outer edge of the HDD, and the second one is located halfway in. The second one exists as a backup in case the main one is damaged, which can happen if the computer is shut off while an entry was being written or changed. Every MFT-cleaning program should delete from both tables (and the process is handled by the BIOS or the drive's firmware), but this is one thing to keep in mind if you want to take your data security to an extreme.

Also, the MFT row size CAN be varied, based on the drive (or partition) size and its intended purpose. Datacenters and servers are more likely to use a non-standard size, as the MFT allocation can be more than 10% of the HDD so the extra space becomes valuable. However, 1024 bytes is the standard.

Your Answer

By clicking "Post Your Answer", you acknowledge that you have read our updated terms of service, privacy policy and cookie policy, and that your continued use of the website is subject to these policies.

Not the answer you're looking for? Browse other questions tagged or ask your own question.