Deleted File Recovery and NTFS File Types

NTFS File Types

NTFS File Attributes

The NTFS file system views each file (or folder) as a set of file attributes. Elements such as the file's name, its security information, and even its data, are all file attributes. Each attribute is identified by an attribute type code and, optionally, an attribute name.

When a file's attributes can fit within the MFT file record, they are called resident attributes. For example, information such as the file name and time stamp is always included in the MFT file record. When all of the information for a file is too large to fit in the MFT file record, some of its attributes are nonresident.

The nonresident attributes are allocated in one or more clusters of disk space stored elsewhere in the volume. NTFS creates the Attribute List attribute to describe the location of all of the attribute records.

The following table lists all of the file attributes currently defined by the NTFS file system. This list is expandable, meaning that other file attributes can be defined in the future.

| Attribute Type | Description |
| --- | --- |
| Standard Information | Includes information such as timestamp and link count. |
| Attribute List | Lists the location of all attribute records that do not fit in the MFT record. |
| File Name | A repeatable attribute for both long and short file names. The long name of the file can be up to 255 Unicode characters. The short name is the 8.3, case-insensitive name for the file. Additional names, or hard links, required by POSIX can be included as additional file name attributes. |
| Security Descriptor | Describes who owns the file and who can access it. |
| Data | Contains file data. NTFS allows multiple data attributes per file. Each file typically has one unnamed data attribute. A file can also have one or more named data attributes, each using a particular syntax. |
| Object ID | A volume-unique file identifier. Used by the distributed link tracking service. Not all files have object identifiers. |
| Logged Tool Stream | Similar to a data stream, but operations are logged to the NTFS log file just like NTFS metadata changes. This is used by EFS. |
| Reparse Point | Used for volume mount points. They are also used by Installable File System (IFS) filter drivers to mark certain files as special to that driver. |
| Index Root | Used to implement folders and other indexes. |
| Index Allocation | Used to implement folders and other indexes. |
| Bitmap | Used to implement folders and other indexes. |
| Volume Information | Used only in the $Volume system file. Contains the volume version. |
| Volume Name | Used only in the $Volume system file. Contains the volume label. |
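
As an added example (not code from the original page), the following Python code walks the attribute headers inside an MFT file record and reports each attribute's type, optional name, and whether it is resident or nonresident. The type codes and header offsets are the standard on-disk NTFS values, which the page does not list; `build_attribute` and the sample bytes are hypothetical and constructed for the demonstration.

```python
import struct

# Standard NTFS attribute type codes, named as in the table above.
ATTR_TYPES = {
    0x10: "Standard Information", 0x20: "Attribute List", 0x30: "File Name",
    0x40: "Object ID", 0x50: "Security Descriptor", 0x60: "Volume Name",
    0x70: "Volume Information", 0x80: "Data", 0x90: "Index Root",
    0xA0: "Index Allocation", 0xB0: "Bitmap", 0xC0: "Reparse Point",
    0x100: "Logged Tool Stream",
}
END_MARKER = 0xFFFFFFFF  # terminates the attribute list in a file record

def walk_attributes(buf, offset=0):
    """Return (type, name, is_resident, size_in_bytes) for each attribute."""
    found = []
    while offset + 12 <= len(buf):
        type_code, length, nonres, name_len, name_off = struct.unpack_from("<IIBBH", buf, offset)
        if type_code == END_MARKER:
            break
        min_len = 0x40 if nonres else 0x18  # nonresident headers are longer
        # Reject lengths that would stall the loop or read outside the record.
        if length < min_len or offset + length > len(buf) or name_off + 2 * name_len > length:
            raise ValueError(f"corrupt attribute header at offset {offset:#x}")
        raw_name = buf[offset + name_off:offset + name_off + 2 * name_len]
        name = raw_name.decode("utf-16-le", errors="replace")
        # Resident: content length at 0x10. Nonresident: real size at 0x30.
        fmt, field = ("<Q", 0x30) if nonres else ("<I", 0x10)
        (size,) = struct.unpack_from(fmt, buf, offset + field)
        found.append((ATTR_TYPES.get(type_code, hex(type_code)), name, not nonres, size))
        offset += length
    return found

def build_attribute(type_code, name="", content=b"", nonresident_size=None):
    """Hypothetical helper: build one constructed attribute record for the demo."""
    nonres = nonresident_size is not None
    hdr_len, n = (0x40 if nonres else 0x18), name.encode("utf-16-le")
    rec = bytearray(hdr_len) + n + content
    rec += bytes(-len(rec) % 8)  # pad to an 8-byte boundary
    struct.pack_into("<IIBBH", rec, 0, type_code, len(rec), int(nonres), len(n) // 2, hdr_len)
    if nonres:  # cluster run list omitted; only the real size is filled in
        struct.pack_into("<Q", rec, 0x30, nonresident_size)
    else:
        struct.pack_into("<IH", rec, 0x10, len(content), hdr_len + len(n))
    return bytes(rec)

# Constructed sample: three attributes, the end marker, then unused record space.
SAMPLE = (build_attribute(0x10, content=bytes(48))
          + build_attribute(0x80, nonresident_size=1_000_000)
          + build_attribute(0x80, name="Zone.Identifier", content=b"[ZoneTransfer]\r\nZoneId=3\r\n")
          + struct.pack("<II", END_MARKER, 0) + bytes(8))
```

Calling `walk_attributes(SAMPLE)` lists the unnamed nonresident Data attribute and the named resident Data attribute as separate entries, which is how multiple data attributes on one file show up during analysis.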