
What survives when you delete a file on NTFS


On NTFS, deletion is not erasure. When a file is deleted, the operating system clears a single bit in the file's MFT record — the in-use flag in the record header — and updates the parent directory index. The rest of the record stays exactly as it was.

What is still there

A deleted MFT record typically retains:

  • $STANDARD_INFORMATION — all four timestamps, file flags, security ID
  • $FILE_NAME — original filename, parent directory reference, logical and physical sizes
  • $DATA — for small files, the entire contents (resident); for large files, the runlist pointing to clusters that may not yet be overwritten

You can enumerate deleted records in record-number order and reconstruct most of a deleted file's identity from $MFT alone.
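To make the record layout concrete, here is an added example (not the parser on this site): a minimal MFT record reader that undoes the update-sequence fixups, reads the in-use flag, and pulls the timestamps and security ID from $STANDARD_INFORMATION, the name and parent reference from $FILE_NAME, and either the resident content or the decoded runlist from $DATA. Because it has to run without a disk image, it also fabricates two 1024-byte records in memory; every value in them (record numbers 41 and 42, the names, the FILETIME, the runlist bytes) is constructed for the demo.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example: a minimal MFT record reader plus a builder that fabricates records in memory.
RECORD_SIZE, SECTOR = 1024, 512
FLAG_IN_USE, FLAG_DIRECTORY = 0x0001, 0x0002
ATTR_STANDARD_INFORMATION, ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x10, 0x30, 0x80, 0xFFFFFFFF

def filetime_to_datetime(ft):
    # FILETIME: 100-ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def apply_fixups(raw):
    # NTFS stamps the update sequence number over the last two bytes of each sector; restore the originals.
    buf = bytearray(raw)
    usa_off, usa_count = struct.unpack_from("<HH", buf, 4)
    usn = bytes(buf[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        tail = i * SECTOR - 2
        if bytes(buf[tail:tail + 2]) != usn:
            raise ValueError("fixup mismatch: torn write or not an MFT record")
        buf[tail:tail + 2] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def decode_runlist(data):
    # Run header byte: low nibble = width of the length field, high nibble = width of the signed LCN delta.
    runs, pos, lcn = [], 0, 0
    while pos < len(data) and data[pos]:
        len_sz, off_sz = data[pos] & 0xF, data[pos] >> 4
        length = int.from_bytes(data[pos + 1:pos + 1 + len_sz], "little")
        delta = int.from_bytes(data[pos + 1 + len_sz:pos + 1 + len_sz + off_sz], "little", signed=True)
        lcn += delta
        runs.append((lcn if off_sz else None, length))   # off_sz 0 = sparse run, no clusters on disk
        pos += 1 + len_sz + off_sz
    return runs

def parse_record(raw):
    if raw[:4] != b"FILE":
        return None                     # slot never written (all zeros) or corrupt
    rec = apply_fixups(raw)
    seq, _links, first_attr, flags = struct.unpack_from("<HHHH", rec, 0x10)
    info = {"record": struct.unpack_from("<I", rec, 0x2C)[0], "seq": seq, "in_use": bool(flags & FLAG_IN_USE),
            "is_dir": bool(flags & FLAG_DIRECTORY), "name": None, "parent": None, "si_times": None,
            "security_id": None, "resident_data": None, "runs": None}
    off = first_attr
    while off + 16 <= len(rec):
        atype, alen, nonres = struct.unpack_from("<IIB", rec, off)
        if atype == ATTR_END or alen == 0:
            break
        content = None
        if nonres == 0:
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            content = rec[off + coff:off + coff + clen]
        if atype == ATTR_STANDARD_INFORMATION and content:
            info["si_times"] = [filetime_to_datetime(t) for t in struct.unpack_from("<4Q", content, 0)]
            info["security_id"] = struct.unpack_from("<I", content, 0x34)[0]
        elif atype == ATTR_FILE_NAME and content:
            info["parent"] = struct.unpack_from("<Q", content, 0)[0] & 0xFFFFFFFFFFFF   # low 48 bits
            info["name"] = content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le")
        elif atype == ATTR_DATA and content is not None:
            info["resident_data"] = content
        elif atype == ATTR_DATA:
            runs_off = struct.unpack_from("<H", rec, off + 0x20)[0]
            info["runs"] = decode_runlist(rec[off + runs_off:off + alen])
        off += alen
    return info

def _attr(atype, content, nonres_hdr=None):
    # Resident attribute (24-byte header) unless a prebuilt non-resident header is passed.
    hdr = nonres_hdr or struct.pack("<IIBBHHHIHBB", atype, 0, 0, 0, 24, 0, 0, len(content), 24, 0, 0)
    body = (hdr + content).ljust((len(hdr) + len(content) + 7) & ~7, b"\0")
    return body[:4] + struct.pack("<I", len(body)) + body[8:]   # patch the attribute length

def build_record(num, name, in_use, resident=None, runlist=None, seq=1):
    # Constructed 1024-byte record with $STANDARD_INFORMATION, $FILE_NAME and one $DATA attribute.
    ft = 132_000_000_000_000_000        # constructed FILETIME, 2019-04-17 18:40 UTC
    si = struct.pack("<4Q6I2Q", ft, ft, ft, ft, 0x20, 0, 0, 0, 0, 0x105, 0, 0)
    fn = struct.pack("<5Q2Q2IBB", 5, ft, ft, ft, ft, 4096, 4096, 0x20, 0, len(name), 1) + name.encode("utf-16-le")
    nr_hdr = None if runlist is None else struct.pack("<IIBBHHHQQHHIQQQ", ATTR_DATA, 0, 1, 0, 64, 0, 0, 0, 1, 64, 0, 0, 8192, 8192, 8192)
    data_attr = _attr(ATTR_DATA, resident if runlist is None else runlist, nr_hdr)
    attrs = _attr(ATTR_STANDARD_INFORMATION, si) + _attr(ATTR_FILE_NAME, fn) + data_attr + struct.pack("<I", ATTR_END) + b"\0" * 4
    flags = FLAG_IN_USE if in_use else 0
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 0x30, 3, 0, seq, 1, 0x38, flags, 0x38 + len(attrs), RECORD_SIZE, 0, 3, 0, num)
    buf = bytearray((hdr + b"\0" * 8 + attrs).ljust(RECORD_SIZE, b"\0"))
    buf[0x30:0x32] = usn = b"\x07\x00"
    for i in (1, 2):                    # save each sector tail into the USA, then stamp the USN over it
        buf[0x30 + 2 * i:0x32 + 2 * i] = buf[i * SECTOR - 2:i * SECTOR]
        buf[i * SECTOR - 2:i * SECTOR] = usn
    return bytes(buf)

def demo():
    deleted = build_record(41, "secrets.txt", in_use=False, resident=b"api_key=constructed-example-value")
    live = build_record(42, "big.bin", in_use=True, runlist=b"\x21\x02\x34\x12\x00")
    return [parse_record(r) for r in (deleted, live)]

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Record 41 comes back with `in_use` False yet still carries its name, parent directory reference, all four timestamps, security ID and the resident content; record 42 shows the non-resident case, where only the runlist (here one run of two clusters starting at LCN 0x1234) survives in the record and the data itself has to be read from those clusters. The fixup check is the part most quick-and-dirty parsers skip; on a real volume, a mismatch there is how you notice a torn record rather than silently reading two wrong bytes per sector.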

When does it actually go away?

A deleted record persists until NTFS needs the slot for a new file. The next time a file is created, the system may reuse the oldest unused slot. On a busy volume, deleted records are reclaimed within hours. On a less active system they can survive for months.

The MFT itself only grows; it never shrinks. That is what makes it such a rich forensic artifact.

Cross-reference for a complete picture

$MFT shows what records exist. $UsnJrnl (the Update Sequence Number Journal) shows what happened to them — including the delete events that flipped the in-use bit. $LogFile adds yet another layer of transaction history.

A triage that walks all three together can often reconstruct not just what was deleted, but when and in what order. The parser on this site reads $MFT. The other two journals are excellent follow-up targets.
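The cross-reference works because $UsnJrnl entries carry the same file reference the MFT uses (record number in the low 48 bits, sequence number in the high 16), so a delete event in the journal can be matched to the exact MFT slot it flipped. Here is an added example (not this site's parser) that reads USN_RECORD_V2 entries from a $UsnJrnl:$J buffer and extracts the delete events; the four-entry journal it parses is constructed inline for the demo, not captured from a real volume, and it ends with the same slot being reused under a new sequence number, which is the case the previous section warns about.

```python
import struct
from datetime import datetime, timedelta, timezone

# Added example: parse USN_RECORD_V2 entries and pull out delete events keyed by MFT record + sequence.
USN_REASON_FILE_CREATE, USN_REASON_FILE_DELETE, USN_REASON_CLOSE = 0x100, 0x200, 0x80000000
USN_HEADER_LEN = 60

def filetime_to_datetime(ft):
    # FILETIME: 100-ns ticks since 1601-01-01 UTC
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def split_file_reference(ref):
    # MFT file reference: low 48 bits = record number, high 16 bits = sequence number
    return ref & 0xFFFFFFFFFFFF, ref >> 48

def parse_usn_records(buf):
    pos, out = 0, []
    while pos + USN_HEADER_LEN <= len(buf):
        rec_len, major = struct.unpack_from("<IH", buf, pos)
        if rec_len == 0:                         # zero-filled gap in $J: step to the next 8-byte boundary
            pos += 8
            continue
        if major != 2:
            break
        file_ref, parent_ref, usn, ts, reason = struct.unpack_from("<QQqqI", buf, pos + 8)
        name_len, name_off = struct.unpack_from("<HH", buf, pos + 56)
        name = buf[pos + name_off:pos + name_off + name_len].decode("utf-16-le")
        num, seq = split_file_reference(file_ref)
        out.append({"usn": usn, "time": filetime_to_datetime(ts), "record": num, "seq": seq,
                    "parent": split_file_reference(parent_ref)[0], "name": name, "reason": reason})
        pos += rec_len
    return out

def delete_events(records):
    # A delete is logged as FILE_DELETE and finalised by CLOSE; keep the closing entry only.
    return [r for r in records if r["reason"] & USN_REASON_FILE_DELETE and r["reason"] & USN_REASON_CLOSE]

def make_usn_record(usn, file_ref, parent_ref, ts, reason, name):
    # Constructed USN_RECORD_V2 for the demo (fields after Reason: SourceInfo, SecurityId, FileAttributes).
    n = name.encode("utf-16-le")
    length = (USN_HEADER_LEN + len(n) + 7) & ~7
    hdr = struct.pack("<IHHQQqqIIIIHH", length, 2, 0, file_ref, parent_ref, usn, ts, reason, 0, 0x105, 0x20, len(n), USN_HEADER_LEN)
    return hdr + n.ljust(length - USN_HEADER_LEN, b"\0")

def demo():
    ref = lambda num, seq: (seq << 48) | num     # build a file reference the way NTFS packs it
    t0 = 132_000_000_000_000_000                  # constructed FILETIME, 2019-04-17 18:40 UTC
    journal = b"".join([
        make_usn_record(1000, ref(41, 1), ref(5, 5), t0, USN_REASON_FILE_CREATE | USN_REASON_CLOSE, "secrets.txt"),
        make_usn_record(1104, ref(41, 1), ref(5, 5), t0 + 600 * 10_000_000, USN_REASON_FILE_DELETE, "secrets.txt"),
        make_usn_record(1208, ref(41, 1), ref(5, 5), t0 + 600 * 10_000_000, USN_REASON_FILE_DELETE | USN_REASON_CLOSE, "secrets.txt"),
        make_usn_record(1312, ref(41, 2), ref(5, 5), t0 + 7200 * 10_000_000, USN_REASON_FILE_CREATE | USN_REASON_CLOSE, "new.log"),
    ])
    return delete_events(parse_usn_records(journal))

if __name__ == "__main__":
    for ev in demo():
        print(ev["time"].isoformat(), f"MFT #{ev['record']} seq {ev['seq']}", ev["name"], "deleted")
```

The one event returned says that MFT record 41 with sequence number 1 (`secrets.txt`) was deleted ten minutes after creation; the later entry for record 41 with sequence number 2 (`new.log`) is a different file that took over the slot, which is exactly why any $MFT-to-$UsnJrnl join has to match on record number and sequence number together, never on the record number alone.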
