Short answer: Deleted files on NTFS can usually be recovered until their MFT record slot is reused and their data clusters are overwritten. For small files, the contents often sit inside the MFT record itself and survive even when the clusters are gone. The reliable workflow is: stop using the volume, image it, then either replay the MFT with a forensic parser or carve the disk for FILE signatures.
Why deletion does not erase
When Windows deletes a file from an NTFS volume, three things happen and one thing does not:
- The in-use flag in the file's MFT record is cleared.
- The clusters that held the file's data are marked free in
$Bitmap. - The parent directory's index entry is removed.
What does not happen: nothing actually overwrites the record or the clusters. They are simply marked as available for the next allocation. Until something else claims them, the file is recoverable. See what survives when you delete a file on NTFS for the field-by-field detail.
Step 1: stop writing to the volume
Every write you make on the volume risks reusing the deleted record's slot or its data clusters. If the file matters:
- Stop the application that touched it.
- If the file lived on the system drive and the system is still running, the OS itself is constantly writing. Power down or boot from external media.
- For an external drive, unmount immediately.
Step 2: image the disk
Work on a copy, never the original. The standard options:
- FTK Imager — free, GUI, produces
.ddor.E01images. Hashes the source during read. ddon Linux/macOS — bit-for-bit copy.dd if=/dev/sdX of=disk.img bs=4M conv=noerror,sync status=progress.ddrescue— slower, but tolerates read errors on failing drives.
Hash the image (SHA-256) immediately after acquisition. Every later step works against the image.
Step 3: recover with one of three approaches
MFT replay — parse $MFT (extract it from the image, or read it in place) with a tool that lists deleted records. The deleted file's name, timestamps, and (for small files) data are recoverable from the record itself.
- MFTECmd lists deleted records and tags resident data.
- The browser parser on this site filters to deleted entries with one click and lets you export their metadata to CSV.
File-system-aware recovery tools — these read the live filesystem (or image) and present deleted files for selective restore:
- R-Studio — commercial, the analyst's pick for NTFS. Handles complex damage.
- TestDisk + PhotoRec — free, mature, good for partition damage and signature carving.
- Recuva — consumer-grade but fine for single-drive single-file recoveries.
Signature carving — when the MFT is gone, scalpel, foremost, or PhotoRec scan the raw image for known file signatures (JPEG FF D8 FF, PNG 89 50 4E 47, ZIP 50 4B 03 04, and so on) and reassemble what they find. Carved files lose their filenames and timestamps — those lived in the MFT — but the bytes themselves come back.
What is genuinely unrecoverable?
- Overwritten clusters. Modern HDDs offer no realistic path to recover data that has been written over once. The fanciful "remnant magnetisation" recovery from older forensics literature does not apply to drives manufactured this decade.
- SSD blocks reclaimed by TRIM. Once the SSD controller has TRIM'd a block, the underlying flash is zeroed during garbage collection. The data is gone, fast.
- Encrypted volumes without the key. BitLocker, VeraCrypt, or LUKS-encrypted NTFS volumes are unrecoverable without the recovery key — the cleartext never touched the disk in the first place.
When MFT recovery is the only option
If the file was a small text file, a small JSON config, or a small script, the data was probably resident — stored inline inside the MFT record rather than in separate clusters. Even if $Bitmap has been overwritten dozens of times, the resident bytes still sit in the record until the slot is reused. See resident data.
For these files, the browser parser is often the fastest path: drop the $MFT you exported, filter to deleted entries, look for records with resident $DATA, and copy the bytes back out.
Frequently asked questions
How long do deleted files stay recoverable on NTFS?
Until the MFT slot is reused and the data clusters are overwritten. On a busy system this is hours. On an idle system it can be months. There is no fixed timer.
Does emptying the Recycle Bin make recovery harder?
No. The Recycle Bin is just a hidden directory ($Recycle.Bin) on each volume. "Emptying" deletes the files normally — the same recovery techniques apply.
Can I recover files deleted with del /F or shift+delete?
Yes — these skip the Recycle Bin but delete the same way. The MFT record is still there until reused.
Can I recover files from a formatted NTFS drive?
Quick format only rewrites the boot sector and a fresh $MFT. Most of the old data clusters are intact and so are many of the previous MFT records (NTFS reuses the same starting offset). Signature carving recovers a lot. Full format zeroes the volume — that data is gone.