Every NTFS file has a $DATA attribute that holds its contents. For most files, $DATA is non-resident — it points to a list of cluster runs elsewhere on the volume. But when a file is small enough, its bytes live inside the MFT record itself.
How small is small enough?
An MFT record is 1,024 bytes. Subtract the record header, $STANDARD_INFORMATION, at least one $FILE_NAME, and any other metadata, and you have roughly 700 bytes of usable space for $DATA.
Files smaller than that — config snippets, registry values, shortcut targets, batch scripts, certain log lines — frequently live entirely inside the MFT.
Why this matters
A resident $DATA attribute can be recovered without reading the rest of the disk. If you have a copy of $MFT, you already have:
- The full contents of small text files
- Lots of $INDEX_ROOT data for directories
- Short alternate data streams
- Reparse points and symlink targets
That is a surprising amount of evidence inside a single 200 MB extract.
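As an added example (not code from the original article), here is a minimal Python parser that pulls resident $DATA out of one 1,024-byte FILE record. It applies the update sequence fixups first, because content that crosses the end of a 512-byte sector would otherwise come back with two wrong bytes. Field offsets follow the standard NTFS record and attribute header layout; `build_sample_record` and everything it produces is constructed test input, not data from a real volume.

```python
import struct

RECORD_SIZE, SECTOR = 1024, 512          # record size as stated on the page
ATTR_DATA, ATTR_END = 0x80, 0xFFFFFFFF   # $DATA type code, end-of-attributes marker

def apply_fixups(rec):
    """Undo the update sequence: restore the real last 2 bytes of each sector."""
    buf = bytearray(rec)
    usa_off, usa_count = struct.unpack_from("<HH", buf, 0x04)
    usn = buf[usa_off:usa_off + 2]
    for i in range(1, usa_count):
        end = i * SECTOR
        if buf[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        buf[end - 2:end] = buf[usa_off + 2 * i:usa_off + 2 * i + 2]
    return buf

def resident_data(rec):
    """Return [(stream_name, content)] for each resident $DATA attribute."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    buf, out = apply_fixups(rec), []
    off = struct.unpack_from("<H", buf, 0x14)[0]      # offset of first attribute
    while off + 0x18 <= len(buf):
        atype, alen = struct.unpack_from("<II", buf, off)
        if atype == ATTR_END or alen < 0x18 or off + alen > len(buf):
            break
        nonres, nlen, noff = struct.unpack_from("<BBH", buf, off + 8)
        clen, coff = struct.unpack_from("<IH", buf, off + 0x10)
        if atype == ATTR_DATA and nonres == 0 and coff + clen <= alen:
            name = buf[off + noff:off + noff + 2 * nlen].decode("utf-16-le")
            out.append((name, bytes(buf[off + coff:off + coff + clen])))
        off += alen
    return out

def build_sample_record(content, stream=""):
    """Constructed test input (not from a real volume): one resident $DATA."""
    name = stream.encode("utf-16-le")
    coff = (0x18 + len(name) + 7) & ~7                # content is 8-byte aligned
    alen = (coff + len(content) + 7) & ~7
    attr = struct.pack("<IIBBHHHIHBB", ATTR_DATA, alen, 0, len(stream),
                       0x18, 0, 0, len(content), coff, 0, 0)
    attr = ((attr + name).ljust(coff, b"\0") + content).ljust(alen, b"\0")
    rec = bytearray(RECORD_SIZE)
    struct.pack_into("<4sHH", rec, 0, b"FILE", 0x30, 3)   # USA at 0x30, 3 words
    struct.pack_into("<HHII", rec, 0x14, 0x38, 1, 0x38 + alen + 8, RECORD_SIZE)
    rec[0x38:0x38 + alen] = attr
    struct.pack_into("<I", rec, 0x38 + alen, ATTR_END)
    rec[0x30:0x32] = b"\x07\x00"                          # update sequence number
    for i in (1, 2):                                      # stamp each sector tail
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = rec[0x30:0x32]
    return bytes(rec)
```

To sweep a $MFT extract, call `resident_data` on each `RECORD_SIZE`-byte slice and skip slices that raise `ValueError`.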
Resident does not mean stable
When a resident file grows beyond the record's free space, NTFS converts it to non-resident — the data moves out to clusters and $DATA becomes a runlist. The reverse can happen too: a file shrunk below the threshold may become resident again, though Windows rarely does this voluntarily.
In a triage, a file that was once large and is now resident is unusual. Worth a closer look.