Most file systems treat metadata and data as fundamentally different entities—metadata in special structures, data in allocated blocks. NTFS takes a more unified approach: both metadata and small file data can reside directly within MFT records. This design decision—resident attributes—is central to NTFS's efficiency and elegance.

When you create a tiny text file or a Windows shortcut (.lnk), the file's entire contents may never touch the volume's data clusters. Instead, everything—timestamps, permissions, filename, AND the actual data—lives within a single MFT record. This locality has profound implications for performance, fragmentation, and even forensic analysis.

What Makes an Attribute Resident?

An attribute is resident when its data is stored directly within the attribute's MFT record entry, immediately following the attribute header. No external clusters are allocated; no data runs are needed. The attribute is self-contained.

Resident Attribute Layout:

+----------------------------+
| Common Attribute Header    |  14 bytes
|   Type, Length, Flags...   |
+----------------------------+
| Resident Header            |  8 bytes
|   Content Length (4)       |
|   Content Offset (2)       |
|   Indexed Flag (1)         |
|   Padding (1)              |
+----------------------------+
| [Attribute Name if any]    |  Variable
+----------------------------+
| CONTENT DATA               |  Variable (within record limits)
+----------------------------+

The Resident Header Fields:

• Content Length: Size of the actual attribute data in bytes
• Content Offset: Byte offset from the attribute start to the content
• Indexed Flag: Whether this attribute is indexed (e.g., $FILE_NAME in directory indices)

Why Resident Storage Matters:

1. Single I/O Operation: Reading a resident file requires only one MFT record read
2. No Fragmentation: Resident data cannot fragment—it's in the MFT
3. Atomic Metadata Access: All file properties and small data are co-located
4. Space Efficiency: Avoids cluster allocation overhead for tiny files

Certain NTFS attributes are always resident by design. They contain critical metadata that must be immediately accessible when reading an MFT record.

$STANDARD_INFORMATION (Type 0x10):

Every file and directory has exactly one $STANDARD_INFORMATION attribute, always resident. It contains:

Offset   Size    Field
0x00     8       Creation Time
0x08     8       Modification Time
0x10     8       MFT Record Change Time
0x18     8       Access Time
0x20     4       File Attributes (DOS flags)
0x24     4       Maximum Versions
0x28     4       Version Number
0x2C     4       Class ID
--- NTFS 3.0+ extended fields ---
0x30     4       Owner ID
0x34     4       Security ID
0x38     8       Quota Charged
0x40     8       Update Sequence Number (USN)

Time Stamps:

NTFS stores timestamps as 64-bit values representing 100-nanosecond intervals since January 1, 1601 (UTC). This is Windows FILETIME format:

// Convert FILETIME to human-readable
void filetime_to_string(int64_t ft, char *buffer) {
    // FILETIME is 100ns intervals since 1601-01-01
    // Unix epoch (1970-01-01) = 116444736000000000 * 100ns
    time_t unix_time = (ft - 116444736000000000LL) / 10000000LL;
    strftime(buffer, 32, "%Y-%m-%d %H:%M:%S", gmtime(&unix_time));
}

File Attributes (DOS Flags):

The attributes field contains traditional DOS flags plus NTFS additions:

The $FILE_NAME attribute (Type 0x30) is always resident and contains the file's name, parent directory reference, and a copy of key timestamps. A file may have multiple $FILE_NAME attributes:

• Win32 name: The full Windows filename
• DOS name: The 8.3 short name (if enabled and different)
• POSIX name: Case-sensitive name (rarely used)
• Additional hard links: Each hard link adds a $FILE_NAME

$FILE_NAME Structure:

Offset   Size    Field
0x00     8       Parent Directory MFT Reference
0x08     8       Creation Time
0x10     8       Modification Time
0x18     8       MFT Record Change Time
0x20     8       Access Time
0x28     8       Allocated Size (disk space)
0x30     8       Data Size (actual size)
0x38     4       Flags
0x3C     4       Reparse Tag (if reparse point)
0x40     1       Name Length (characters)
0x41     1       Name Type (namespace)
0x42     var     Filename (UTF-16LE)

Name Types (Namespaces):

Why Two Sets of Timestamps?

Both $STANDARD_INFORMATION and $FILE_NAME contain timestamps. Why?

1. $STANDARD_INFORMATION timestamps: Updated by file operations (write, attribute changes). These are the 'real' file times.

2. $FILE_NAME timestamps: Updated only when the filename is modified (renamed). These are the times shown in directory listings.

This distinction is important for forensics: malware might modify $SI timestamps to hide activity, but $FN timestamps in directory entries may still reveal the truth.

Example: File with Multiple $FILE_NAME Attributes:

File: "MyDocument.txt"
MFT Record 1234:

$STANDARD_INFORMATION (1 instance)
    Creation: 2024-01-15 10:30:00
    Modified: 2024-01-20 14:22:00
    
$FILE_NAME #1 (Win32)
    Parent: MFT Ref 5 (root directory)
    Name: "MyDocument.txt"
    Namespace: Win32 (1)
    
$FILE_NAME #2 (DOS)
    Parent: MFT Ref 5 (root directory)
    Name: "MYDOCU~1.TXT"
    Namespace: DOS (2)
    
$DATA (unnamed)
    Size: 156 bytes (resident)

NTFS's ability to store $DATA attributes as resident enables a crucial optimization: small files require no cluster allocation. This is particularly significant for systems with millions of small files.

Resident $DATA Threshold:

The maximum resident $DATA size depends on:

• MFT record size (typically 1024 bytes)
• Space consumed by required attributes
• Filename length

Typical available space for resident $DATA:

MFT Record:           1024 bytes
- Header:              ~48 bytes
- $STANDARD_INFO:      ~72 bytes  
- $FILE_NAME (Win32):  ~90 bytes (assuming 20-char name)
- $FILE_NAME (DOS):    ~76 bytes
- End marker:           ~8 bytes
----------------------------
Remaining for $DATA:  ~730 bytes

Files up to approximately 700-750 bytes can be fully resident (varies with filename length).

Performance Benefits:

Real-World Impact:

Consider a code repository with 50,000 files where 60% are under 700 bytes (source files, configuration, scripts):

• 30,000 files are fully resident
• Directory listing (stat calls) requires only MFT reads
• No separate data cluster I/O for these files
• Full text search can scan MFT sequentially

This explains why NTFS handles large numbers of small files more efficiently than file systems that always allocate external blocks.

Transition Mechanics:

When a resident file grows beyond the threshold:

1. NTFS allocates cluster(s) from free space
2. The resident data is copied to the allocated clusters
3. The $DATA attribute is converted to non-resident format
4. Data runs are written to describe the new location

When a non-resident file shrinks below the threshold:

1. If the remaining data fits in the MFT record, NTFS may convert it back to resident
2. This isn't guaranteed—NTFS may leave it non-resident for efficiency
3. The compact command or defragmentation can force reconversion

Beyond $STANDARD_INFORMATION and $FILE_NAME, several other attributes are typically or always resident:

$OBJECT_ID (Type 0x40) — Always Resident

A 64-byte attribute containing:

• Object ID (16 bytes): GUID uniquely identifying this file
• Birth Volume ID (16 bytes): GUID of volume where file was created
• Birth Object ID (16 bytes): Original Object ID
• Domain ID (16 bytes): Reserved

Object IDs enable file tracking across renames and moves. The Distributed Link Tracking service uses these to update shortcuts when target files move.

$VOLUME_NAME (Type 0x60) — Always Resident

Found only in $Volume (MFT record 3). Contains the volume label as a Unicode string.

$VOLUME_INFORMATION (Type 0x70) — Always Resident

Also only in $Volume. Contains:

• Reserved (8 bytes)
• Major Version (1 byte): e.g., 3
• Minor Version (1 byte): e.g., 1 = NTFS 3.1
• Flags (2 bytes): DIRTY_FLAG, RESIZE_LOG_FILE, etc.

$INDEX_ROOT (Type 0x90) — Always Resident

The root of a B+ tree index, always stored in the MFT record. For directories, this is the $I30 index (index of $FILE_NAME attributes). Contains:

• Index header
• Collation rule
• Index entries (if small enough)
• Or just the root node pointing to $INDEX_ALLOCATION for large directories

Some resident attributes participate in NTFS's B+ tree indexing system. The Indexed Flag in the resident attribute header indicates whether an attribute is indexed.

The Indexed Flag:

In the resident attribute header, byte 0x16 (the indexed_flag field) indicates:

• 0: Not indexed
• 1: Indexed by the parent directory (or another index)

$FILE_NAME and Directory Indices:

The primary use of indexed attributes is directory organization. Each directory has an index named $I30 (for $INDEX_ALLOCATION, type 0x30 = $FILE_NAME). This index is a B+ tree containing references to files in that directory.

Each $FILE_NAME attribute in a file's MFT record has its indexed flag set to 1 (if the file is in a directory). The corresponding directory's $I30 index contains an entry for this filename.

Index Structure:

Directory MFT Record:
├── $STANDARD_INFORMATION
├── $FILE_NAME
├── $INDEX_ROOT (name="$I30")
│   └── Contains index entries for small directories
└── $INDEX_ALLOCATION (name="$I30") [if directory is large]
    └── B+ tree nodes on allocated clusters

Index Entry Format:

+------------------------+
| File Reference (8)     |  MFT reference to the file
+------------------------+
| Entry Length (2)       |  Total length of this entry
+------------------------+
| Attr Value Length (2)  |  Length of indexed attribute
+------------------------+
| Flags (4)              |  INDEX_ENTRY_NODE, INDEX_ENTRY_END
+------------------------+
| [Indexed Attribute     |  Copy of $FILE_NAME for file
|  value (variable)]     |
+------------------------+
| [Sub-node VCN (8)]     |  Only if INDEX_ENTRY_NODE flag set
+------------------------+

Resident attributes have significant implications for digital forensics and data recovery. Understanding these characteristics is essential for security professionals and incident responders.

Deleted File Recovery:

When a file is deleted:

1. The MFT record is marked as "not in use" (flag cleared)
2. The filename is removed from the parent directory's index
3. The record's sequence number is incremented
4. The MFT record contents are NOT zeroed

For resident files, this means:

• The complete file data remains in the MFT record
• All metadata ($SI, $FN) is intact
• Recovery is possible until the MFT record is reused

MFT records are typically reused in order (though not strictly FIFO), so a deleted resident file often survives longer than deleted non-resident data, which can be overwritten by any file operation allocating clusters.

Timestamp Discrepancies:

As mentioned earlier, $STANDARD_INFORMATION and $FILE_NAME contain separate timestamps:

• $SI timestamps: Updated by normal operations (CreateFile, WriteFile)
• $FN timestamps: Updated only when filename changes

Malware or anti-forensics tools often modify $SI timestamps to hide activity. But they frequently forget to also modify $FN timestamps. This discrepancy (called 'time stomping detection') can reveal:

• Files that have been backdated
• Recently created files disguised as old
• Evidence of malicious timeline manipulation

Resident attributes significantly impact NTFS performance. Understanding these effects helps system administrators and developers optimize their workloads.

MFT as Performance Critical Path:

Every file operation begins with an MFT lookup. Resident attributes determine how much information is immediately available:

Operation: GetFileAttributes("C:\config.ini")

If config.ini is resident:
1. Locate directory's MFT record
2. Search $I30 index for "config.ini"
3. Read file's MFT record
4. Return $STANDARD_INFORMATION attributes
→ 2-3 MFT reads total

If file is non-resident:
→ Same 2-3 MFT reads (attributes come from resident $SI)

// The difference comes with GetFileTime + ReadFile:

If data is resident:
→ 2-3 MFT reads (everything in MFT record)

If data is non-resident:
→ 2-3 MFT reads + 1-N data cluster reads

MFT Caching:

Windows aggressively caches MFT records in memory. The file system cache keeps frequently accessed MFT records resident, making repeated access to small files extremely fast. This is why listing directories with many small files can be faster than you'd expect.

Impact of Filename Length:

Longer filenames consume more space in MFT records, leaving less room for resident $DATA:

• Short name (8 chars): ~70 bytes for $FILE_NAME
• Medium name (50 chars): ~130 bytes
• Maximum name (255 chars): ~580 bytes

With a 255-character filename plus Win32+DOS names, almost no space remains for resident data. This is another reason to prefer reasonable filename lengths.

We've explored NTFS resident attributes in depth—the attributes that live entirely within MFT records. Let's consolidate our understanding:

What's Next:

Now that we understand the MFT and resident attributes, we'll explore the NTFS Change Journal ($UsnJrnl)—a powerful feature that tracks all file system modifications. The Change Journal enables applications like search indexers, backup software, and security tools to efficiently detect changes without scanning the entire volume.