Offset/Purpose
0-3 Signature: ether FILE or BAAD, which denotes a bad entry.
4-5 Offset to fixup array
6-7 Number of entries in fixup array
8-15 $LogFile sequence number
16-17 Sequence value
18-19 Link count
20-21 Offset to first attribute
22-23 Flags:
0x00 not in use
0x01 in use
0x02 directory
0x03 directory in use
-
Deleting a file changes the flag to 0x00, but does nothing to clear out the data, thus many deleted file's metadata is still recoverable as long as the record hasn't been recycled.
24-27 Used size of MFT entry
28-31 Allocated size of MFT entry
32-39 File reference to base record
40-41 Next attribute identifier
42-1,023 Attributes and fixup values
Difference between NTFS 3.1 and previous NTFS versions is the inclusion of the record number at offset 0x2C. Due to this change, the byte after the word 'FILE' changes the ASCII letter from asterisk "*" to zero "0".