NTFS file system – storage and data recovery

In this article, we will analyze the main differences and key points of the file system and determine if it made sense to switch from FAT to NTFS.

Файловая система NTFS


  1. NTFS is a "new technology file system"
  2. Scalability
  3. Reliability
  4. Security
  5. NTFS compression technology
  6. Alternative data flows in NTFS
  7. Sparse files
  8. Reprocessing points

Before the mass distribution of Windows NT family operating systems (2000, XP, Vista, 7, 10, Server, etc.), most Microsoft products, as well as MS-DOS using the FAT file system, which was developed by B. Gates back in the mid-80s. FAT has proved itself as a reliable and proven file system (FS), but with the development of technology and increasing the amount of drives, Microsoft introduced NTFS – a new FS, which is actively used to date.

NTFS is a “new technology file system”

FAT FS was designed specifically for use with floppy disks, which have become a thing of the past with CDs and USB drives’ mass distribution. FAT is poorly suited for scaling, and the maximum file size of 4 gigabytes imposed many limitations. The outdated file system format did not have the required security features and did not allow for the recovery of deleted information. These reasons forced Microsoft to develop a new file system.

Interesting fact: as of 2016, only one factory in Taiwan is producing 3.5″ floppy diskettes.

During the development of NTFS, Microsoft used some of the developments and some of the existing FAT and HPFS (file system for the OS/2 operating system, which was developed by Microsoft together with IBM). After several years of active development, Microsoft introduced its new NTFS in Windows NT 3.1 – a specialized operating system for servers and workstations.

NTFS is an unusual file system, which is based on… files. Indeed, every element of NTFS is a file. Even the NTFS structure itself: its log, main file table (MFT), and other elements are built and oriented directly on files.

Let’s take a closer look at the main points and benefits of NTFS.


Microsoft was developing the NTFS at a time when the volume of 1 gigabyte was considered quite significant. However, the developers anticipated a powerful leap in digital technology, so the new file system was created “with reserve”. Thus, the maximum theoretical volume size is limited to 16 exabytes, about one million terabytes. At the moment, there is no storage medium for private use that comes at least a little closer to this mark. From this, we can conclude that NTFS has excellent scalability, which has significantly outpaced its time.

An interesting fact: one of the most voluminous and at the same time mobile drives is the storage based on the Snowmobile truck by Amazon. Its capacity is 100000 terabytes, and the storage device itself is transported in a sea container mounted on an 18-wheeled tractor. This solution is necessary for the fast transportation of oversized archives of companies, state corporations, and other institutions.


Reliability has never been a strength of the FAT file system. Due to its specific structure, even minor damage to the file location table can lead to the loss of a significant amount of information over time.

In NTFS, this problem has been offset by the introduction of shadow copies of the volume and automatic logging of the file system, where all records are captured. In the event of a failure, the System may turn to the journal entry and roll back all the uncommitted changes.

Simultaneously, the Shadow Copying feature shall recover the data and select the required overwritten versions of files (including system components, settings, software components, etc.) that can be recorded on a third party drive for convenience.


The FAT32 has no built-in security system. It lacks access control, system encryption, and level encryption with binding to a specific account.

NTFS has all the functions described above and also offers additional security features.

OS-level security includes access control lists that control each file’s permissions, folder, or another object. The lists specify which users or groups (local or network) can perform various manipulations on objects (read-only, modify, delete, no access, etc.).

It should be noted that such a security measure is not a hindrance to the recovery of lost information. For example, the RS NTFS Recovery utility perfectly fulfills its task, bypassing the file system’s permissions.

However, several other security measures in NTFS should be described in more detail

NTFS can perform encryption at the object level, allowing encrypting specific folders and files from other users on the same computer. The essence of this is that the selected files for encryption will be automatically decrypted at login with the right account. At the same time, for all others, the objects will remain inaccessible.

It is important to note that if a user loses data to access the account (the password can be reset by the computer administrator or changed by malware), it is likely that the files will remain locked without reading or unlock them.

It should be noted that encrypted files in NTFS retain their structure, so the deleted encrypted data can be recovered using RS Partition Recovery or RS NTFS Recovery, just like files that are not encrypted. The recovered files will also retain the encryption, which can be removed with the appropriate password.

Built-in NTFS encryption is great for protecting data at the system level (between users of the same PC). Still, for greater security, Windows has an additional BitLocker encryption system designed to encrypt entire logical partitions.

It allows secure use and operation of multiple users on one computer, as well as preventing offline attacks (for example, when an attacker extracts a hard drive with valuable information and tries to read it on another PC, the partitions will not be available until a special key is entered for decryption).

Important: Once the BitLocker key is entered, the encrypted partitions will be accessible to all PC users.

NTFS compression technology

Another feature of the NTFS file system is compressing the contents of files and folders to save space on the drive. This feature works fast enough and allows you to read individual pieces of data without unpacking the whole file.

The compressed file is perceived by the NTFS file system as ordinary information, so if the compressed data is lost, the user can use RS Partition Recovery or RS NTFS Recovery to restore the compressed information without any loss.

Alternative data flows in NTFS

NTFS implements support for alternative data streams, originally designed to ensure compatibility between different file systems.

At the moment, alternative data streams are used for security purposes, as this technology allows you to put “tags” on files from which the system can automatically detect potentially dangerous objects. Tags may contain data on the manufacturer or author of a file, as well as on its origin.

Besides, alternative flows may contain absolutely any files with almost any size, which may exceed a file’s size from the main thread. This possibility of alternative data flows a serious security hole, which is often used by malware developers. Fortunately, most modern antiviruses have reliable scanning systems, which also check information in alternative threads.

RS NTFS Recovery works with alternative data flows, so deleted files will save all the flows and their contents after recovery.

Sparse files

An unusual additional feature of NTFS is working with so-called “Sparse files”.

In sparse files, unused (empty) areas are represented as metadata, which does not take up physical space on the drive.

How is this useful? Let’s imagine a database that consists of one primary file of several terabytes. To create or save a file of this size on your hard drive, it may take the system a considerable amount of time to fill the unused disk space with zeros. This process can be greatly accelerated when using NTFS because the FS supports specifying empty areas as metadata references.

Reprocessing points

Reparse Points allows you to create hard or symbolic links in the NTFS file system, through which the user can perform various manipulations with data and its location. You can learn more about this feature in the article: “Symbolic and Hard Links in Windows“, which provides examples of their creation, as well as their main features.

It should be noted that RS NTFS Recovery, like other utilities from Recovery Software, perfectly cope with such data.

Frequently Asked Questions

Den Broosen

About Den Broosen

Author and site editor for RecoverySoftware. In his articles, he shares his experience of data recovery on a PC and the safe storage of information on hard drives and RAID arrays.
Leave a comment
Online Chat with Recovery Software