2 votes
How do you tell from MFT metadata if it contains actual data in MFT entry?

by User Runfastman (8.4k points)

1 Answer

2 votes

Final answer:

To tell if an MFT entry contains actual data, check its Data Attribute, which indicates if the data is resident (stored within the MFT entry) or non-resident (pointers to data location on disk). The 'real size' of the data should also be greater than zero to suggest the entry contains actual data.

Step-by-step explanation:

To determine if an MFT (Master File Table) entry in the NTFS file system contains actual data, you need to examine specific metadata associated with the file entry. The MFT contains entries for each file and directory on an NTFS volume. Each MFT entry includes attributes that describe the file or directory, such as its name, timestamp, and data attributes.

A key attribute to look for is the Data Attribute, which specifies whether the file has data associated with it. If the Data Attribute is non-resident, it means the data is not stored within the MFT entry itself, but somewhere else on the disk, and the MFT entry will contain pointers to the data's actual location. In contrast, a resident Data Attribute indicates that the file's data is small enough to be stored directly within the MFT entry itself.

Additionally, the size of the data can be a hint. If the 'real size' (actual size of the data) listed in the entry is greater than zero, that suggests the presence of actual data linked to that MFT entry. Conversely, if this value is zero, it may indicate an empty file with no data or a system metadata file that does not contain user data.

by User Ruediger Keller (8.1k points)
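
The check described in the answer can be run directly against a raw 1024-byte MFT record. The following is an added example, not part of the original answer: it walks the attribute list, finds each $DATA attribute (type 0x80), and reports whether it is resident and what its real size is. The field offsets follow the commonly documented NTFS attribute header layout; the function names and sample records are constructed for illustration, and the code assumes the update sequence (fixup) array has already been applied.

```python
import struct

DATA, END = 0x80, 0xFFFFFFFF   # $DATA attribute type, end-of-attributes marker

def data_streams(record: bytes):
    """Return [(stream_name, 'resident'|'non-resident', real_size)] per $DATA attribute.
    Assumption: fixups were already applied to the record by the caller."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    out, off = [], struct.unpack_from("<H", record, 20)[0]    # offset of first attribute
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END or alen < 24 or off + alen > len(record):
            break                                              # end marker or corrupt length
        if atype == DATA:
            non_res, name_len, name_off = struct.unpack_from("<BBH", record, off + 8)
            name = record[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
            if non_res:   # content is in clusters; real size is a 64-bit field at +48
                size = struct.unpack_from("<Q", record, off + 48)[0]
            else:         # content is inside the entry; length is a 32-bit field at +16
                size = struct.unpack_from("<I", record, off + 16)[0]
            out.append((name, "non-resident" if non_res else "resident", size))
        off += alen
    return out

def has_data(record: bytes) -> bool:
    return any(size > 0 for _, _, size in data_streams(record))

# --- constructed sample records (built here, not taken from a real volume) ---
def _record(*attrs: bytes) -> bytes:
    hdr = bytearray(56)
    hdr[0:4] = b"FILE"
    struct.pack_into("<HH", hdr, 20, 56, 0x01)                 # first attribute at 56, in-use flag
    return (bytes(hdr) + b"".join(attrs) + struct.pack("<I", END)).ljust(1024, b"\0")

def _resident(content: bytes) -> bytes:
    padded = content.ljust(-(-len(content) // 8) * 8, b"\0")   # pad content to 8 bytes
    return struct.pack("<IIBBHHHIHBB", DATA, 24 + len(padded), 0, 0, 24, 0, 0,
                       len(content), 24, 0, 0) + padded

def _non_resident(real_size: int, alloc: int) -> bytes:
    runs = b"\x11\x01\x10\x00".ljust(8, b"\0")                 # one run: 1 cluster at LCN 0x10
    return struct.pack("<IIBBHHHQQHHIQQQ", DATA, 72, 1, 0, 64, 0, 0,
                       0, 0, 64, 0, 0, alloc, real_size, real_size) + runs

SMALL = _record(_resident(b"hello"))        # data stored inside the MFT entry
LARGE = _record(_non_resident(3000, 4096))  # data stored in clusters on disk
EMPTY = _record(_resident(b""))             # zero-length $DATA
```

A record can carry more than one $DATA attribute (named alternate data streams), which is why the function returns a list rather than a single result.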