How many MFT entries are overwritten by writing to NTFS disk one single very large file?

Question

From Windows (either 10 or 11, but it probably doesn't matter) I moved all files from an NTFS partition of my internal hard drive to an external HDD. After this I wrote one extremely large file to the partition of my internal hard drive, then deleted such large file. I powered off my computer and never turned on again. Then the external HDD broke. I am only interested in the directory tree (especially file names) of my files, not on the contents. Is this essentially completely recoverable (via MFT entries), and are there any GNU/Linux tools for reading such MFT table?

Because there was probably just one MFT entry corresponding to my added large file (https://stackoverflow.com/questions/11619921/can-a-short-file-uses-more-mft-records-than-a-longer-file) and it seems like the space for MFT entries of deleted files is not reclaimed as disk space, then I would that I may recover filenames for all my files except for one (if the MFT entry of my large file overwrote an MFT entry which was previously in use), give or take few temp files involved in the shutdown process of Windows. Am I correct?

Answer 1

The $MFT is a "database" of 1 KB records. For each file on the NTFS drive at least one record is used. A highly fragmented file could use more than 1 record.

Assume the current $MFT is 100000 records (* 1024 bytes) in size. You delete 10000 files. Now the records for each of these files is flagged 'free' or 'not in use'. But we still have a $MFT of 100000 records.

You now create this huge file, we'll assume it's contiguous. So this file requires exactly 1 record. So theoretically you can still find records for all 10000 files (minus 1) you deleted previously.

I would that I may recover filenames for all my files except for one

While the 10000 files you deleted (or moved to other drive, does not matter, the file system treats them as 'deleted') may no longer be recoverable because clusters allocated to the files may have been partially overwritten by the huge file you copied to the drive later, the file names I suspect not to be a problem.

The huge file impacts free space inside the partition, it hardly has impact on the $MFT. It's just one file and it requires one record (unless severely fragmented).