The following scenario demonstrates a potentially confusing situation you might face as an investigator. Knowing extensively the NFTS internals will help you to reach at valid conclusions.
Assume that you have located a deleted suspicious file called showme.jpg.exe relevant to your case in a NTFS formatted volume. You go to its $MFT record entry, you verify that metadata match and entry flag is unallocated. However, surprisingly you discover that there is only one $DATA resident attribute with content having
[ZoneTransfer]
ZoneId=3