MFT Record Attributes
MFT Record Attributes
File metadata is stored within various attributes within each MFT record. Each attribute is uniquely identified by a header followed by attribute information. The number of attributes assigned to an MFT record depends on whether it pertains to a file or a directory and what additional metadata needs to be applied to that file or directory.
The following file attributes are of interest to the malware investigator:
| Attribute Header | Attribute Name |
| 0x10 | $STANDARD_INFORMATION |
| 0x30 | $FILE_NAME |
| 0x40 | $OBJECT_ID |
| 0x80 | $DATA |
A snippet of an MFT record containing the above attributes is detailed below:
The above MFT entry is displayed in hexadecimal format and these values are decoded and referenced in a template on the left together with an ASCII interpretation on the right.
Additional information…
Attribute headers will only start on an 8 byte boundary. A raw view of the above MFT entry without the use of templates is detailed below. See if you can identify the header and the 4 file attributes in question?
Interestingly you may have noted that the offset displayed in the above image is in an hexadecimal format whilst the templated view is displayed in a decimal format. The data relating to the actual MFT entry itself is of course identical.
Introduction to Digital Forensics: Malware Analysis and Investigations
Introduction to Digital Forensics: Malware Analysis and Investigations
Reach your personal and professional goals
Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.
Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.
