# MFT Record Attributes

Article detailing an overview of NT File System $MFT file segment entry (record) attributes of interest to the Malware Investigator.

© PA Knowledge Ltd | 7Safe Training

File metadata is stored within various attributes within each MFT record. Each attribute is uniquely identified by a header followed by attribute information. The number of attributes assigned to an MFT record depends on whether it pertains to a file or a directory and what additional metadata needs to be applied to that file or directory. The following file attributes are of interest to the malware investigator:

| Attribute Header | Attribute Name |
|---|---|
| 0x10 | $STANDARD_INFORMATION |
| 0x30 | $FILE_NAME |
| 0x40 | $OBJECT_ID |
| 0x80 | $DATA |

A snippet of an MFT record containing the above attributes is detailed below:

The above MFT entry is displayed in hexadecimal format and these values are decoded and referenced in a template on the left together with an ASCII interpretation on the right.

Attribute headers will only start on an 8-byte boundary. A raw view of the above MFT entry without the use of templates is detailed below. See if you can identify the header and the 4 file attributes in question.

Interestingly, you may have noted that the offset displayed in the above image is in a hexadecimal format whilst the templated view is displayed in a decimal format. The data relating to the actual MFT entry itself is of course identical.
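The attribute walk described above, as an added example that is not part of the original article: it reads the first-attribute offset from the record header, then follows each attribute's type and length fields and rejects any header that does not start on an 8-byte boundary. The sample record is constructed (zeroed attribute bodies, no update sequence fixups applied), and the function names are hypothetical.

```python
import struct

# Attribute type codes named in the article; function names are hypothetical.
ATTR_NAMES = {0x10: "$STANDARD_INFORMATION", 0x30: "$FILE_NAME",
              0x40: "$OBJECT_ID", 0x80: "$DATA"}
END_MARKER = 0xFFFFFFFF  # terminates the attribute list


def walk_attributes(record: bytes):
    """Return [(offset, type_code, name, length, resident)] for one MFT record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT file record (missing FILE signature)")
    # Record header: offset 0x14 = first attribute, 0x18 = bytes in use.
    first_attr, = struct.unpack_from("<H", record, 0x14)
    used_size, = struct.unpack_from("<I", record, 0x18)
    found, off = [], first_attr
    while off + 8 <= min(used_size, len(record)):
        type_code, length = struct.unpack_from("<II", record, off)
        if type_code == END_MARKER:
            break
        # Headers only start on 8-byte boundaries; anything else means a
        # corrupt or tampered record, so stop rather than misparse it.
        if off % 8 or length < 16 or length % 8 or off + length > len(record):
            raise ValueError(f"malformed attribute at offset {off:#x}")
        resident = record[off + 8] == 0  # byte 8 of the header: non-resident flag
        found.append((off, type_code, ATTR_NAMES.get(type_code, "other"),
                      length, resident))
        off += length
    return found


def build_sample_record() -> bytes:
    """Constructed 1024-byte record holding the four attributes (bodies zeroed)."""
    rec = bytearray(1024)
    rec[0:4] = b"FILE"
    struct.pack_into("<H", rec, 0x14, 0x38)           # first attribute offset
    off = 0x38
    for type_code, length in [(0x10, 0x60), (0x30, 0x68), (0x40, 0x28), (0x80, 0x48)]:
        struct.pack_into("<II", rec, off, type_code, length)
        off += length
    struct.pack_into("<I", rec, off, END_MARKER)
    struct.pack_into("<I", rec, 0x18, off + 8)        # bytes in use
    return bytes(rec)


if __name__ == "__main__":
    for off, code, name, length, resident in walk_attributes(build_sample_record()):
        print(f"{off:#06x}  {code:#04x}  {name:<22} len={length:#x} resident={resident}")
```

A record read from a live volume or image needs its update sequence fixups applied before this walk, since the last two bytes of each sector are substituted on disk.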
