Article detailing an overview of NT File System $MFT file segment entry (record) attribute 0x10 $STANDARD_INFORMATION.
© PA Knowledge Ltd | 7Safe Training


The Standard Information attribute contains the file's ownership information together with the file's permissions and associated dates and times.

This attribute is known as a resident attribute, meaning that all the relevant file information resides within the attribute itself.

An example of a Standard Information attribute is detailed below:

Screenshot of $MFT file segment entry attribute 0x10.

File dates and times are commonly referred to within the forensic community as MAC times. This attribute contains what are known as the primary MAC times, which are explained below:

| Name | Remarks |
|------|---------|
| File Creation | This date and time refers to when the file commenced creation on the volume on which it resides. |
| File Modified | This date and time refers to when the file content was last modified on a volume (not necessarily the volume on which it resides). |
| Record Changed | This date and time refers to when the MFT record itself was last changed. This date and time field is not displayed to a user. |
| Last Accessed Time | This date and time refers to when the file was last accessed by a process (computer or user). This function has been disabled post Windows XP. |

Additional information…

As detailed, the attribute also contains any permissions applied to the file, which are stored as flags. An example of the permissions set on a file is detailed below:

Screenshot of $MFT file segment entry flag permissions.

It can be seen that the only permission set is ‘Archive’. The value of this permission is 0x20.

A list of permission flags is detailed below:

| Flag Value | Description |
|------------|-------------|
| 0x0001 | Read only |
| 0x0002 | Hidden |
| 0x0004 | System |
| 0x0020 | Archive |
| 0x0040 | Device |
| 0x0080 | Normal |
| 0x0100 | Temporary |
| 0x0200 | Sparse file |
| 0x0400 | Reparse point |
| 0x0800 | Compressed |
| 0x1000 | Offline |
| 0x2000 | Content not indexed |
| 0x4000 | Encrypted |
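
The following is an added example, not part of the original article: a short Python parser that decodes the four primary MAC times and the permission flags from a resident 0x10 attribute. The byte offsets used (content size at 0x10 and content offset at 0x14 in the attribute header, four 8-byte FILETIME values followed by a 4-byte flags field in the content) are taken from the publicly documented NTFS on-disk layout rather than from this article, and the sample bytes are constructed for illustration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Flag values exactly as listed in the table above.
FLAGS = {
    0x0001: "Read only", 0x0002: "Hidden", 0x0004: "System",
    0x0020: "Archive", 0x0040: "Device", 0x0080: "Normal",
    0x0100: "Temporary", 0x0200: "Sparse file", 0x0400: "Reparse point",
    0x0800: "Compressed", 0x1000: "Offline",
    0x2000: "Content not indexed", 0x4000: "Encrypted",
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def decode_flags(value):
    return [name for bit, name in FLAGS.items() if value & bit]

def parse_standard_information(attr):
    """Parse one resident 0x10 attribute (attribute header plus content)."""
    attr_type, _length, non_resident = struct.unpack_from("<IIB", attr, 0)
    if attr_type != 0x10:
        raise ValueError("not a $STANDARD_INFORMATION attribute")
    if non_resident:
        raise ValueError("$STANDARD_INFORMATION is always resident")
    # Resident header: content size at 0x10, content offset at 0x14.
    size, offset = struct.unpack_from("<IH", attr, 0x10)
    if size < 0x24 or offset + size > len(attr):
        raise ValueError("attribute content is truncated")
    created, modified, changed, accessed, flags = struct.unpack_from(
        "<4QI", attr, offset)
    return {
        "File Creation": filetime_to_utc(created),
        "File Modified": filetime_to_utc(modified),
        "Record Changed": filetime_to_utc(changed),
        "Last Accessed Time": filetime_to_utc(accessed),
        "Flags": decode_flags(flags),
    }

# Constructed sample: 24-byte resident header + 0x48 bytes of content.
T0 = 132223104000000000            # 2020-01-01 00:00:00 UTC as FILETIME
T1 = T0 + 36_000_000_000           # one hour later
SAMPLE = struct.pack("<IIBBHHHIHBB", 0x10, 0x60, 0, 0, 0x18, 0, 0, 0x48, 0x18, 0, 0)
SAMPLE += struct.pack("<4QI", T0, T1, T1, T1, 0x20).ljust(0x48, b"\x00")
if __name__ == "__main__":
    for field, value in parse_standard_information(SAMPLE).items():
        print(f"{field}: {value}")
```

The constructed sample carries the flag value 0x20, so the parser reports only 'Archive', matching the example described above.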
This article is from the free online

Introduction to Digital Forensics: Malware Analysis and Investigations

Created by
FutureLearn - Learning For Life
