Learn more about this course.

Attribute 0x10 $STANDARD_INFORMATION

Article detailing an overview of NT File System $MFT file segment entry (record) attribute 0x10 $STANDARD_INFORMATION.

Attribute 0x10 STANDARD_INFORMATION

The Standard Information attribute contains the files ownership information together with the files permissions and associated dates and times.

This attribute is known as a resident attribute meaning that all the relevant file information only resides within the attribute itself.

An example of a Standard Information attribute is detailed below:

Want to keep
learning?

This content is taken from
PA Consulting online course,

Introduction to Digital Forensics: Malware Analysis and Investigations

View Course

Screenshot of $MFT file segment entry attribute 0x10.

File dates and times are commonly referred to within the forensic community as MAC times. This attribute contains what are known as primary MAC times an explanation of which are detailed in below:

Name	Remarks
File Creation	This date and time refers to when file commenced creation on the volume it resides.
File Modified	This date and time refers to when the file content was last modified on a volume (not necessarily the volume it resides).
Record Changed	This date and time refers to when the MFT record itself was last changed. This date and time field is not displayed to a user.
Last Accessed Time	This date and time refers to when the file was last accessed by a process (computer or user). This function has been disabled post Windows XP.

Additional information…

As detailed, the attribute also contains any permissions applied to the file which are stored as flags. An example of what permissions are set is detailed below:

Screenshot of $MFT file segment entry flag permissions.

It can be seen that the only permission set is ‘Archive’. The value of this permission is 0x20.

A list of permission flags are detailed below:

Flag Value	Description
0x0001	Read only
0x0002	Hidden
0x0004	System
0x0020	Archive
0x0040	Device
0x0080	Normal
0x0100	Temporary
0x0200	Sparse file
0x0400	Reparse point
0x0800	Compressed
0x1000	Offline
0x2000	Content not indexed
0x4000	Encrypted

Want to keep learning?

This content is taken from PA Consulting online course

Introduction to Digital Forensics: Malware Analysis and Investigations

View Course

See other articles from this course

This article is from the free online

Introduction to Digital Forensics: Malware Analysis and Investigations

Created by

Join Now

Reach your personal and professional goals

Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.

Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.

Start Learning now

Learn more about this course.

Attribute 0x10 $STANDARD_INFORMATION

Want to keep
learning?

Introduction to Digital Forensics: Malware Analysis and Investigations

Want to keep learning?

Introduction to Digital Forensics: Malware Analysis and Investigations

Introduction to Digital Forensics: Malware Analysis and Investigations

Introduction to Digital Forensics: Malware Analysis and Investigations

Reach your personal and professional goals

Register to receive updates

Learn more about this course.

Learn more about this course.

See all FutureLearn courses.

Learn more about this course.

Attribute 0x10 $STANDARD_INFORMATION

Want to keep learning?

Introduction to Digital Forensics: Malware Analysis and Investigations

Want to keep learning?

Introduction to Digital Forensics: Malware Analysis and Investigations

Share this

Introduction to Digital Forensics: Malware Analysis and Investigations

Introduction to Digital Forensics: Malware Analysis and Investigations

Reach your personal and professional goals

Register to receive updates

Learn more about this course.

Learn more about this course.

See all FutureLearn courses.

Want to keep
learning?