Attribute 0x30 $FILE_NAME
Attribute 0x30 $FILE_NAME
The File Name attribute contains the actual file name itself together with the logical size (true size of file) and physical size (size of the file on the file system) of the file.
This attribute is known as a resident attribute meaning that all the relevant file information only resides within the attribute itself.
An example of a File Name attribute is detailed below:
Note this attribute also contains the files parent ID (the folder it resides in) and another set of dates and times referred to as the secondary MAC times which are not displayed to a user. On viewing the File Name attribute you will note the name of the file is ‘Autoruns.csv’.
Additional information…
The creation date and time of both the primary and secondary MAC times must always be identical. If the primary date different to the secondary date creation date is typical of a files dates and times being tampered with. The file will therefore require a closer inspection to determine its provenance.
Introduction to Digital Forensics: Malware Analysis and Investigations
Introduction to Digital Forensics: Malware Analysis and Investigations
Reach your personal and professional goals
Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.
Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.
