Skip main navigation

Attribute 0x30 $FILE_NAME

Article detailing an overview of NT File System $MFT file segment entry (record) attribute 0x30 $FILE_NAME.
© PA Knowledge Ltd | 7Safe Training

Attribute 0x30 $FILE_NAME

The File Name attribute contains the actual file name itself together with the logical size (true size of file) and physical size (size of the file on the file system) of the file.

This attribute is known as a resident attribute meaning that all the relevant file information only resides within the attribute itself.

An example of a File Name attribute is detailed below:

Screenshot of $MFT file segment entry attribute 0x30.

Note this attribute also contains the files parent ID (the folder it resides in) and another set of dates and times referred to as the secondary MAC times which are not displayed to a user. On viewing the File Name attribute you will note the name of the file is ‘Autoruns.csv’.

Additional information…

The creation date and time of both the primary and secondary MAC times must always be identical. If the primary date different to the secondary date creation date is typical of a files dates and times being tampered with. The file will therefore require a closer inspection to determine its provenance.

© PA Knowledge Ltd | 7Safe Training
This article is from the free online

Introduction to Digital Forensics: Malware Analysis and Investigations

Created by
FutureLearn - Learning For Life

Reach your personal and professional goals

Unlock access to hundreds of expert online courses and degrees from top universities and educators to gain accredited qualifications and professional CV-building certificates.

Join over 18 million learners to launch, switch or build upon your career, all at your own pace, across a wide range of topic areas.

Start Learning now