Attribute 0x80 $DATA

Attribute 0x80 $DATA

The purpose of the data attribute is to point to where the content of a file is located.

This attribute can be either a resident attribute or a non-resident attribute. This actually depends on the size of the file content. If the size of the content is small enough it will be stored within the attribute itself otherwise it will be saved out to the file system.

An example of a data attribute is detailed below:

The information about where the file content is located is contained within the attribute header and is referred to as a ‘data run’. The data run indicates the size of the data, it points to the starting cluster and how many clusters are in use.

The attribute body itself does not ordinarily contain any other file related metadata! The exceptions are where data has been saved to the attribute itself (not discussed in this course) or if it contains the name of an alternate data stream.

A named stream or alternate data stream is simply the addition of another data attribute. This additional data stream is differentiated from the default data attribute in that it will have a name (hence the term named stream). In order to access the content of a named stream the stream name needs to be called.

Let’s now attach a named stream called ‘TestStream.txt’ to a copy of the above ‘Autoruns.csv’ file.

It can be seen that there is now another Data attribute present. The name of this additional Data attribute is ‘TestStream.txt’ and contains the textural content “This is ADS data!” Note the textual content in question is contained within the attribute itself.

You will also note that there are 2 File Name attributes present. This is because the file name now exceeds 8 characters. Files with names of 8 characters or less will only have one File Name attribute whereas files with names of more than 8 characters will have 2 File Name attributes. One attribute will contain the short file name also referred to as an 8.3 file name and the other will contain the long file name.

Examples of file naming conventions are detailed below:

Additional information…

A file can have more than 1 named stream. In fact files can have many named streams although the actual number of named streams is not documented by Microsoft. Interestingly the maximum number of attributes an MFT record can hold is 65,536. When additional space is required to store additional attribute information, an attribute called $20 ATTRIBUTE_LIST is added to the entry. This attribute can either be resident or non-resident and essentially points to another MFT record (or records) which stores that additional attribute information. The maximum size of the attribute in question is 256 KB therefore any named stream limitation is determined by how much information can be stored within this attribute. The main limiting factor will therefore be the length of the stream names.

A legacy technical Microsoft blog (although still relevant) on MFT record growth is available here.