Attribute: resident unnamed
offset length description
Attribut: non-resident without name
offset |
length |
description |
offset |
length |
description |
22 |
6 |
2 byte compression and 4 byte padding |
Attribut: resident with name
offset length description
Attribut: non-resident with Name
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
offset |
|
length |
description |
|||||||||||||
0 |
|
4 |
|
|
Type (0x10, 0x30..) |
|||||||||||
4 |
|
4 |
|
|
Length of the attribute |
|||||||||||
8 |
|
1 |
|
|
non-resident Flag (0x00 |
|
resident; 0x01 non-resident) |
|||||||||
|
|
|||||||||||||||
9 |
1 |
|
|
Length of name (0x00 if no name-rule) |
||||||||||||
A |
2 |
|
|
Offset to the name (if no name = offset to the data portion) |
||||||||||||
C |
2 |
|
|
Compress Flag |
||||||||||||
E |
2 |
|
|
Identificator |
||||||||||||
offset |
|
length |
description |
|||||||||||||
10 |
8 |
|
|
Start VCN |
||||||||||||
18 |
8 |
|
|
Last VCN |
||||||||||||
20 |
2 |
|
|
Offset to DataRun |
||||||||||||
22 |
2 |
|
|
Compression |
||||||||||||
28 |
8 |
|
|
Physical size = multiple of the cluster size |
||||||||||||
30 |
8 |
|
|
Actual size |
||||||||||||
38 |
8 |
|
|
Actual Size, or uninitialized size |
||||||||||||
Standard Information Attribute
•Every MFT record contains a Standard Information Attribute
•It is always resident and has the identifier 10 00 00 00
•Within the attribute there are four date/time stamps, DOS file attributes, Owner and Security IDs
•The date/time stamps are in Windows 64 bit FILETIME format and are stored as UTC
37
Standard Information Attribute
Stream |
Size |
Description |
Offset |
(bytes) |
|
00 |
8 |
File Created Date/TimeStamp |
08 |
8 |
File Modified (Last Written) Date/TimeStamp |
16 |
8 |
Entry Modified Date/TimeStamp |
24 |
8 |
Last Accessed Date/TimeStamp |
32 |
4 |
DOS File Attributes |
36 |
4 |
Maximum Number of Versions- disabled 00 00 00 00 |
40 |
4 |
Version Number |
44 |
4 |
Class ID |
48 |
4 |
Owner ID |
52 |
4 |
Security ID |
56 |
8 |
Quota Data Size |
64 |
8 |
Update Sequence Number |
38
Standard Information Attribute
DOS Attributes
Flag |
Description |
01 00 00 00 |
Read Only |
02 00 00 00 |
Hidden |
04 00 00 00 |
System |
10 00 00 00 |
Directory |
20 00 00 00 |
Archive |
40 00 00 00 |
Device |
80 00 00 00 |
Normal |
Flag |
Description |
00 01 00 00 |
Temporary |
00 02 00 00 |
Sparse File |
00 04 00 00 |
Reparse Point |
00 08 00 00 |
Compressed |
00 10 00 00 |
Offline |
00 20 00 00 |
Not Content Indexed |
00 40 00 00 |
Encrypted |
39
Standard information attributes always resident
Attribut-Type (Std.) |
length of Attr. |
|
non-resident Flag |
Offset to the data |
|
portion |
||
|
Standard information attributes |
always resident |
Times UTC |
Flags |
Filename Attribute
•Every MFT record contains a Filename Attribute
•It is always resident and has the identifier 30 00 00 00
•Within the attribute there are four date/time stamps, DOS file attributes and the filename of course!
•NTFS supports filenames of up to 255 symbols
•A file may have more than one filename e.g. a file may have a DOS compliant 8.3 style short filename
•Short filenames are stored as another Filename Attribute within the MFT record
42
|
|
Filename Attribute |
Stream |
Size |
Description |
Offset |
(bytes) |
|
00 |
6 |
Parent Directory Reference (File Ref. No. of Parent Directory) |
06 |
2 |
Sequence Number (from Parent MFT Record Header) |
08 |
8 |
File Created Date/Time Stamp |
16 |
8 |
File Modified (Last Written) Date/Time Stamp |
24 |
8 |
Entry Modified Date/Time Stamp |
32 |
8 |
Last Accessed Date/Time Stamp |
40 |
8 |
Physical File Size |
48 |
8 |
Logical File Size |
56 |
4 |
DOS File Attributes |
60 |
4 |
Extended Attributes/Reparse |
64 |
1 |
Number of symbols in filename |
65 |
1 |
Namespace Type (00-Posix 01-Win32 02-DOS Short File Name |
03-Win32/Dos are the same and only one Filename Attribute needed) |
||
66 |
L |
Filename (Unicode) |
43