MFT Standard attribute data structure for the NTFS file system

Source: Internet
Author: User

The standard property of the MFT is the 0x10 property, which is a resident property. Because the type value of the Standard property is 0x10, the standard attribute is always the first property of the file or directory.

This standard property contains time-date attributes, divided into creation time, modification time, MFT change time, and last access time of the file. This standard property can also indicate whether a file is read-only, whether it is a system file, a compression, or a cryptographic property. The following table is the data structure of the standard attribute body

Offset byte (16 binary) Describe
00-07 Creation time
08-0f Last Modified Time
10-17 MFT Change Time
18-1f Last file access time
20-23

Sign

0x01: Read only; 0x02: hidden; 0x04: System;

0x20: archive; 0x40: equipment; 0x80: General;

0x100: temporary; 0x200: sparse; 0x400: reparse point;

0x800: Compress; 0x1000: Offline; 0x4000: Encryption

24-27 Maximum version number
28-2b Version number
2c-2f Category ID
30-47 No meaning

is the standard attribute seen by the MFT in the Winhex

650) this.width=650; "src=" Http://s1.51cto.com/wyfs02/M02/83/F9/wKiom1eCOqOSzY5fAAdWKMZ2Ruw141.jpg "title=" Standard properties. jpg "alt=" wkiom1ecoqoszy5faadwkmz2ruw141.jpg "/>

You can see that the standard attribute is a resident property, and the data structure of its property header is described in the previous chapters.

Attribute Head Split

0X00-0X03 10 00 00 00: Attribute type is 0x10 description is a standard property

0X04-0X07 60 00 00 00: Indicates that the standard attribute has 0x60 bytes, which is 90 bytes

0x08-0x08 00:00 indicates that this property is a resident property

0x09-0x09 00: Indicates a property name length of 0, which means that there is no property name

0x0a-0x0b 18 00: Indicates the attribute property name length, which is meaningless because it was previously known that there is no property name.

0x0c-0x0d 00 00: Indicates no special attributes

0x0e-0x0f 00 00: Attribute ID

0x10-0x13 48 00 00 00: Indicates that the size of the property body is 0x48 bytes

0x14-0x15 18 00: Indicates that the property header size is 0x18 bytes

Here is the part of the property body, starting with the 0x18 offset

0x18-0x1f:49 BF CE D1 01 file creation time

0x20-0x27:49 BF CE D1 01 Last modified

0x28-0x2f:49 BF, CE, D1, MFT change time

0x30-0x37:49 BF CE D1 01 last access time

0x38-0x3b:06 00 00 00 Flag

0x3c-3f:00 00 00 00 Maximum Version number

0x40-0x43:00 00 00 00 Version Number

0x44-0x47:00 00 00 00 Category ID


MFT Standard attribute data structure for the NTFS file system

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.