The $FILE_NAME Attribute

The $FILE_NAME attribute is a resident attribute identified by the type identifier 0x30 (48 in decimal), which appears on disk as the little-endian byte sequence 30 00 00 00. In the MFT entry examined here it begins at byte offset 144.

$FILE_NAME type ID


Among the data contained in the $FILE_NAME attribute (FNA) for a particular file are a reference to its parent directory record number (which can be used to determine the full path), the file's physical and logical size, its Unicode file name and (like the $STANDARD_INFORMATION attribute) a set of four 64-bit dates and times. It is a repeatable attribute, so a file may carry one instance for its long name and another for its short name. The long name of the file can be up to 255 UTF-16 Unicode characters. The short name is the MS-DOS-readable, 8.3, case-insensitive name for the file.


$FILE_NAME Data Structure

Every file and directory has at least one $FILE_NAME attribute in its MFT entry. In addition, every file and directory has at least one other instance of a $FILE_NAME attribute in the index of its parent directory, although the two instances do not necessarily contain the same data. This post focuses only on the one in the MFT entry. As with all other attributes, the $FILE_NAME attribute has a header and a content.


Attribute Header

At byte offsets 144 to 167 are the details of the Attribute Header.



$FILE_NAME Header Analysis

| Byte Offset | Description | Value |
|---|---|---|
| 144 - 147 | Attribute ID | 0x00 00 00 30 |
| 148 - 151 | Length of Attribute | 0x00 00 00 68 (= 104), i.e. from offset 144 to 247 |
| 152 | Resident/Non-Resident Flag | 0x00 (= Resident) |
| 153 | Length of Name of Attribute | 0x00 (= No name) |
| 154 - 155 | Offset to Start of Attribute Content | 0x00 18 |
| 156 - 157 | Flags | 0x00 00 (= Normal) |
| 158 - 159 | Not yet known | 0x00 03 (= Possible ID) |
| 160 - 163 | Length of Attribute Content | 0x00 00 00 4A (= 74), i.e. from offset 168 to 241 |
| 164 - 165 | Offset to Start of Attribute Content | 0x00 18 (= 24), i.e. 144 + 24 = 168 |
| 166 | Indexed flag | 0x01 (= Indexed) |
| 167 | Padding to 8 byte Boundary | 0x00 |


It should be noted that the length of the attribute content, as revealed by byte offsets 160 - 163, varies from file to file depending on the length of the file name (which will be seen in the next section); the size of 74 bytes is specific to the file under investigation here. This value determines the size of the attribute content, which is discussed next.


Attribute Content

The $FILE_NAME Attribute Content extends from byte offsets 168 to 241.



32 bytes of this Attribute content (byte offset 176 to byte offset 207) refer to four dates and times. The values stored in these bytes are in a format known as a "FILETIME". This is a 64-bit number that represents the number of 100-nanosecond intervals that have elapsed since January 1, 1601 UTC. An examination of the times and dates reported by forensic software reveals the following:




$FILE_NAME Attribute Content

| Byte Offset | Description | Value |
|---|---|---|
| 168 - 175 | Reference to parent directory | 0x00 05 00 00 00 00 00 05. The upper two bytes are the sequence number and the lower six bytes are the MFT entry. Therefore, the parent directory is MFT entry 5, and its sequence is 5, which is the entry for the root directory. |
| 176 - 183 | Creation Date and Time | Wed, 22 July 2009 16:16:41 UTC |
| 184 - 191 | Last Modified Date and Time | Wed, 22 July 2009 16:16:41 UTC |
| 192 - 199 | Last MFT Record Change Date and Time | Wed, 22 July 2009 16:16:41 UTC |
| 200 - 207 | Last Access Date and Time | Wed, 22 July 2009 16:16:41 UTC |
| 208 - 215 | "Physical" Size of File | 0x00 00 00 00 00 00 40 00 (= 16384 bytes) |
| 216 - 223 | "Logical" Size of File | 0x00 00 00 00 00 00 40 00 (= 16384 bytes) |
| 224 - 227 | Flags | 0x06 00 00 00 (= Hidden and System) |
| 228 - 231 | Extended Attributes and Reparse Points | 0x00 00 00 00 |
| 232 | Length of File Name in Characters | 0x04 (= 4) |
| 233 | Type of File Name (or Namespace) | 0x03 (= Win32 & DOS) |
| 234 - 241 | File Name (Variable length) | $MFT |


As can be seen, byte offsets 234 to 241 contain the file name, the character length of which (4) is given in byte 232. This file name field, of value here ($MFT), has to be of variable length in order to permit the use of long file names. The six bytes from offset 242 - 247 are padding that has been added to ensure that the next Attribute starts on an 8-byte boundary.
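The two tables above can be checked mechanically. The following Python is an added example written for this post, not code from the original author or from any forensic tool: it parses a resident $FILE_NAME attribute (header and content) with `struct`, converts the FILETIME stamps, splits the parent reference into entry and sequence number, and rebuilds the $MFT example from the tables as sample bytes so the parser can be run offline. Field names in the header follow the standard resident-attribute layout, in which the 16-bit value at +0x0A is the offset to the attribute name (24 even when the name length is 0) and the value at +0x0E is the attribute instance ID; the `build_sample_attribute` data are constructed from the page's values and are not a disk dump.

```python
import struct
from datetime import datetime, timedelta, timezone

# $FILE_NAME attribute type identifier (0x30), stored little-endian as 30 00 00 00
ATTR_FILE_NAME = 0x30

# FILETIME values count 100-nanosecond ticks since 1601-01-01 00:00:00 UTC
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32 & DOS"}

# Subset of the $FILE_NAME flag bits relevant to the example ($MFT is Hidden | System)
FILE_FLAGS = {0x0001: "Read-only", 0x0002: "Hidden", 0x0004: "System", 0x0020: "Archive"}


def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME to a UTC datetime (sub-microsecond ticks are dropped)."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to construct the sample data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_flags(flags):
    return [name for bit, name in FILE_FLAGS.items() if flags & bit]


def parse_file_name_attribute(buf, offset=0):
    """Parse one resident $FILE_NAME attribute starting at buf[offset].

    Offsets in the comments are relative to the attribute start (144 in the
    page's example, so the content at +0x18 sits at byte 168 there).
    """
    # Attribute header, 24 bytes (standard resident-attribute layout)
    (attr_type, attr_len, non_resident, name_len, name_off, hdr_flags, attr_id,
     content_len, content_off, indexed, _pad) = struct.unpack_from("<IIBBHHHIHBB", buf, offset)
    if attr_type != ATTR_FILE_NAME:
        raise ValueError(f"not a $FILE_NAME attribute: type 0x{attr_type:X}")
    if non_resident:
        raise ValueError("$FILE_NAME is always resident; non-resident flag set")
    if content_off + content_len > attr_len:
        raise ValueError("content extends past the attribute length")

    # Attribute content: 66 fixed bytes followed by the UTF-16LE file name
    c = offset + content_off
    (parent_ref, created, modified, mft_changed, accessed, alloc_size, real_size,
     file_flags, ea_reparse, fn_len, namespace) = struct.unpack_from("<QQQQQQQIIBB", buf, c)
    name_bytes = buf[c + 66 : c + 66 + fn_len * 2]
    if len(name_bytes) != fn_len * 2:
        raise ValueError("file name truncated")

    return {
        "attribute_length": attr_len,
        "attribute_id": attr_id,
        "content_offset": content_off,
        "content_length": content_len,
        "padding": attr_len - (content_off + content_len),   # bytes up to the 8-byte boundary
        "indexed": bool(indexed),
        # Parent reference: low 48 bits = MFT entry number, high 16 bits = sequence number
        "parent_entry": parent_ref & 0xFFFFFFFFFFFF,
        "parent_sequence": parent_ref >> 48,
        "created": filetime_to_datetime(created),
        "modified": filetime_to_datetime(modified),
        "mft_changed": filetime_to_datetime(mft_changed),
        "accessed": filetime_to_datetime(accessed),
        "allocated_size": alloc_size,   # "physical" size
        "real_size": real_size,         # "logical" size
        "flags": decode_flags(file_flags),
        "namespace": NAMESPACES.get(namespace, f"unknown ({namespace})"),
        "name": name_bytes.decode("utf-16-le"),
    }


def build_sample_attribute():
    """Construct the $MFT example from the tables above (sample bytes built here, not a disk dump)."""
    ts = datetime_to_filetime(datetime(2009, 7, 22, 16, 16, 41, tzinfo=timezone.utc))
    name = "$MFT".encode("utf-16-le")
    content = struct.pack("<QQQQQQQIIBB",
                          (5 << 48) | 5,        # parent = MFT entry 5 (root directory), sequence 5
                          ts, ts, ts, ts,       # four identical FILETIME stamps
                          0x4000, 0x4000,       # allocated and real size, 16384 bytes
                          0x06,                 # Hidden | System
                          0,                    # no EA / reparse data
                          len(name) // 2, 3) + name   # 4 characters, namespace 3 (Win32 & DOS)
    header = struct.pack("<IIBBHHHIHBB",
                         ATTR_FILE_NAME, 104, 0, 0, 24, 0, 3,   # type, length, resident, no name, id 3
                         len(content), 24, 1, 0)                # 74 content bytes at +24, indexed
    body = header + content
    return body + b"\x00" * (-len(body) % 8)   # 6 bytes of padding to the 8-byte boundary


if __name__ == "__main__":
    for key, value in parse_file_name_attribute(build_sample_attribute()).items():
        print(f"{key:>17}: {value}")
```

Running the script prints the same values as the tables (entry 5 / sequence 5, the four 2009-07-22 timestamps, 16384 bytes, Hidden and System, namespace Win32 & DOS, name $MFT, 6 bytes of padding). To parse a real record, pass the raw MFT entry and the attribute's start offset, e.g. `parse_file_name_attribute(entry, 144)` for the entry examined in this post.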


The namespace byte identifies what rules the name follows. Its values are given below.


| Namespace Value | Description |
|---|---|
| 0 | POSIX: The name is case sensitive and allows all Unicode characters except for '/' and NULL. |
| 1 | Win32: The name is case insensitive and allows most Unicode characters except for special values such as '/', '\', ':', '>', '<', and '?'. |
| 2 | DOS: The name is case insensitive, upper case, and no special characters. The name must have eight or fewer characters in the name and three or fewer in the extension. |
| 3 | Win32 & DOS: Used when the original name already fits in the DOS namespace and two names are not needed. |


Of the four categories shown in the table above, the most general is POSIX, with value 0x00; this permits use of all Unicode characters and allows a file name length of up to 255 characters. Win32, with value 0x01, is a subset of POSIX and prohibits use of a small number of Unicode characters. It is equivalent to the FAT Long File Name (LFN). DOS, with value 0x02, is a subset of Win32; it permits only single-byte upper-case characters, prohibits use of a small number of these, and requires file names to be constrained within the standard DOS 8.3 format.


It should be noted that, for compatibility with other systems, it may be necessary to record both the Win32 file name and a DOS-compliant file name in two separate $FILE_NAME attributes. However, where the Win32 file name is itself DOS-compliant, this is not necessary and the name need only be recorded once. The final category, Win32 & DOS, of value 0x03, is used to signal this situation: that the file name is both Win32- and DOS-compliant.
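The decision described in the last two paragraphs (one $FILE_NAME with namespace 3, or a Win32 plus a DOS instance) can be expressed as a small set of checks, which is also useful in the other direction: a parsed attribute whose namespace byte claims DOS compliance for a name that breaks the 8.3 rules is worth a second look during an examination. The following Python is an added example for this post, not NTFS's own short-name logic. The Win32 reserved set extends the page's list with '*', '"' and '|'; the punctuation accepted in an 8.3 name (`DOS_SPECIALS`) is an assumption of this example, since the page only says "no special characters".

```python
# Win32 reserved characters: the page lists '/', '\', ':', '>', '<' and '?';
# the full set also includes '*', '"' and '|'
WIN32_RESERVED = set('\\/:*?"<>|')

# Punctuation accepted in an 8.3 name besides letters and digits.
# Assumption of this example; the page only states "no special characters".
DOS_SPECIALS = set("!#$%&'()-@^_`{}~")


def is_win32_name(name):
    """Win32 namespace: 1..255 characters, no NUL, none of the reserved characters."""
    return 0 < len(name) <= 255 and "\x00" not in name and not (set(name) & WIN32_RESERVED)


def is_dos_compliant(name):
    """True if the name already satisfies the DOS rules as the page states them:
    single-byte characters, upper case, no special characters, at most eight
    characters before the dot and three after it."""
    if not is_win32_name(name) or not name.isascii() or name != name.upper():
        return False
    base, dot, ext = name.partition(".")
    if not 1 <= len(base) <= 8 or len(ext) > 3 or (dot and not ext) or "." in ext:
        return False
    return all(ch.isalnum() or ch in DOS_SPECIALS for ch in base + ext)


def expected_namespaces(win32_name):
    """Namespace values (from the table above) of the $FILE_NAME attributes a file needs.

    A name that already fits the DOS rules is stored once as 3 (Win32 & DOS);
    otherwise the long name is stored as 1 (Win32) and a short name as 2 (DOS).
    """
    if not is_win32_name(win32_name):
        raise ValueError(f"{win32_name!r} is not a valid Win32 name")
    return [3] if is_dos_compliant(win32_name) else [1, 2]


def check_namespace_consistency(name, namespace):
    """Return a finding when a parsed name does not satisfy the namespace it claims, else None."""
    if namespace in (2, 3) and not is_dos_compliant(name):
        return f"namespace {namespace} claims DOS compliance but {name!r} breaks the 8.3 rules"
    if namespace == 1 and not is_win32_name(name):
        return f"namespace 1 but {name!r} contains Win32-reserved characters"
    return None


if __name__ == "__main__":
    # Constructed sample names: the page's $MFT plus a few typical long names
    for sample in ("$MFT", "README.TXT", "Program Files", "DOCUMENT.HTML"):
        print(f"{sample!r:18} -> namespaces {expected_namespaces(sample)}")
    print(check_namespace_consistency("Program Files", 3))
```

For $MFT the checks agree with the table: the name is upper case, four single-byte characters and free of special characters, so a single attribute with namespace 3 suffices, whereas a name such as "Program Files" needs a Win32 instance and a separate DOS instance.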


In summary, this attribute contains many values that are duplicated with the $STANDARD_INFORMATION attribute. The new values are the name of the file and the address of the parent directory, which can be used to determine the full path.
