10 00 00 00
or 16 (in decimal) at byte offset 48 and contains basic metadata about a file or directory. It exists in every file and directory. Microsoft sorts the attributes in an MFT entry, and this one is always first in the entry because it has the lowest type ID (16).

Figure 1: The $STANDARD_INFORMATION Type ID

As defined in the $AttrDef file, this attribute has a minimum size of 48 bytes and a maximum of 72 bytes (see the table below).
$AttrDef Attribute Values

| Attribute | Type ID | Size (bytes) | Flags |
|---|---|---|---|
| $STANDARD_INFORMATION | 16 | 48 - 72 | Resident |
| $ATTRIBUTE_LIST | 32 | No Limit | Non-resident |
| $FILE_NAME | 48 | 68 - 578 | Resident, Index |
| $OBJECT_ID | 64 | 0 - 256 | Resident |
| $SECURITY_DESCRIPTOR | 80 | No Limit | Non-resident |
| $VOLUME_NAME | 96 | 2 - 256 | Resident |
| $VOLUME_INFORMATION | 112 | 12 - 12 | Resident |
| $DATA | 128 | No Limit | - |
| $INDEX_ROOT | 144 | No Limit | Resident |
| $INDEX_ALLOCATION | 160 | No Limit | Non-resident |
| $BITMAP | 176 | No Limit | Non-resident |
| $REPARSE_POINT | 192 | 0 - 16384 | Non-resident |
| $EA_INFORMATION | 208 | 8 - 8 | Resident |
| $EA | 224 | 0 - 65536 | - |
| $LOGGED_UTILITY_STREAM | 256 | 0 - 65536 | Non-resident |
Data Structure of the $STANDARD_INFORMATION Attribute

As with all attributes, the $STANDARD_INFORMATION attribute starts with an attribute header.

$STANDARD_INFORMATION Attribute Header

Byte offsets 48 to 71 hold the attribute header, as depicted in the figure below.

Figure 2: The $STANDARD_INFORMATION attribute header

The fields of the attribute header are listed in the table below.
$STANDARD_INFORMATION Attribute Header Analysis

| Byte Offset | Description | Value |
|---|---|---|
| 48 - 51 | Attribute Type ID | 0x00 00 00 10 (= 16) |
| 52 - 55 | Length of Attribute | 0x00 00 00 60 (= 96 bytes), i.e. from offset 48 to 143 |
| 56 | Resident/Non-Resident flag | 0x00 (= Resident) |
| 57 | Length of name of attribute | 0x00 (= No name) |
| 60 - 61 | Flags | 0x00 00 (= Normal) |
| 64 - 67 | Length of Attribute content | 0x00 00 00 48 (= 72 bytes), i.e. from offset 72 to 143 |
| 68 - 69 | Offset to start of attribute content | 0x00 18 (= 24). Since the start offset of this attribute is 48, the attribute content starts at offset 48 + 24 = 72. A quick check also shows that the 24-byte offset and the 72-byte content length add up to 96 bytes, which is the reported length of the attribute. |
| 70 | Indexed flag | 0x00 (= Not indexed) |
| 71 | Padding to 8-byte boundary | 0x00 |
$STANDARD_INFORMATION Attribute Content

The $STANDARD_INFORMATION attribute content extends from byte offset 72 to 143, as shown below.

Figure 3: The $STANDARD_INFORMATION attribute content

The first 32 bytes of this attribute content (byte offsets 72 to 103) hold four dates and times. The values stored in these bytes are in a format known as a FILETIME: a 64-bit number that represents the number of 100-nanosecond intervals that have elapsed since January 1, 1601 UTC. An examination of the times and dates reported by forensic software reveals the following:

Figure 4: Decoded $STANDARD_INFORMATION timestamp

The fields of the attribute content are listed in the table below.
$STANDARD_INFORMATION Attribute Content Analysis

| Byte Offset | Description | Value |
|---|---|---|
| 72 - 79 | Creation Date and Time - the time that the file was created | Mon, 15 March 2004 23:30:11 UTC |
| 80 - 87 | Last Modified Date and Time - the time that the content of the $DATA or $INDEX attributes was last modified | Mon, 15 March 2004 23:30:11 UTC |
| 88 - 95 | Last MFT Record Change Date and Time - the time that the metadata of the file was last modified. Note that this value is not shown in Windows when you select the properties of a file. | Mon, 15 March 2004 23:30:11 UTC |
| 96 - 103 | Last Access Date and Time - the time that the content of the file was last accessed | Mon, 15 March 2004 23:30:11 UTC |
| 104 - 107 | File Permission | 0x06 00 00 00 (= Hidden + System) |
| 108 - 111 | Maximum Number of Versions | 0x00 00 00 00 (= disabled) |
| 112 - 119 | Version Number and Class ID | 0x00 00 00 00 00 00 00 00 |
| 120 - 123 | Owner ID | 0x00 00 00 00 |
| 124 - 127 | Security ID | 0x00 00 00 01 |
| 128 - 135 | Quota charged | 0x00 00 00 00 00 00 00 00 |
| 136 - 143 | Update Sequence Number | 0x00 00 00 00 00 00 00 00 |
The ID values are used for either application-level features or security. The Security ID value is an index into the $Secure file, not the Windows SID value. The flag values are given below.
Flag values for the $STANDARD_INFORMATION attribute

| Flag Value | Description |
|---|---|
| 01 00 00 00 | Read only |
| 02 00 00 00 | Hidden |
| 04 00 00 00 | System |
| 20 00 00 00 | Archive |
| 40 00 00 00 | Device |
| 80 00 00 00 | Normal |
| 00 01 00 00 | Temporary |
| 00 02 00 00 | Sparse File |
| 00 04 00 00 | Reparse Point |
| 00 08 00 00 | Compressed |
| 00 10 00 00 | Offline |
| 00 20 00 00 | Not Content Indexed |
| 00 40 00 00 | Encrypted |
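As an added example (not code from this page or from any NTFS tool), the following Python parses a resident $STANDARD_INFORMATION attribute laid out as in the header and content tables above, decodes the four FILETIME fields and the permission flags from the flag table, and rejects a truncated attribute or a content size outside the $AttrDef range of 48 to 72 bytes. The sample bytes are constructed to reproduce the page's values; the name-offset (0x18) and attribute-instance-ID (0) header fields, which the header table above does not list, are assumptions.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Flag bits from the table above; the dump "01 00 00 00" is a little-endian DWORD, i.e. 0x0001.
SI_FLAGS = {
    0x0001: "Read only", 0x0002: "Hidden", 0x0004: "System", 0x0020: "Archive",
    0x0040: "Device", 0x0080: "Normal", 0x0100: "Temporary", 0x0200: "Sparse File",
    0x0400: "Reparse Point", 0x0800: "Compressed", 0x1000: "Offline",
    0x2000: "Not Content Indexed", 0x4000: "Encrypted",
}

def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC; datetime keeps microseconds, so the last digit is dropped."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def decode_flags(value):
    return [name for bit, name in SI_FLAGS.items() if value & bit]

def parse_standard_information(attr):
    """Parse one unnamed resident $STANDARD_INFORMATION attribute (header + content) from bytes."""
    type_id, length, non_res, name_len = struct.unpack_from("<IIBB", attr, 0)
    if type_id != 0x10 or non_res != 0 or name_len != 0 or length > len(attr):
        raise ValueError("not an unnamed resident $STANDARD_INFORMATION attribute, or truncated")
    content_size, content_off = struct.unpack_from("<IH", attr, 16)   # resident-header fields
    if not 48 <= content_size <= 72 or content_off + content_size > length:
        raise ValueError("content size outside the $AttrDef 48..72 byte range or past the attribute")
    c = attr[content_off:content_off + content_size]
    created, modified, mft_changed, accessed, perm, max_ver, ver, class_id = struct.unpack_from("<4Q4I", c)
    info = {"created": filetime_to_datetime(created), "modified": filetime_to_datetime(modified),
            "mft_changed": filetime_to_datetime(mft_changed), "accessed": filetime_to_datetime(accessed),
            "flags": decode_flags(perm), "max_versions": max_ver, "version": ver, "class_id": class_id}
    if content_size >= 72:   # the trailing four fields exist only in the 72-byte form
        owner, sec_id, quota, usn = struct.unpack_from("<IIQQ", c, 48)
        info.update(owner_id=owner, security_id=sec_id, quota_charged=quota, usn=usn)
    return info

def make_sample(extended=True):
    """Constructed attribute reproducing the page's values; not copied from a real disk image."""
    ft = datetime_to_filetime(datetime(2004, 3, 15, 23, 30, 11, tzinfo=timezone.utc))
    content = struct.pack("<4Q4I", ft, ft, ft, ft, 0x06, 0, 0, 0)          # 0x06 = Hidden + System
    if extended:
        content += struct.pack("<IIQQ", 0, 1, 0, 0)                        # owner 0, security ID 1
    # type, length, non-resident, name len, name offset (assumed 0x18), flags, instance ID (assumed 0),
    # content size, content offset 0x18, indexed flag, padding
    header = struct.pack("<IIBBHHHIHBB", 0x10, 24 + len(content), 0, 0, 0x18, 0, 0,
                         len(content), 0x18, 0, 0)
    return header + content
```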
In summary, this attribute contains many interesting pieces of metadata, but none are essential for the file system. The primary date and time information and other identifiers are stored here, but it is up to the OS when the times are updated and whether it uses the identifiers. Note that this attribute exists for all files and directories, but it may not exist in non-base MFT entries.