|
File attribute record
Each record in the file is composed of attributes. Each property constituted by the same format, the first is a standard attribute of the recording head, and then store the property-specific data. Listed below are available to the property $ AttrDef defined.
|
Type
|
Operating system
|
Description
|
|
0x10
|
|
STANDARD_INFORMATION
|
|
0x20
|
|
ATTRIBUTE_LIST
|
|
0x30
|
|
FILE_NAME
|
|
0x40
|
NT
|
VOLUME_VERSION
|
|
0x40
|
2K
|
OBJECT_ID
|
|
0x50
|
|
SECURITY_DESCRIPTOR
|
|
0x60
|
|
VOLUME_NAME
|
|
0x70
|
|
VOLUME_INFORMATION
|
|
0x80
|
|
DATA
|
|
0x90
|
|
INDEX_ROOT
|
|
0xA0
|
|
INDEX_ALLOCATION
|
|
0xB0
|
|
BITMAP
|
|
0xC0
|
NT
|
SYMBOL_LINK
|
|
0xC0
|
2K
|
REPARSE_POINT
|
|
0xD0
|
|
EA_INFORMATION
|
|
0xE0
|
|
EA
|
|
0xF0
|
NT
|
PROPERTY_SET
|
|
0x100
|
2K
|
LOGGED_UNTILITY_STREAM
|
Each MFT record has a property attribute recording head, the head of the recording of the type of property, the name (optional), there are two formats:
1. Resident property
|
Name
|
Offset
|
Size
|
Explanation
|
|
ATTR_Type
|
0x00
|
4
|
Property type. The value must be a list of attributes defined in the file $ AttrDef in a
|
|
ATTR_Size
|
0x04
|
4
|
Record size (including the recording head)
|
|
ATTR_NonResFlag
|
0x08
|
1
|
Non-resident property data flag is 0, the presence of property can not be compressed
|
|
ATTR_NamSz
|
0x09
|
1
|
Attribute name size, the value of 0 indicates that the current property no name
|
|
ATTR_NamOff
|
0x0a
|
2
|
Attribute names the head relative to the offset property, the value is always fixed at 0x18
|
|
ATTR_Flags
|
0x0c
|
2
|
Attribute flags in the current version only supports the following three flags:
0x4000 attribute is encrypted
0x8000 sparse property
Note: Data (Data) Only non-resident property can be compressed
|
|
ATTR_Id
|
0x0d
|
2
|
Attribute ID, each attribute in the MFT record has a unique ID. Corresponds to the MFT FR_NxtAttrId
|
|
ATTR_DatSz
|
0x10
|
4
|
Property Data Dimensions
|
|
ATTR_DatOff
|
0x14
|
2
|
Attribute data relative to the offset property head
|
|
ATTR_Indx
|
0x16
|
1
|
Property index mark (valid for FILE_NAME)
|
|
ATTR_Resvd
|
0x17
|
1
|
Retention
|
|
ATTR_AttrNam
|
0x18
|
2 * N
|
Attribute names Unicode string that do not add 0 at the end of
|
|
ATTR_AttrDat
|
0x18+2*N
|
|
Attribute data, so the data should be double-word aligned
(As part of the permanent attributes of the entity)
|
|
