
how to interpret FILENAME attribute of NTFS MFT?


I have read the NTFS MFT. Here is the picture (in 4-byte words; the lower address is shown on the left)


The highlighted region is the filename attribute, and below is the attribute format.

typedef struct _NTFS_ATTRIBUTE {
    unsigned int   dwType;          /* attribute type; 0x30 = $FILE_NAME */
    unsigned int   dwFullLength;    /* total length of this attribute record */
    unsigned char  uchNonResFlag;   /* 0 = resident, 1 = non-resident */
    unsigned char  uchNameLength;   /* attribute name length in UTF-16 units */
    unsigned short wNameOffset;     /* offset of the attribute name from record start */
    unsigned short wFlags;
    unsigned short wID;             /* attribute instance id */
    union ATTR {
        struct RESIDENT {
            unsigned int   dwLength;        /* length of the attribute value */
            unsigned short wAttrOffset;     /* offset of the value from record start */
            unsigned char  uchIndexedTag;
            unsigned char  uchPadding;
        } Resident;
        struct NONRESIDENT {
            unsigned long long n64StartVCN;
            unsigned long long n64EndVCN;
            unsigned short     wDatarunOffset;
            unsigned short     wCompressionSize;
            unsigned char      uchPadding[4];
            unsigned long long n64AllocSize;
            unsigned long long n64RealSize;
            unsigned long long n64StreamSize;
        } NonResident;
    } Attr;
} _NTFS_ATTRIBUTE, *P_NTFS_ATTRIBUTE;

The dwType is 0x00000030 (FILENAME), dwFullLength is 0x00000068 as you see. wNameOffset is 0x0018, wID is 0x0003. This is a resident case, and the Resident has dwLength 0x0000004a, wAttrOffset 0x0018, uchIndexedTag 0x01, and uchPadding 0x00. Since the offset is 0x18 from the start of the attribute record, it is shown below.


I don't know how to read this Unicode character string. Is it UTF-16? Is every character 16 bits?


Solution

  • According to
    https://www.mandiant.com/blog/incident-response-ntfs-indx-buffers-part-2-internal-structures-file-attribute/
    the 'file name' attribute has its own structure. According to it, the length of the filename is 4 and the value is "$MFT".
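To make the answer concrete, here is an added C example (not code from the question or the Mandiant post) that parses such a record: it applies the header offsets from the struct in the question and the FILE_NAME body layout, and runs over a constructed record carrying the question's field values. The names ntfs_filename_attr, sample_record and demo_* are my own.

```c
/* Added example, not code from the question or the linked Mandiant post.
 * Parses a resident $FILE_NAME (type 0x30) attribute record using the header
 * offsets from the struct above and the documented FILE_NAME body layout:
 * name length (UTF-16 units) at body offset 64, namespace at 65, UTF-16LE name at 66. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Copies the name into out (code units >= 0x80 become '?'), NUL-terminated.
 * Returns the name length in UTF-16 code units, or -1 for a malformed,
 * non-resident or non-FILE_NAME record. */
int ntfs_filename_attr(const uint8_t *rec, size_t reclen, char *out, size_t outsz)
{
    if (reclen < 24 || rd32(rec) != 0x30 || rec[8] != 0) return -1;
    uint32_t full = rd32(rec + 4);          /* dwFullLength         */
    uint32_t vlen = rd32(rec + 16);         /* Resident.dwLength    */
    uint16_t voff = rd16(rec + 20);         /* Resident.wAttrOffset */
    if (full > reclen || voff + (size_t)vlen > full || vlen < 66) return -1;
    const uint8_t *body = rec + voff;
    unsigned nchars = body[64];
    if (66u + 2u * nchars > vlen || nchars + 1 > outsz) return -1;
    for (unsigned i = 0; i < nchars; i++) {
        uint16_t cu = rd16(body + 66 + 2 * i);  /* little-endian UTF-16 unit */
        out[i] = cu < 0x80 ? (char)cu : '?';
    }
    out[nchars] = '\0';
    return (int)nchars;
}

/* Constructed sample with the header values from the question (type 0x30,
 * full length 0x68, name offset 0x18, id 3, resident value of 0x4a bytes at
 * offset 0x18); timestamps and sizes in the body are left zero. */
static void sample_record(uint8_t rec[104])
{
    static const uint8_t hdr[24] = { 0x30,0,0,0, 0x68,0,0,0, 0,0, 0x18,0, 0,0, 3,0,
                                     0x4a,0,0,0, 0x18,0, 1,0 };
    memset(rec, 0, 104);
    memcpy(rec, hdr, 24);
    rec[24 + 64] = 4;  rec[24 + 65] = 3;            /* 4 chars, Win32+DOS namespace */
    memcpy(rec + 24 + 66, "$\0M\0F\0T\0", 8);       /* "$MFT" as UTF-16LE */
}

static char g_name[16];
int demo_parse(void) { uint8_t r[104]; sample_record(r); return ntfs_filename_attr(r, 104, g_name, sizeof g_name); }
const char *demo_name(void) { return g_name; }
int demo_reject_nonresident(void) { uint8_t r[104]; sample_record(r); r[8] = 1; return ntfs_filename_attr(r, 104, g_name, sizeof g_name); }
```

The 66-byte fixed FILE_NAME header plus 4 UTF-16 code units gives 74 = 0x4a bytes, exactly the dwLength in the question, and 0x18 + 0x4a rounded up to an 8-byte boundary gives 0x68, the dwFullLength.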