| Glossary |
Every attribute in every MFT record has a standard header. The header stores information about the attribute's type, size, name (optional) and whether it is resident, or not.
The size of the attribute depends on two things. Does it have a name? Is it resident? To simplify the tables, all four possibilities will be shown in full (with some values already filled in).
| Offset | Size | Value | Description |
|---|---|---|---|
| 0x00 | 4 | Attribute Type (e.g. 0x10, 0x60) | |
| 0x04 | 4 | Length (including this header) | |
| 0x08 | 1 | 0x00 | Non-resident flag |
| 0x09 | 1 | 0x00 | Name length |
| 0x0A | 2 | 0x00 | Offset to the Name |
| 0x0C | 2 | 0x00 | Flags |
| 0x0E | 2 | Attribute Id (a) | |
| 0x10 | 4 | L | Length of the Attribute |
| 0x14 | 2 | 0x18 | Offset to the Attribute |
| 0x16 | 1 | Indexed flag | |
| 0x17 | 1 | 0x00 | Padding |
| 0x18 | L | The Attribute |
(a) Each attribute has a unique identifier
| Offset | Size | Value | Description |
|---|---|---|---|
| 0x00 | 4 | Attribute Type (e.g. 0x90, 0xB0) | |
| 0x04 | 4 | Length (including this header) | |
| 0x08 | 1 | 0x00 | Non-resident flag |
| 0x09 | 1 | N | Name length |
| 0x0A | 2 | 0x18 | Offset to the Name |
| 0x0C | 2 | 0x00 | Flags |
| 0x0E | 2 | Attribute Id (a) | |
| 0x10 | 4 | L | Length of the Attribute |
| 0x14 | 2 | 2N+0x18 | Offset to the Attribute (b) |
| 0x16 | 1 | Indexed flag | |
| 0x17 | 1 | 0x00 | Padding |
| 0x18 | 2N | Unicode | The Attribute's Name |
| 2N+0x18 | L | The Attribute (b) |
(a) Each attribute has a unique identifier
(b) Rounded up to a multiple of 4 bytes
| Offset | Size | Value | Description |
|---|---|---|---|
| 0x00 | 4 | Attribute Type (e.g. 0x20, 0x80) | |
| 0x04 | 4 | Length (including this header) | |
| 0x08 | 1 | 0x01 | Non-resident flag |
| 0x09 | 1 | 0x00 | Name length |
| 0x0A | 2 | 0x00 | Offset to the Name |
| 0x0C | 2 | Flags | |
| 0x0E | 2 | Attribute Id (a) | |
| 0x10 | 8 | Starting VCN | |
| 0x18 | 8 | Last VCN | |
| 0x20 | 2 | 0x40 | Offset to the Data Runs |
| 0x22 | 2 | Compression Unit Size (b) | |
| 0x24 | 4 | 0x00 | Padding |
| 0x28 | 8 | Allocated size of the attribute (c) | |
| 0x30 | 8 | Real size of the attribute | |
| 0x38 | 8 | Initialized data size of the stream (d) | |
| 0x40 | ... | Data Runs |
(a) Each attribute has a unique identifier
(b) Compression unit size = 2x clusters. 0 implies uncompressed
(c) This is the attribute size rounded up to the cluster size
(d) Compressed data size.
| Offset | Size | Value | Description |
|---|---|---|---|
| 0x00 | 4 | Attribute Type (e.g. 0x80, 0xA0) | |
| 0x04 | 4 | Length (including this header) | |
| 0x08 | 1 | 0x01 | Non-resident flag |
| 0x09 | 1 | N | Name length |
| 0x0A | 2 | 0x40 | Offset to the Name |
| 0x0C | 2 | Flags | |
| 0x0E | 2 | Attribute Id (a) | |
| 0x10 | 8 | Starting VCN | |
| 0x18 | 8 | Last VCN | |
| 0x20 | 2 | 2N+0x40 | Offset to the Data Runs (b) |
| 0x22 | 2 | Compression Unit Size (c) | |
| 0x24 | 4 | 0x00 | Padding |
| 0x28 | 8 | Allocated size of the attribute (d) | |
| 0x30 | 8 | Real size of the attribute | |
| 0x38 | 8 | Initialized data size of the stream (e) | |
| 0x40 | 2N | Unicode | The Attribute's Name |
| 2N+0x40 | ... | Data Runs (b) |
(a) Each attribute has a unique identifier
(b) Rounded up to a multiple of 4 bytes
(c) Compression unit size = 2x clusters. 0 implies uncompressed
(d) This is the attribute size rounded up to the cluster size
(e) Compressed data size.
| Flag | Description |
|---|---|
| 0x0001 | Compressed |
| 0x4000 | Encrypted |
| 0x8000 | Sparse |
Only the data attribute can be compressed, or sparse, and only when it is non-resident.
Although the compression flag is stored in the header, it does not affect the size of the header.
name isn't null terminated
FIXME
0x40 __s64 compressed_size;
Byte size of the attribute value after compression.
Only present when compressed. Always is a multiple of the cluster
size. Represents the actual amount of disk space being used on the disk.
FIXME: The indexed flag only appears in the resident attributes. Does this mean you can only index resident attributes?