
I have read the NTFS MFT. Here is the picture (in 4-byte words; the lower address is shown to the left).

[image: hex dump of the MFT record]

The highlighted region is the filename attribute, and below is the attribute format.

typedef struct _NTFS_ATTRIBUTE {
    unsigned int   dwType;          /* 0x00: attribute type, 0x30 = $FILE_NAME */
    unsigned int   dwFullLength;    /* 0x04: length of the whole attribute record */
    unsigned char  uchNonResFlag;   /* 0x08: 0 = resident, 1 = non-resident */
    unsigned char  uchNameLength;   /* 0x09: attribute name length, UTF-16 units */
    unsigned short wNameOffset;     /* 0x0A: offset of the attribute name */
    unsigned short wFlags;          /* 0x0C */
    unsigned short wID;             /* 0x0E: attribute instance id */
    union ATTR {
        struct RESIDENT {
            unsigned int   dwLength;        /* 0x10: length of the attribute value */
            unsigned short wAttrOffset;     /* 0x14: value offset from record start */
            unsigned char  uchIndexedTag;   /* 0x16 */
            unsigned char  uchPadding;      /* 0x17; resident header ends at 0x18 */
        } Resident;
        struct NONRESIDENT {
            unsigned long long n64StartVCN;         /* 0x10 */
            unsigned long long n64EndVCN;           /* 0x18 */
            unsigned short     wDatarunOffset;      /* 0x20 */
            unsigned short     wCompressionSize;    /* 0x22 */
            unsigned char      uchPadding[4];       /* 0x24 */
            unsigned long long n64AllocSize;        /* 0x28 */
            unsigned long long n64RealSize;         /* 0x30 */
            unsigned long long n64StreamSize;       /* 0x38 */
        } NonResident;
    } Attr;
} _NTFS_ATTRIBUTE, *P_NTFS_ATTRIBUTE;

The dwType is 0x00000030 (FILENAME), dwFullLength is 0x00000068 as you see, wNameOffset is 0x0018, and wID is 0x0003. This is a resident case, and the Resident part has dwLength 0x0000004a, wAttrOffset 0x0018, uchIndexedTag 0x01, and uchPadding 0x00. Since the offset is 0x18 from the start of the attribute record, it is shown below.

[image: hex dump of the filename attribute value at offset 0x18]

I don't know how to read this Unicode character string. Is it UTF-16? Is every character 16 bits?

0xC0000022L
Chan Kim

2 Answers


It looks like it is UTF-16, according to the Windows Internals book. I looked it up online and everything suggests that it is UTF-16, and while the Internals book doesn't make it explicitly clear, it does say Unicode (and specifies non-Unicode for the FAT FS), which in the Microsoft world implies UTF-16.

While I'm not 100% certain, if it is a 32-bit or higher system I would say UTF-16 is a safe bet.

To answer the last part: yes, Unicode is 2-byte or 16-bit characters.

tophallen
  • Oh, I just found the answer. It was 2-byte code, but I didn't know there is another format for the file name attribute. – Chan Kim Nov 20 '14 at 11:29
  • Unicode is not 2-byte. Unicode is a standard and has several encodings. Not even UTF-16 is able to encode all code points in a single 16-bit unit. UCS-2, the older subset of UTF-16 used by older Windows versions (pre-XP), was fully 2-byte, though. And Microsoft *calls* that Unicode (and yes, it is *one* of several Unicode encodings). It's very annoying to see this wrong terminology perpetuated on a Q&A site, though. – 0xC0000022L Aug 01 '15 at 16:07

According to
https://www.mandiant.com/blog/incident-response-ntfs-indx-buffers-part-2-internal-structures-file-attribute/
the 'file name' attribute has its own structure. According to it, the length of the filename is 4 and the value is "$MFT".

Chan Kim
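A worked parse of such a record, as an added example that is not part of the question or either answer: it applies the attribute header struct quoted in the question and the standard $FILE_NAME value layout (66 fixed bytes, then the name as UTF-16LE) to a constructed byte string that reuses the header values the question reports (type 0x30, full length 0x68, value length 0x4A at offset 0x18, id 3). The timestamps, sizes, flags and namespace byte in the sample are made up, and the bounds checks are my own additions.

```python
import struct

ATTR_FILE_NAME = 0x30  # dwType of the $FILE_NAME attribute

# Attribute header from the question's struct (resident form), little-endian:
# dwType, dwFullLength, uchNonResFlag, uchNameLength, wNameOffset, wFlags, wID,
# then Resident.dwLength, wAttrOffset, uchIndexedTag, uchPadding -> 24 bytes (0x18)
HEADER = struct.Struct("<IIBBHHHIHBB")

# Fixed part of the $FILE_NAME value: parent reference, four FILETIME stamps,
# allocated size, real size, flags, reparse value, name length (UTF-16 units),
# namespace byte -> 66 bytes; the name itself follows as UTF-16LE
FILE_NAME_FIXED = struct.Struct("<Q4QQQIIBB")

def parse_resident_file_name(attr: bytes) -> dict:
    """Decode one resident $FILE_NAME attribute record; ValueError if malformed."""
    if len(attr) < HEADER.size:
        raise ValueError("record shorter than the attribute header")
    (typ, full_len, nonres, _name_len, _name_off, _flags, attr_id,
     val_len, val_off, indexed, _pad) = HEADER.unpack_from(attr, 0)
    if typ != ATTR_FILE_NAME:
        raise ValueError(f"not a $FILE_NAME attribute: type 0x{typ:x}")
    if nonres:
        raise ValueError("$FILE_NAME is always resident")
    # Bounds checks: a corrupt record must never make us read outside the buffer
    if full_len > len(attr) or val_off + val_len > full_len or val_len < FILE_NAME_FIXED.size:
        raise ValueError("resident value does not fit inside the attribute record")
    value = attr[val_off:val_off + val_len]
    fields = FILE_NAME_FIXED.unpack_from(value, 0)
    fn_len, namespace = fields[-2], fields[-1]
    start = FILE_NAME_FIXED.size
    name_bytes = value[start:start + 2 * fn_len]  # every UTF-16 code unit is 2 bytes
    if len(name_bytes) != 2 * fn_len:
        raise ValueError("file name runs past the end of the attribute value")
    return {
        "attr_id": attr_id,
        "indexed": bool(indexed),
        "parent_record": fields[0] & 0xFFFFFFFFFFFF,  # low 48 bits of the reference
        "namespace": namespace,
        "name": name_bytes.decode("utf-16-le"),
    }

# Constructed sample reproducing the header values quoted in the question (type 0x30,
# full length 0x68, name offset 0x18, id 3, value length 0x4A at offset 0x18, indexed 1).
# Timestamps, sizes, flags and the namespace byte (3) are made up for the example.
_NAME = "$MFT".encode("utf-16-le")
_VALUE = FILE_NAME_FIXED.pack((5 << 48) | 5, 0, 0, 0, 0, 16384, 16384, 0x06, 0,
                              len(_NAME) // 2, 3) + _NAME
SAMPLE_ATTR = HEADER.pack(ATTR_FILE_NAME, 0x68, 0, 0, 0x18, 0, 3, len(_VALUE), 0x18, 1, 0)
SAMPLE_ATTR += _VALUE + b"\x00" * (0x68 - HEADER.size - len(_VALUE))  # pad to 8-byte multiple
```

Running `parse_resident_file_name(SAMPLE_ATTR)` yields the name "$MFT" with a name length of 4, matching the second answer; feeding it a record whose name-length byte claims more code units than the value holds raises ValueError instead of reading past the buffer.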