
I'm reading about the NTFS attribute types and came to the $FILE_NAME attribute structure. Here it is:

Offset Size Description
~      ~    Standard Attribute Header
0x00   8    File reference to the parent directory.
0x08   8    C Time - File Creation
0x10   8    A Time - File Altered
0x18   8    M Time - MFT Changed
0x20   8    R Time - File Read
0x28   8    Allocated size of the file
0x30   8    Real size of the file
0x38   4    Flags, e.g. Directory, compressed, hidden
0x3c   4    Used by EAs and Reparse
0x40   1    Filename length in characters (L)
0x41   1    Filename namespace
0x42   2L   File name in Unicode (not null terminated)

What is "Filename Namespace" at the offset 0x41? I know a little about namespaces, I think. How can it be stored in just 1 byte? Can anyone clear this up for me? Thank you.

Best_Name

1 Answer


It describes the "traits" of a filename, i.e. length, allowable characters, etc. It is not a "string" in itself (like a C++/C#/etc. namespace).

I found a document here, of which I have frankly no idea of its validity.

But anyway, it describes the namespaces as such (which makes it quite obvious, see chapter 13.2.):

0: POSIX

This is the largest namespace. It is case sensitive and allows all Unicode characters except for NULL (0) and Forward Slash '/'. The maximum name length is 255 characters. N.B. There are some characters, e.g. Colon ':', which are valid in NTFS, but Windows will not allow you to use.

1: Win32

Win32 is a subset of the POSIX namespace and is case insensitive. It uses all the Unicode characters, except: '"' '*' '/' ':' '<' '>' '?' '\' '|' N.B. Names cannot end with Dot '.', or Space ' '.

2: DOS

DOS is a subset of the Win32 namespace, allowing only 8 bit upper case characters, greater than Space ' ', and excluding: '"' '*' '+' ',' '/' ':' ';' '<' '=' '>' '?' '\'. N.B. Names must match the following pattern: 1 to 8 characters, then '.', then 1 to 3 characters.

3: Win32 & DOS

This namespace means that both the Win32 and the DOS filenames are identical and hence have been saved in this single filename record.

So the field can be one byte, because it just contains a number identifying the respective namespace in use.

Christian.K
  • Thank you very much sir! – Best_Name Jul 21 '16 at 05:53
  • «I have frankly no idea of its validity» It is indeed valid. The NTFS doc was written by the authors of the `ntfs-3g` Linux driver and is also extensively quoted in [*Forensic File System Analysis* by Brian Carrier](http://www.digital-evidence.org/fsfa/). – Andrea Lazzarotto Jul 22 '16 at 09:16
  • You are welcome. :) Besides, I got the title wrong! It is actually *File System Forensic Analysis*. – Andrea Lazzarotto Jul 22 '16 at 17:45
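Added example (Python, not code from the question, the answer, or the NTFS document it quotes): a parser for the body of a `$FILE_NAME` attribute laid out exactly as in the question's table, plus a check that tests a decoded name against the namespace rules the answer lists for the byte at offset 0x41. The check is useful in forensic review for spotting records whose namespace byte disagrees with the name they carry. The function names, the `build_file_name` helper, and the sample names and timestamp are constructed for this example; reading the parent reference as a 48-bit entry number plus 16-bit sequence number, and interpreting timestamps as 100 ns ticks since 1601, are facts about NTFS not stated on the page.

```python
import struct
from datetime import datetime, timedelta, timezone

# Values of the namespace byte at offset 0x41, as listed in the answer.
NAMESPACES = {0: "POSIX", 1: "Win32", 2: "DOS", 3: "Win32&DOS"}

# Characters the answer lists as forbidden in the Win32 and DOS namespaces.
WIN32_FORBIDDEN = set('"*/:<>?\\|')
DOS_FORBIDDEN = set('"*+,/:;<=>?\\')

# NTFS timestamps are 100 ns ticks since 1601-01-01 UTC.
NTFS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Fixed part of the $FILE_NAME body: 7 x 8-byte fields, two 4-byte fields, two bytes.
FIXED_FORMAT = "<QQQQQQQIIBB"          # 0x42 bytes in total
FIXED_SIZE = struct.calcsize(FIXED_FORMAT)


def filetime_to_datetime(ticks):
    return NTFS_EPOCH + timedelta(microseconds=ticks // 10)


def parse_file_name(body):
    """Parse the body of a $FILE_NAME attribute (the bytes after the standard
    attribute header). Field offsets follow the table in the question."""
    if len(body) < FIXED_SIZE:
        raise ValueError("body shorter than the 0x42-byte fixed part")
    (parent_ref, ctime, atime, mtime, rtime, alloc_size, real_size,
     flags, reparse, name_len, ns) = struct.unpack_from(FIXED_FORMAT, body, 0)
    end = FIXED_SIZE + 2 * name_len        # name is UTF-16LE: 2 bytes per character
    if len(body) < end:
        raise ValueError("name length field exceeds the available data")
    return {
        # Low 48 bits: MFT entry number of the parent; high 16 bits: sequence number.
        "parent_entry": parent_ref & 0xFFFFFFFFFFFF,
        "parent_seq": parent_ref >> 48,
        "created": filetime_to_datetime(ctime),
        "altered": filetime_to_datetime(atime),
        "mft_changed": filetime_to_datetime(mtime),
        "read": filetime_to_datetime(rtime),
        "allocated_size": alloc_size,
        "real_size": real_size,
        "flags": flags,
        "reparse": reparse,
        "namespace": ns,
        "namespace_name": NAMESPACES.get(ns, "unknown(%d)" % ns),
        "name": body[FIXED_SIZE:end].decode("utf-16-le"),
    }


def name_fits_namespace(name, ns):
    """True when the name obeys the rules the answer quotes for namespace byte ns.
    An unknown namespace value never fits."""
    if ns not in NAMESPACES:
        return False
    # POSIX rules apply to every namespace: no NUL, no '/', at most 255 characters.
    if "\x00" in name or "/" in name or not 1 <= len(name) <= 255:
        return False
    if ns == 0:
        return True
    # Win32 rules (namespaces 1 and 3, and DOS as a subset): forbidden set, no trailing '.' or ' '.
    if WIN32_FORBIDDEN & set(name) or name[-1] in ". ":
        return False
    if ns == 1:
        return True
    # DOS rules (namespaces 2 and 3): 8-bit upper case, above space, forbidden set, 8.3 shape.
    for c in name:
        if ord(c) <= 0x20 or ord(c) > 0xFF or c in DOS_FORBIDDEN or c != c.upper():
            return False
    base, dot, ext = name.partition(".")
    if not 1 <= len(base) <= 8 or "." in ext:
        return False
    # The answer states "1 to 8 characters, then '.', then 1 to 3 characters";
    # a name with no extension is accepted here as well (assumption for this example).
    return dot == "" or 1 <= len(ext) <= 3


def build_file_name(parent_entry, parent_seq, ticks, alloc_size, real_size, flags, ns, name):
    """Construct a $FILE_NAME body for testing (constructed data, not from a real volume)."""
    encoded = name.encode("utf-16-le")
    parent_ref = (parent_seq << 48) | parent_entry
    fixed = struct.pack(FIXED_FORMAT, parent_ref, ticks, ticks, ticks, ticks,
                        alloc_size, real_size, flags, 0, len(encoded) // 2, ns)
    return fixed + encoded


if __name__ == "__main__":
    ticks = 131135000000000000              # constructed timestamp, mid-2016
    # Constructed sample: a Win32 long name and its DOS short name under MFT entry 5 (the root directory).
    for ns, name in ((1, "report final.docx"), (2, "REPORT~1.DOC")):
        rec = parse_file_name(build_file_name(5, 5, ticks, 4096, 1234, 0x20, ns, name))
        print(rec["name"], rec["namespace_name"], rec["created"].date(),
              "consistent:", name_fits_namespace(rec["name"], rec["namespace"]))
```

Feed `parse_file_name` the attribute content that follows the standard attribute header (the "~" row in the question's table); the 0x42-byte fixed part is unpacked in one `struct` call and the name is read as `2L` bytes of UTF-16LE. A record whose namespace byte is 2 but whose name is lower case, or is 1 but ends in a dot, fails `name_fits_namespace` and is worth a closer look.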