NTFS Attribute Types Reference
When digging through NTFS internals—whether you're looking at the MFT or changes tracked by the USN Journal—you'll run into Attribute Types. While $STANDARD_INFORMATION (0x10) and $FILE_NAME (0x30) are the rockstars everyone talks about, they are far from the only ones. Here's exactly what an attribute ID means when you find one:

| Hex Value | Attribute Name | What it actually means |
|---|---|---|
| 0x10 | $STANDARD_INFORMATION | Standard file properties like the classic MACB timestamps, read-only/hidden flags, and ownership limits. |
| 0x20 | $ATTRIBUTE_LIST | Points to additional MFT records if the file has too many attributes to fit in one record. |
| 0x30 | $FILE_NAME | Contains the file name and the kernel-level MACB timestamps (which are extremely hard for attackers to fake). |
| 0x40 | $OBJECT_ID | A unique 16-byte identifier (GUID) given to a file or directory for tracking. |
| 0x50 | $SECURITY_DESCRIPTOR | Holds the ACLs (who can read/write the file). Largely obsolete for modern files since NTFS moved this to the $Secure system file. |
| 0x60 | $VOLUME_NAME | Just what it sounds like: the name of the volume. |
| 0x70 | $VOLUME_INFORMATION | Metadata about the volume itself, like its version and dirty state flags. |
| 0x80 | $DATA | The actual meat and potatoes. This holds the file contents. If it's small, it lives here directly; if it's big, it points to external clusters. |
| 0x90 | $INDEX_ROOT | Used to manage directories. It forms the foundation of the B-tree structure indexing the folder's contents. |
| 0xA0 | $INDEX_ALLOCATION | Stores the bulk of the directory entries if they outgrow the $INDEX_ROOT. |
| 0xB0 | $BITMAP | A map of bits tracking which records or clusters are currently in use versus free. |
| 0xC0 | $REPARSE_POINT | Used for symbolic links, volume mount points, or OneDrive placeholders. Tells the OS to route the request elsewhere. |
| 0xD0 | $EA_INFORMATION | Stores tracking info regarding Extended Attributes. Mostly a relic but still exists. |
| 0xE0 | $EA | The actual Extended Attributes payload. Like $EA_INFORMATION, it's rarely used today except by certain legacy applications. |
| 0xF0 | $PROPERTY_SET | Rarely seen. Originally intended for object properties, but largely unsupported. |
| 0x100 | $LOGGED_UTILITY_STREAM | Used by EFS (Encrypting File System) for its overhead data, and occasionally by other NTFS features. |
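
To put the table to work, the following added example (not part of the original reference) walks the attribute headers of a single MFT record and labels each type ID, also reporting whether the attribute is resident. The header offsets it uses (first-attribute offset at 0x14, then type, length and non-resident byte in each attribute header) are assumed from the commonly documented NTFS on-disk layout rather than taken from this page, the sample record is constructed, and update sequence fixups are not applied.

```python
import struct

# Attribute type IDs, copied from the table above.
ATTR_TYPES = {
    0x10: "$STANDARD_INFORMATION", 0x20: "$ATTRIBUTE_LIST", 0x30: "$FILE_NAME",
    0x40: "$OBJECT_ID", 0x50: "$SECURITY_DESCRIPTOR", 0x60: "$VOLUME_NAME",
    0x70: "$VOLUME_INFORMATION", 0x80: "$DATA", 0x90: "$INDEX_ROOT",
    0xA0: "$INDEX_ALLOCATION", 0xB0: "$BITMAP", 0xC0: "$REPARSE_POINT",
    0xD0: "$EA_INFORMATION", 0xE0: "$EA", 0xF0: "$PROPERTY_SET",
    0x100: "$LOGGED_UTILITY_STREAM",
}
END_MARKER = 0xFFFFFFFF  # terminates the attribute list in a record


def walk_attributes(record: bytes):
    """Return [(type_id, name, resident)] per attribute; fixups are assumed already applied."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record (bad signature)")
    (pos,) = struct.unpack_from("<H", record, 0x14)  # offset of first attribute
    found = []
    while pos + 8 <= len(record):
        type_id, length = struct.unpack_from("<II", record, pos)
        if type_id == END_MARKER:
            break
        # A corrupt or carved record can carry a bogus length; stop rather than loop.
        if length < 16 or pos + length > len(record):
            raise ValueError(f"bad attribute length {length:#x} at offset {pos:#x}")
        resident = record[pos + 8] == 0  # non-resident flag byte: 0 means resident
        found.append((type_id, ATTR_TYPES.get(type_id, "UNKNOWN"), resident))
        pos += length
    return found


def build_sample_record() -> bytes:
    """Constructed 1024-byte record; header fields other than the two used are zero."""
    def attr(type_id, non_resident, body_len):
        hdr = struct.pack("<IIB", type_id, 16 + body_len, non_resident)
        return hdr.ljust(16 + body_len, b"\x00")
    attrs = attr(0x10, 0, 72) + attr(0x30, 0, 88) + attr(0x80, 1, 56)
    header = bytearray(0x38)
    header[:4] = b"FILE"
    struct.pack_into("<H", header, 0x14, 0x38)
    return (bytes(header) + attrs + struct.pack("<I", END_MARKER)).ljust(1024, b"\x00")


if __name__ == "__main__":
    for type_id, name, resident in walk_attributes(build_sample_record()):
        print(f"{type_id:#x} {name:<22} {'resident' if resident else 'non-resident'}")
```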