MFT attribute walking: the common attribute header plus the resident and non-resident bodies.
After the record header, attributes are laid out back-to-back, each starting
with a common header (type, length, resident flag, optional name, flags),
terminated by an end marker (0xFFFF_FFFF). Resident attributes store their
value inline; non-resident attributes store a runlist mapping the file’s
virtual clusters to on-disk clusters.
Every field is bounds-checked against the record and the attribute’s own declared length: a crafted record can never drive an out-of-bounds read or an unbounded loop.
Type codes, names, attribute-header field offsets, and flags all come from
the forensicnomicon::ntfs KNOWLEDGE layer.
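
A sketch of the bounds-checked walk described above, added here as an illustration and not taken from this crate. The names walk, Body and WalkError are hypothetical, and the field offsets (form flag at 8, resident value length/offset at 16/20, runlist offset at 32) are the standard NTFS layout hard-coded here rather than read from forensicnomicon::ntfs.

```rust
// Added illustration: all names here are hypothetical, not this crate's API.
use std::ops::Range;

const END_MARKER: usize = 0xFFFF_FFFF;
const COMMON_HEADER_LEN: usize = 16; // type, length, form, name len/offset, flags, id
#[derive(Debug, PartialEq)]
pub enum Body { Resident(Range<usize>), NonResident { runlist_at: usize } }
#[derive(Debug, PartialEq)]
pub enum WalkError { Truncated, BadLength, BadBody }

/// Little-endian read of `n` (<= 4) bytes at `off`; None if it leaves `buf`.
fn le(buf: &[u8], off: usize, n: usize) -> Option<usize> {
    let bytes = buf.get(off..off.checked_add(n)?)?;
    Some(bytes.iter().rev().fold(0usize, |acc, &b| (acc << 8) | b as usize))
}

/// Walk attributes from `first`; returns (type code, body location in `record`).
pub fn walk(record: &[u8], first: usize) -> Result<Vec<(u32, Body)>, WalkError> {
    let (mut out, mut off) = (Vec::new(), first);
    loop {
        let ty = le(record, off, 4).ok_or(WalkError::Truncated)?;
        if ty == END_MARKER { return Ok(out); }
        let len = le(record, off + 4, 4).ok_or(WalkError::Truncated)?;
        // len >= header size forces forward progress (no endless loop on len == 0);
        // end <= record.len() keeps every later read inside the record.
        let end = off.checked_add(len)
            .filter(|&e| len >= COMMON_HEADER_LEN && e <= record.len())
            .ok_or(WalkError::BadLength)?;
        let attr = &record[off..end]; // body fields are only read through this slice
        let body = if attr[8] == 0 {
            let vlen = le(attr, 16, 4).ok_or(WalkError::BadBody)?;
            let voff = le(attr, 20, 2).ok_or(WalkError::BadBody)?;
            let vend = voff.checked_add(vlen).filter(|&e| e <= len).ok_or(WalkError::BadBody)?;
            Body::Resident(off + voff..off + vend)
        } else {
            let roff = le(attr, 32, 2).filter(|&r| r < len).ok_or(WalkError::BadBody)?;
            Body::NonResident { runlist_at: off + roff }
        };
        out.push((ty as u32, body));
        off = end;
    }
}

fn main() {
    // Constructed sample: one resident attribute (type 0x10, 32 bytes) then the end marker.
    let mut rec = vec![0u8; 36];
    rec[0] = 0x10; rec[4] = 32; rec[16] = 4; rec[20] = 24;
    rec[32..36].copy_from_slice(&[0xFF; 4]);
    println!("{:?}", walk(&rec, 0));
}
```
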
Structs
- Attribute - A parsed MFT attribute (common header + body discriminant).
Enums
- AttributeBody - The resident/non-resident discriminant of an attribute.
Functions
- parse_attributes - Walk the attribute chain of a (fixed-up) record, starting at first_attr_offset, until the end marker.