Skip to content
Switch branches/tags
Go to file
Cannot retrieve contributors at this time
28 lines (15 sloc) 1.54 KB

#NTFS Extended Attribute Analysis

Purpose: Identify data hiding in extended attributes on files in an NTFS filesystem, which are otherwise rarely used.

Data Required: NTFS Master File Table (MFT) data from a single host

Collection Considerations: Run fget.exe on each NTFS filesystem on a host to capture the raw data, then parse into records and fields with something like

Analysis Techniques: Stack counting


The MFT holds detailed metadata about files and directories on a file system. There are many different attributes that are technically possible to attach to files and dirs, but in practice are never used. The so-called "Extended Attributes" section is thought to be present for OS/2 compatibility, but no one ever used OS/2, so anything in the EA is pretty suspicious.

Stack the data by full path and filename, "EA" an "EA Information" fields. Look for:

  • Rare values in the MFT "EA" or "EA Information" fields. There may be some legitimate use of these in your environment, but hopefully these uses will have a high count.
    • Anything in /Windows/winsxs or /Windows/CSC is probably legit

Other Notes

More Info