A file attribute is metadata that describes a file or directory. It also tells users and programs how the file or directory may be accessed or modified. It is critical to digital forensics because, for instance, it can reveal what malware can do or how it behaves.
In answer to the question “What is a file attribute?”, a typical file attribute tells users whether a file is visible, modifiable, compressed, or encrypted. Whether a given attribute is available depends on the support provided by the underlying file system, such as File Allocation Table (FAT), New Technology File System (NTFS), or ext4, which stores the attribute data alongside its own control structures. Besides files and directories, folders, volumes, and other file system objects may also have attributes.
Each file’s attributes depend on the file system it is stored on, hence the mention of FAT, NTFS, and ext4 above. What are these file systems, exactly?
What Are the Common Underlying File Systems That Determine File Attributes?
File attributes vary depending on the underlying file system, which can be:
- FAT: A file system developed for hard drives that initially used 12 or 16 bits for each cluster entry (a cluster being the logical unit of file storage on a disk). The operating system (OS) uses it to manage files on hard drives and other storage devices.
- NTFS: A proprietary journaling file system developed by Microsoft, built into Windows NT 3.1 onward. It is the default Windows file system, which replaced FAT. Linux OSs also support it.
- ext4: The successor to ext3, the most widely used Linux file system. It allows users to modify essential data structures of the file system, such as the ones meant to store file data.
In digital forensics, determining the file attributes of a malicious program, for example, requires analyzing the underlying file system. An example is the analysis of the WastedLocker ransomware, which plagued users in July 2020. This malware took advantage of NTFS’s alternate data stream feature, which allowed its copy to remain hidden on infected computers.
What File Attributes Do Windows and DOS Use?
DOS and Windows computers recognize 12 file attributes, namely:
- Archive (A): A file with this attribute has changed since it was last backed up. The backup software is responsible for clearing the attribute upon each successful full or incremental backup.
- Hidden (H): A file with this attribute means it is hidden. It won’t appear when an MS-DOS command like dir is used. Also, Windows apps, such as File Explorer, won’t show it by default unless users ask it to do so.
- System (S): A file with this attribute is a critical system file. If it is deleted, the computer will cease to operate correctly. Important system files are given this attribute on MS-DOS and Windows computers. Like hidden files, system files don’t appear when a command like dir is used, and apps like File Explorer don’t show them unless users specifically ask them to.
- Read-only (R): A file with this attribute should never be altered. In fact, when the file is opened, the file system won’t grant write permission to it unless the caller explicitly requests it.
- Compressed (C): A file with this attribute means it has been compressed when stored.
- Encrypted (E): A file with this attribute means it has been encrypted when it was stored to prevent unauthorized access. Without the encryption key, users can’t modify the file.
- Not Content-Indexed (I): A file with this attribute means it can’t be indexed by the Indexing Service or Windows Search, making it unsearchable.
- Directory (D): A file with this attribute means it is a subdirectory. It has directory entries of its own.
- Reparse Point (L): A file with this attribute means it has an associated reparse point or is a symbolic link.
- Offline (O): A file with this attribute means it has been physically moved to offline or remote storage, such as an external hard drive.
- Sparse (P): A file with this attribute means it is a sparse file, or its contents are partially empty and noncontiguous.
- Temporary (T): A file with this attribute means it has only been temporarily stored.
In digital forensics investigations, threat actors are typically found to have set the hidden attribute on malware so users can’t see it. In some cases, they also mark it read-only or make it appear to be a system file. In WastedLocker’s case, the hackers also made it a point to store its copy in the temporary folder using the temporary file attribute to avoid early detection and removal.
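The attribute letters listed above, as a defender would use them in triage, written as an added example rather than code from the original page: it decodes the raw Windows attribute bitmask into attrib-style letters and flags the hidden/system/temporary combinations the text associates with malware. The sample entries and the allow-list of directories where hidden system files are expected are constructed for illustration.

```python
import os
import stat
from typing import Dict, List

# Each Windows attribute flag mapped to the letter attrib.exe (and the list
# above) uses for it. The constants live in Python's stat module on any OS.
ATTRIBUTE_LETTERS = {
    stat.FILE_ATTRIBUTE_ARCHIVE: "A",
    stat.FILE_ATTRIBUTE_HIDDEN: "H",
    stat.FILE_ATTRIBUTE_SYSTEM: "S",
    stat.FILE_ATTRIBUTE_READONLY: "R",
    stat.FILE_ATTRIBUTE_COMPRESSED: "C",
    stat.FILE_ATTRIBUTE_ENCRYPTED: "E",
    stat.FILE_ATTRIBUTE_NOT_CONTENT_INDEXED: "I",
    stat.FILE_ATTRIBUTE_DIRECTORY: "D",
    stat.FILE_ATTRIBUTE_REPARSE_POINT: "L",
    stat.FILE_ATTRIBUTE_OFFLINE: "O",
    stat.FILE_ATTRIBUTE_SPARSE_FILE: "P",
    stat.FILE_ATTRIBUTE_TEMPORARY: "T",
}

# Hypothetical allow-list: places where Hidden+System files are normal.
EXPECTED_SYSTEM_DIRS = ("c:\\windows\\", "c:\\program files\\")

def decode_attributes(mask: int) -> str:
    """Turn a raw st_file_attributes bitmask into attrib-style letters."""
    return "".join(letter for flag, letter in ATTRIBUTE_LETTERS.items() if mask & flag)

def triage(path: str, mask: int) -> List[str]:
    """Return the reasons an attribute combination deserves a closer look."""
    letters = decode_attributes(mask)
    reasons = []
    if "H" in letters and "S" in letters and not path.lower().startswith(EXPECTED_SYSTEM_DIRS):
        reasons.append("hidden+system outside OS directories")
    if "H" in letters and "T" in letters:
        reasons.append("hidden temporary file")
    if "L" in letters:
        reasons.append("reparse point or symbolic link (verify target)")
    return reasons

# Constructed sample of (path, attribute mask) pairs, as a live scan would
# collect them on Windows via os.stat(path).st_file_attributes.
SAMPLE_ENTRIES = {
    "C:\\Windows\\bootstat.dat": 2 | 4 | 32,                           # HS + A
    "C:\\Users\\alice\\AppData\\Local\\Temp\\updater.exe": 2 | 4 | 32 | 256,  # AHST
    "C:\\Users\\alice\\Documents\\report.docx": 32,                    # A only
}

def run_triage(entries: Dict[str, int] = SAMPLE_ENTRIES) -> Dict[str, List[str]]:
    """Triage every entry and keep only those with at least one finding."""
    return {p: r for p, m in entries.items() if (r := triage(p, m))}
```

On a live Windows host, replace SAMPLE_ENTRIES with masks read from os.stat(path).st_file_attributes, which is only populated on Windows.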