Miscellaneous

Windows DFIR notes are no longer maintained on InfoSec-Notes. Updated versions can be found on: artefacts.help.

NTFS file attributes

A number of forensic artefact files, such as the $MFT or the $UsnJrnl files, have both the NTFS Hidden (H) and System (S) attributes set. The System attribute is used to identify system-critical files that are "necessary for Windows to operate properly" and are not shown by the Windows Explorer application or the dir utility by default.

Following a collect of these files, that may be locked by Windows and require utilities such as Velociraptor or KAPE for triage, the files will remain hidden. The attrib.exe utility can be used to remove the Hidden (H) / System (S) attributes:

# Shows the specified file or files in the working directory NTFS attributes.
attrib [<FILE>]

# Removes the Hidden and System attributes from the specified file.
attrib -h -s <FILE>

Alternatively, hidden / system files can be displayed in the Windows Explorer application (View -> Check "Hidden Items") or with dir utility / Get-ChildItem cmdlet the if needed:

dir /x /a

Get-ChildItem -Attributes Hidden,!Hidden

PreviousUsnJrnl NextTTPs analysis

Last updated 8 months ago