NTFS Extended Attributes, how it works

gaolei 221 Reputation points
2020-08-27T07:20:41.4+00:00

Hi Heroes,

Maybe a dumb question, but I have been struggling to understand how exactly NTFS Extended Attributes work.
I'm studying Data Loss Prevention (DLP) products (like the Symantec, McAfee, and Forcepoint DLP products), and in the DLP products there is a mechanism by which the DLP can insert a Classification ID into the file to classify the file, so that even if the file is sent out to another PC, the DLP can still track the file if the target PC has DLP software installed as well.
I want to know how the Classification ID is embedded into the file. I googled this a lot but am still unsure about it... Thanks in advance.


1 answer

  1. Anonymous
    2020-08-28T06:35:19.37+00:00

    Hi,
    In NTFS, the file metadata is stored in the master file table (MFT). There is at least one record in the MFT for every file on an NTFS file system volume. Each record consists of the attributes of a file, such as the file name, timestamp, security descriptor, and the extended attributes. The extended attributes are defined by programs. According to your description, if your DLP product adds an extended attribute called Classification ID to a file, it's inserted not into the file itself, but into the MFT record that points to the file.

    For more details about the MFT, you may refer to these links:
    https://learn.microsoft.com/en-us/windows/win32/fileio/master-file-table
    http://ntfs.com/ntfs-mft.htm

    Best Regards,
    Ian
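
The answer above describes extended attributes as program-defined entries kept with the file's metadata rather than in its data. As an added example (not part of the original answer), this Python code parses a buffer in the documented FILE_FULL_EA_INFORMATION layout, the form in which Windows hands a file's EA list to callers of NtQueryEaFile. The sample buffer, the names CLASSIFICATION.ID and OWNER.DEPT, and their values are constructed for illustration and are not taken from any DLP product.

```python
import struct

FILE_NEED_EA = 0x80  # flag bit defined for FILE_FULL_EA_INFORMATION.Flags
# NextEntryOffset (ULONG), Flags (UCHAR), EaNameLength (UCHAR), EaValueLength (USHORT)
_HEADER = struct.Struct("<LBBH")


def build_ea_entry(name: bytes, value: bytes, last: bool, flags: int = 0) -> bytes:
    """Pack one entry; used here only to construct the sample buffer."""
    body = name + b"\x00" + value              # name is NUL-terminated, value follows
    padded = (_HEADER.size + len(body) + 3) & ~3   # next entry starts 4-byte aligned
    raw = _HEADER.pack(0 if last else padded, flags, len(name), len(value)) + body
    return raw if last else raw.ljust(padded, b"\x00")


def parse_ea_list(buf: bytes) -> list[tuple[str, bytes, bool]]:
    """Return (name, value, need_ea) per entry, validating every length field."""
    entries, offset = [], 0
    while True:
        if offset + _HEADER.size > len(buf):
            raise ValueError(f"truncated EA header at offset {offset}")
        next_off, flags, name_len, value_len = _HEADER.unpack_from(buf, offset)
        name_start = offset + _HEADER.size
        value_start = name_start + name_len + 1    # skip the name's NUL terminator
        end = value_start + value_len
        if end > len(buf):
            raise ValueError(f"EA entry at offset {offset} overruns the buffer")
        if buf[value_start - 1] != 0:
            raise ValueError(f"EA name at offset {offset} is not NUL-terminated")
        name = buf[name_start:name_start + name_len].decode("ascii")
        entries.append((name, buf[value_start:end], bool(flags & FILE_NEED_EA)))
        if next_off == 0:                          # zero marks the last entry
            return entries
        if next_off % 4 or next_off < end - offset:
            raise ValueError(f"bad NextEntryOffset {next_off} at offset {offset}")
        offset += next_off


# Constructed sample: two EAs as they would sit in one list, separate from file data.
SAMPLE = (build_ea_entry(b"CLASSIFICATION.ID", b"c0ffee-0001", last=False)
          + build_ea_entry(b"OWNER.DEPT", b"finance", last=True))

if __name__ == "__main__":
    for ea_name, ea_value, need_ea in parse_ea_list(SAMPLE):
        print(f"{ea_name} = {ea_value!r} (need_ea={need_ea})")
```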

