In this module

$FILE_NAME Attribute

14 hours · Module 1 · Free

Operational Objective

The $FILE_NAME attribute is the most forensically reliable timestamp source in NTFS. While $STANDARD_INFORMATION timestamps are modifiable through the Windows API (the target of every timestomping tool), $FILE_NAME timestamps are set by the NTFS kernel driver and cannot be modified through any documented user-mode API. Modifying $FN timestamps requires either direct disk writes (bypassing NTFS entirely) or kernel-level manipulation — both of which are significantly more complex, more detectable, and more rarely attempted than $SI timestomping. When you compare a file's $SI Created timestamp against its $FN Created timestamp and they don't match, you have strong evidence of timestamp manipulation. The $FILE_NAME attribute also contains the parent directory reference (the MFT entry number of the directory containing the file), the filename in Unicode, the filename namespace (Win32, DOS, POSIX, or Win32+DOS), and its own set of four timestamps. Understanding this attribute at the binary level gives you the most reliable temporal evidence NTFS provides and the ability to reconstruct directory relationships even after directories have been deleted.

Deliverable: Ability to locate and parse the $FILE_NAME attribute in raw hex, extract the parent directory MFT reference (entry number + sequence number), read all four $FN timestamps, identify the filename namespace, compare $FN timestamps against $SI timestamps to detect timestomping, and reconstruct file paths by following parent directory references through the MFT.

Estimated completion: 45 minutes

Figure WF1.3 — $FILE_NAME attribute structure showing the parent directory reference, four timestamps, file metadata, and filename. $FN timestamps are set by the NTFS kernel driver and are not modifiable through user-mode APIs, making them the most forensically reliable timestamp source in NTFS. Timestomping is detected by comparing $SI timestamps against $FN timestamps.

Why $FN timestamps matter

The $FILE_NAME attribute contains its own set of four MACE timestamps that are independent of the $STANDARD_INFORMATION timestamps. Both sets use the same FILETIME format (8-byte, 100-nanosecond precision), but they are updated by different mechanisms and under different conditions.

$SI timestamps are updated by the Windows I/O manager through the file system filter stack. Any application that calls SetFileTime(), SetFileInformationByHandle(), or equivalent APIs can modify $SI timestamps. This is by design — applications legitimately set timestamps when extracting archives (to preserve the original file's timestamps), when synchronizing files (to match the source's timestamps), and when performing backup-restore operations. The same API that enables these legitimate uses is what timestomping tools exploit.

$FN timestamps are set by the NTFS driver itself at the kernel level. When NTFS creates a new file and allocates the MFT record, the driver copies the current system time into both the $SI timestamps and the $FN timestamps. From that point forward, $FN timestamps are updated only under specific NTFS-internal conditions: file rename (updates $FN Modified and $FN Entry Modified), file move to a different directory (updates $FN Modified), and certain MFT record restructuring operations. Critically, data writes to the file — opening it, editing it, saving it — do not update $FN timestamps. The $FN Created timestamp, in particular, is set once at file creation and almost never changes.

This creates the forensic asymmetry that makes timestomping detectable. When an attacker creates a malicious file at 02:14 on March 18, 2026, and then uses a timestomping tool to set the $SI Created timestamp to August 15, 2025, the $SI attribute shows August 2025 but the $FN attribute still shows March 18, 2026. The discrepancy between $SI Created and $FN Created — particularly when $FN Created is later than $SI Created, which should never happen naturally — is strong evidence of timestamp manipulation.

Compliance Myth: "$FILE_NAME timestamps are immutable and can never be modified"

$FN timestamps cannot be modified through user-mode Windows APIs — this is correct. However, they are not immutable. An attacker with kernel-level access (a kernel driver, a direct disk write tool, or a tool that patches NTFS in memory) can modify $FN timestamps. Tools like SetMACE have proof-of-concept modes that modify $FN timestamps through raw disk writes. In practice, $FN timestamp modification is rare in real investigations because it requires significantly more sophistication than $SI timestomping and risks corrupting the NTFS volume if done incorrectly. For court testimony, state that "$FN timestamps cannot be modified through standard Windows APIs and require kernel-level or direct disk access to alter" rather than "$FN timestamps cannot be modified." The former is accurate and defensible. The latter is technically incorrect and could be challenged.

The parent directory reference

The first eight bytes of the $FILE_NAME attribute content (offset 0x00) contain the parent directory reference — a pointer to the MFT record of the directory that contains this file. This reference is structured as a 6-byte MFT entry number followed by a 2-byte sequence number, stored in little-endian format.

The entry number identifies which MFT record represents the parent directory. The sequence number identifies which allocation of that MFT record is the parent. This distinction matters when directories are deleted: if you have a file whose parent reference points to MFT entry 500 with sequence number 3, and MFT entry 500 currently has sequence number 5, then the file's parent directory was deleted and MFT entry 500 has been reused twice since then. The parent directory that this file belonged to no longer exists — at least not at that MFT entry.

To reconstruct a file's full path from MFT data, you follow the parent directory chain: read the file's $FN parent reference, look up that MFT entry, read its $FN attribute (which contains the directory's name and its own parent reference), and continue until you reach MFT entry 5 (the root directory). MFTECmd performs this resolution automatically in its "ParentPath" output column. When the resolution fails — because a parent directory's MFT entry has been reallocated — MFTECmd outputs an incomplete or incorrect path.

For the forensic examiner, the parent directory reference provides evidence of where a file was located, independent of the directory structure visible on the live system. A deleted file's MFT record still contains its parent reference. A file that was moved between directories retains its new parent reference, and the old location may be recoverable from USN Journal entries that recorded the move operation. In the insider threat scenario (INC-NE-2026-0915), the parent references on copied files show which directories the departing engineer targeted — even if those directories have been renamed or reorganized since the investigation period.

Filename and namespace

At offset 0x40 in the $FN content, a one-byte field contains the filename length in characters (not bytes — each Unicode character is 2 bytes in UTF-16LE). At offset 0x41, a one-byte field indicates the filename namespace:

0x00 — POSIX: Case-sensitive, allows almost any character including colons and backslashes. Rarely seen on Windows — primarily used by POSIX subsystem applications and WSL.

0x01 — Win32: The standard Windows long filename. Case-preserving but case-insensitive. Maximum 255 characters. Cannot contain certain reserved characters (\ / : * ? " < > |).

0x02 — DOS: The 8.3 short filename. Maximum 8 characters for the name, 3 for the extension. Uppercase only. Generated automatically by NTFS for compatibility with older applications.

0x03 — Win32+DOS: The filename satisfies both Win32 and DOS naming requirements (8 characters or fewer, valid characters, no spaces). Only one $FN attribute is needed because the same name works for both namespaces.

Most files have either one $FN attribute (namespace 0x03, when the filename is short enough for DOS compatibility) or two $FN attributes (namespace 0x01 for the Win32 long name and namespace 0x02 for the DOS short name). When two $FN attributes exist, each has its own set of four timestamps. In practice, the timestamps in both $FN attributes are typically identical because NTFS sets them at the same time during file creation. However, certain operations can cause them to diverge — this is an edge case worth checking when precision matters.

The filename starts at offset 0x42 and is encoded in UTF-16LE (2 bytes per character). To read it in hex, take pairs of bytes starting at 0x42 and interpret each pair as a Unicode character. For ASCII-compatible characters, the second byte of each pair is 0x00. So the filename "test.txt" appears as 74 00 65 00 73 00 74 00 2E 00 74 00 78 00 74 00 in hex — each ASCII character followed by a null byte.

Decision point

You are analyzing a suspected ransomware executable found in a temporary directory. MFTECmd reports the following timestamps:

$SI Created: 2025-06-01T12:00:00.0000000 $SI Modified: 2026-03-18T02:14:33.7654321 $FN Created: 2026-03-18T02:14:33.7654321 $FN Modified: 2026-03-18T02:14:33.7654321

The $SI Created timestamp (June 2025) is nine months before the $FN Created timestamp (March 2026). This temporal inversion — $SI Created being earlier than $FN Created — is physically impossible under normal NTFS operation because both timestamps are set from the same system clock at the same moment during file creation.

Your options: (A) Conclude the system clock was wrong in June 2025 and was corrected before March 2026. (B) Conclude the $SI Created timestamp was modified after file creation to show a date nine months earlier than the actual creation — this is timestomping. The $FN Created timestamp reflects the real creation time. (C) Conclude the file was moved from another volume, which reset the $SI Created timestamp but preserved $FN Created from the original volume.

The correct answer is B. A cross-volume move (option C) would reset both $SI Created and $FN Created to the time of the copy operation — it would not cause $SI Created to be earlier than $FN Created. A clock correction (option A) would affect all files created during the clock-wrong period, not just this one. The temporal inversion ($SI Created before $FN Created) is a definitive timestomping indicator: the attacker created the file on March 18, 2026, then set the $SI Created timestamp back to June 2025 to blend with older files in the directory.

$FN timestamp update behavior

Understanding exactly when $FN timestamps update (and when they don't) is essential for interpreting them correctly in investigations.

$FN Created: Set once when the file is created. Never updated by normal file operations. Editing the file, changing permissions, moving the file within the same volume, renaming the file — none of these update $FN Created. The only operations that set $FN Created are file creation (new file or copy) and tunnel-cache operations (described below).

$FN Modified: Updated when the file's data is modified AND the parent directory's $INDEX entry is updated to reflect the new size. In practice, this means $FN Modified tracks data changes that change the file's displayed size in the directory listing. Small edits that don't change the allocated size may not trigger a $FN Modified update. Large writes that extend or truncate the file do trigger it.

$FN Entry Modified: Updated when the MFT record is modified in a way that affects the directory index. This is less frequently updated than $SI Entry Modified — internal MFT changes that don't affect the directory listing don't trigger a $FN Entry Modified update.

$FN Accessed: Follows the same access-update rules as $SI Accessed (disabled by default on Windows 10/11).

The key forensic takeaway: $FN Created is the most stable timestamp in NTFS. On a file that has not been subject to timestomping or tunnel-cache effects, $FN Created reflects the actual time the file was created on this volume. It is the timestamp to trust when $SI timestamps are in question.

The NTFS tunnel cache

There is one legitimate mechanism that can cause $FN timestamps to show unexpected values: the NTFS tunnel cache. When a file is deleted and a new file is created with the same name in the same directory within 15 seconds (the default tunnel cache timeout), NTFS copies the deleted file's $FN timestamps to the new file. This is designed to preserve timestamp continuity during save operations where applications delete the original file and write a new one with the same name (a common save pattern in older applications).

The tunnel cache can cause forensic confusion: a file appears to have a $FN Created timestamp from a previous file that occupied the same name. The effect is time-limited (15 seconds) and name-specific (the new file must have the same name as the deleted file). In practice, the tunnel cache most commonly affects files saved by applications that use delete-and-replace save patterns. It does not affect files created with new names, files created more than 15 seconds after a deletion, or files created in different directories.

For the forensic examiner, the tunnel cache means that $FN timestamps are highly reliable but not absolute. When a $FN Created timestamp seems inconsistent with other evidence (particularly when it is older than expected), consider whether the file's name was previously used by another file in the same directory. USN Journal analysis (WF2) can confirm or rule out this scenario by showing the deletion of the previous file and the creation of the new one within the tunnel cache window.

Try it: Compare $SI and $FN timestamps

Using MFTECmd output from a KAPE collection (or the lab data provided with this module), open the CSV in Timeline Explorer and add columns for both $SI and $FN timestamps. Filter or sort to identify records where $SI Created differs from $FN Created.

1. Sort the MFTECmd output by the "Created0x10" column ($SI Created) and "Created0x30" column ($FN Created). 2. Look for records where $SI Created is significantly earlier than $FN Created (temporal inversion — strong timestomping indicator). 3. Look for records where $SI Created has zero fractional seconds but $FN Created has non-zero fractional seconds (precision anomaly — moderate timestomping indicator). 4. Look for records where $SI Created and $FN Created are identical to the nanosecond (normal — no timestomping detected). 5. For any anomalies found, examine the file path, size, and other attributes to assess whether the file warrants deeper investigation.

In the lab evidence for INC-NE-2026-1022 (ransomware scenario), you should find several files with timestomped $SI values. The attacker set $SI Created timestamps on their tools to match legitimate system files, but the $FN Created timestamps reveal the real creation time during the intrusion window.

Multiple $FN attributes per record

An MFT record can contain multiple $FILE_NAME attributes. The most common case is a file with both a Win32 long filename and a DOS 8.3 short filename — two $FN attributes, one with namespace 0x01 (Win32) and one with namespace 0x02 (DOS). Files with short names that fit DOS requirements have a single $FN attribute with namespace 0x03 (Win32+DOS).

When walking the attribute chain in hex, don't stop at the first $FN attribute. Continue walking and collect all $FN attributes. Compare the timestamps across them — they should be identical under normal conditions. If they differ, the file has undergone an unusual operation that updated one $FN attribute without the other, which is forensically interesting.

Hard links create additional $FN attributes. Each hard link adds a $FN attribute with a different parent directory reference and potentially a different filename. The timestamps in each $FN attribute reflect when that particular hard link was created. This means a hard-linked file can have $FN attributes with different timestamps — the oldest $FN Created timestamp corresponds to the original filename, and newer $FN Created timestamps correspond to hard links added later.

The hard link count in the MFT record header (offset 0x12) tells you how many $FN attributes to expect. If the hard link count is 1, expect one or two $FN attributes (Win32 + optional DOS). If the hard link count is 2, expect an additional $FN attribute for the hard link. If the hard link count is higher, the file has multiple hard links and the $FN attributes reveal where each link points.

You find a suspicious executable with the following MFT data: hard link count = 1, two $FILE_NAME attributes (namespace 0x01 and 0x02). The Win32 $FN has filename "svchost-update.exe" with $FN Created = 2026-03-18T02:14:33.7654321. The DOS $FN has filename "SVCHO~1.EXE" with $FN Created = 2026-03-18T02:14:33.7654321. The $SI Created = 2024-11-15T09:30:00.0000000. What does this evidence show?

The file was originally created in November 2024 and has two names due to an application compatibility requirement — the timestamps are consistent with a legitimate system file.

The file has been renamed from its original DOS name to the current Win32 name, which updated the $FN timestamps but not the $SI timestamps.

The file was created on March 18, 2026 (both $FN Created timestamps confirm this). The $SI Created timestamp of November 2024 is timestomped — it was set to a date 16 months before the actual creation to make the executable blend with legitimate system files. The zero fractional seconds on $SI Created and the 16-month temporal inversion between $SI Created and $FN Created are both strong timestomping indicators. The filename "svchost-update.exe" is designed to look like a legitimate Windows update — combined with the timestomping, this is consistent with attacker tradecraft to disguise a malicious executable.

The $FN timestamps are affected by the NTFS tunnel cache — a file named "svchost-update.exe" was deleted and recreated within 15 seconds, preserving the old $SI timestamps but generating new $FN timestamps.

Operational Artifact — $FILE_NAME Timestamp Comparison Method for Timestomping Detection

This subsection establishes the $SI-versus-$FN timestamp comparison as the primary method for detecting timestomping in MFT analysis. The method is: for every file central to your investigation, compare $SI Created (Created0x10 in MFTECmd output) against $FN Created (Created0x30). Three indicators flag potential timestomping: (1) temporal inversion — $SI Created earlier than $FN Created, (2) precision anomaly — $SI timestamps with zero fractional seconds when $FN has full nanosecond precision, (3) temporal gap — $SI Created and $FN Created differ by more than a few seconds with no corresponding USN Journal entry explaining the discrepancy. This comparison should be performed on every key evidence file in legal, regulatory, and insurance investigations. Document the comparison in your methodology section as evidence that you verified timestamp integrity.

You've built the foundations of artifact-level forensic analysis.

WF0 gave you the taxonomy, NTFS architecture, and the five-step methodology. WF1 took you inside the MFT at the binary level — every attribute, every timestamp, every edge case. From here, every artifact category gets the same raw-first treatment.

WF2–WF10: every major Windows artifact decoded at binary level — USN Journal, Prefetch, Amcache, Shimcache, ShellBags, LNK, Jump Lists, SRUM, Event Logs, and the Registry hives
INC-NE-2026-0915 (WF13) — Insider data exfiltration capstone. Work the complete investigation from USB history to OneDrive exfiltration evidence
INC-NE-2026-1022 (WF14) — Ransomware capstone. Three-host triage (FIN01 → IT03 → FS01) across the 72-hour attack chain
The lab pack — 25+ realistic evidence files in 10 formats, simulated KAPE triage pre-populated, both capstones deployable to your own VM
Anti-forensic detection methodology — defeat timestomping, log clearing, and Prefetch deletion with cross-artifact correlation

Unlock with Specialist — £25/mo See Full Syllabus

Cancel anytime

← Previous Next →