For this example above, I'd like to know what the "size" of attribute 0x80 mean. Is the size in hexadecimal or bytes? Also, how do you determine the length of the data run for the alternate data stream?
it is byte 80 is header of data
For this example above, I'd like to know what the "size" of attribute 0x80 mean. Is the size in hexadecimal or bytes?
Given that the image illustrates a hex dump of data, and that the attribute is displayed as "0x80", it seems to be in hexadecimal.
Also, how do you determine the length of the data run for the alternate data stream?
I'm not at all clear how the length of the data run is of value. I'd think you'd be more interested in the length of the content.
All attribute headers start with a 4 byte identifier (0x80 0x00 0x00 0x00 in this case) followed by a 4 byte size of attribute which includes header.
The size is of course represented in hex as a hexadecimal number. Using the size in this 0x58 which is 88 bytes.
Fort further information on attribute headers (and indeed all things NTFS) try here
https://