Article on Dissecting NTFS Hidden Streams

NII Consulting’s Chetan Gupta (GCFA) has published an article at ForensicFocus on the Alternate Data Streams in NTFS, and how these can be detected.

This article discusses a “…particular feature of this file system which was designed to offer compatibility with Macintosh Hierarchical File System (HFS) and store additional data called metadata for a file. This feature is known as Alternate Data Streams (ADS). The Macintosh file system stores its data in two parts, the resource fork and the data fork. The data fork is where the data is actually contained and the resource fork tells the operating system how to interpret the data fork. Alternate Data Streams is the Microsoft way of implementing resource fork. The ADS is a hidden stream in addition to the regular data stream which contains the main data for the file. This hidden stream contains metadata for the file such as the file access/modification times, attributes etc. ”
Click here to read more.

Author


2 comments

Quick question, guys…your Properties tag (first image) shows a file with a .doc extension. Is this an MSWord document? If so, the properties aren’t maintained in an ADS, but within the OLE document itself.

Harlan

I would appreciate if you could answer to these questions so I can send hard drive for forensics:
1. Few files & folders had been hidden in My Documents on a PC. These are now un-hidden.

Can Forensic software tell about these files & folders:
a. Were these files & folders ever hidden
b. When were these files & folders hidden
c. Where were these files & folders hidden.
d. When these files & folders were un-hidden.

2. A computer’s date & time was changed and now reset to current time.
Does a computer keep a log of this date & time change.
If yes, where?

Thank
Amita

Leave a Reply

Your email address will not be published. Required fields are marked *