07.17.06
Article on Dissecting NTFS Hidden Streams
NII Consulting’s Chetan Gupta (GCFA) has published an article at ForensicFocus on Alternate Data Streams in NTFS and how they can be detected.
This article discusses a “…particular feature of this file system which was designed to offer compatibility with Macintosh Hierarchical File System (HFS) and store additional data called metadata for a file. This feature is known as Alternate Data Streams (ADS). The Macintosh file system stores its data in two parts, the resource fork and the data fork. The data fork is where the data is actually contained and the resource fork tells the operating system how to interpret the data fork. Alternate Data Streams is the Microsoft way of implementing resource fork. The ADS is a hidden stream in addition to the regular data stream which contains the main data for the file. This hidden stream contains metadata for the file such as the file access/modification times, attributes etc.”
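As an added illustration (not code from the quoted article or from NII Consulting): on disk, each stream of an NTFS file is a separate $DATA attribute in the file's MFT record, and an alternate stream is a $DATA attribute that carries a name. The Python code below walks a constructed record and lists its streams; the helper names are hypothetical, and the record omits the fixup array and the other header fields a real MFT entry carries.

```python
import struct

DATA_ATTR = 0x80         # NTFS attribute type code for $DATA
END_MARKER = 0xFFFFFFFF  # terminates the attribute list in a FILE record

def resident_attr(attr_type, name, content):
    """Build one resident attribute (constructed sample data, not read from a disk)."""
    name_bytes = name.encode("utf-16-le")
    content_off = (0x18 + len(name_bytes) + 7) & ~7   # resident header is 0x18 bytes
    length = (content_off + len(content) + 7) & ~7    # attributes are 8-byte aligned
    header = struct.pack("<IIBBHHHIHBB", attr_type, length, 0, len(name),
                         0x18, 0, 0, len(content), content_off, 0, 0)
    body = (header + name_bytes).ljust(content_off, b"\0") + content
    return body.ljust(length, b"\0")

def build_record(attrs):
    """Minimal FILE record: signature plus the first-attribute offset at 0x14."""
    header = bytearray(0x38)
    header[0:4] = b"FILE"
    struct.pack_into("<H", header, 0x14, 0x38)
    return bytes(header) + b"".join(attrs) + struct.pack("<I", END_MARKER)

def list_streams(record):
    """Return (stream_name, size) for every $DATA attribute in one FILE record."""
    if record[0:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]
    streams = []
    while off + 0x18 <= len(record):
        attr_type, length, nonres, name_len, name_off = struct.unpack_from("<IIBBH", record, off)
        if attr_type == END_MARKER or length < 0x18:
            break
        if attr_type == DATA_ATTR:
            raw = record[off + name_off: off + name_off + 2 * name_len]
            # Size field: real size at 0x30 if non-resident, content length at 0x10 if resident.
            size = struct.unpack_from("<Q" if nonres else "<I", record, off + (0x30 if nonres else 0x10))[0]
            streams.append((raw.decode("utf-16-le"), size))
        off += length
    return streams

def alternate_streams(record):
    """Named $DATA attributes are alternate streams; the unnamed one is the main data."""
    return [s for s in list_streams(record) if s[0]]

# Constructed record: one non-$DATA attribute, the main stream, one alternate stream.
SAMPLE = build_record([
    resident_attr(0x10, "", bytes(48)),
    resident_attr(DATA_ATTR, "", b"report body"),
    resident_attr(DATA_ATTR, "notes", b"second stream"),
])
```

A file whose record yields more than the single unnamed entry from `list_streams` has at least one alternate stream, which is the condition an ADS scan looks for.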
keydet89 Said:
August 1, 2006 at 12:43 pm
Quick question, guys…your Properties tag (first image) shows a file with a .doc extension. Is this an MSWord document? If so, the properties aren’t maintained in an ADS, but within the OLE document itself.
Harlan