Notes - MCS
Computer Systems Forensic Analysis

ADS

ADS (Alternate Data Streams)

Alternate Data Streams (ADS) are a file attribute found only on NTFS (New Technology File System).

In NTFS, a file is built up from several attributes, one of which is $DATA, also known as the data attribute.

The regular data stream of a text file simply contains the text inside that file. But that is only the primary data stream. It is sometimes referred to as the unnamed data stream, since the name string of this attribute is empty (""). Any data stream that has a name is therefore considered alternate.

These data streams suffer from a bad reputation because they have been used and abused to write hidden data, varying from data about where a file came from to complete malware files (e.g. Backdoor.Rustock.A).

ADS are stored inside the NTFS MFT (Master File Table), next to the file's other attributes, such as creation time and date.

Use FTK Imager to identify ADS info.
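
The following added example, which is not part of the original notes, walks the attribute list of a single MFT FILE record and reports each $DATA attribute, so the unnamed primary stream and any named (alternate) streams can be told apart. It assumes a 1024-byte record whose update-sequence fixups have already been applied and does not follow $ATTRIBUTE_LIST extension records; the function names and the `SAMPLE` record are constructed for illustration.

```python
import struct

DATA, END = 0x80, 0xFFFFFFFF  # $DATA attribute type; end-of-attributes marker

def list_data_streams(record):
    """Return (name, resident, size) for every $DATA attribute in one MFT record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]      # offset of first attribute
    streams = []
    while off + 8 <= len(record):
        atype, length = struct.unpack_from("<II", record, off)
        if atype == END:
            break
        if length < 0x18 or off + length > len(record):
            raise ValueError("corrupt attribute header at offset %#x" % off)
        nonres, name_len, name_off = struct.unpack_from("<BBH", record, off + 8)
        if atype == DATA:
            start = off + name_off
            name = record[start:start + 2 * name_len].decode("utf-16-le")
            field = ("<Q", 0x30) if nonres else ("<I", 0x10)  # real size / content length
            size = struct.unpack_from(field[0], record, off + field[1])[0]
            streams.append((name, not nonres, size))
        off += length
    return streams

def alternate_streams(record):
    """Named $DATA attributes only; the unnamed one is the primary stream."""
    return [s for s in list_data_streams(record) if s[0]]

# --- Constructed sample record (built here, not taken from a real volume) ---
def build_attr(atype, name, content):
    raw = name.encode("utf-16-le")
    c_off = (0x18 + len(raw) + 7) & ~7                   # 8-byte aligned content
    total = (c_off + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", atype, total, 0, len(name), 0x18, 0, 0,
                      len(content), c_off, 0, 0)
    return ((hdr + raw).ljust(c_off, b"\0") + content).ljust(total, b"\0")

def build_record(attrs):
    body = b"".join(attrs) + struct.pack("<I", END)
    hdr = struct.pack("<4sHHQHHHHII", b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(body), 1024)
    return (hdr.ljust(0x38, b"\0") + body).ljust(1024, b"\0")

SAMPLE = build_record([
    build_attr(0x10, "", b"\0" * 48),                    # $STANDARD_INFORMATION stub
    build_attr(DATA, "", b"hello world"),                # primary, unnamed stream
    build_attr(DATA, "Zone.Identifier", b"[ZoneTransfer]\r\nZoneId=3\r\n"),
])
```

`Zone.Identifier` is the stream Windows uses to record where a downloaded file came from; any other named stream returned by `alternate_streams` deserves a closer look during examination.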
