Dealing with Alternate Data Streams

You are, by now, familiar with the $DATA attribute. It is used to contain either the resident data of the file or to contain the runlist information pointing to the clusters containing the nonresident data. That sounds simple enough, except for the fact that you can have more than one $DATA attribute. When more than one of these are present, they are referred to as alternate data streams (ADSs). When data is inserted into an ADS, it is not visible to the user, even if the user has administrator rights, making an ADS an ideal place for an intruder to hide data and make use of it. As an intrusion investigator, you must be aware of this capability when dealing with a Windows system using NTFS.

Because an ADS depends ...

Get Mastering Windows Network Forensics and Investigation, 2nd Edition now with the O’Reilly learning platform.

O’Reilly members experience live online training, plus books, videos, and digital content from nearly 200 publishers.