
Mastering Windows Network Forensics and Investigation, 2nd Edition by Scott Pearson, Ryan Johnson, Steve Bunting, Steven Anson


Dealing with Alternate Data Streams

You are, by now, familiar with the $DATA attribute. It holds either the resident data of the file or the runlist information that points to the clusters holding the nonresident data. That sounds simple enough, except that a file can have more than one $DATA attribute. When more than one is present, the additional ones are referred to as alternate data streams (ADSs). Data inserted into an ADS is not visible to the user, even one with administrator rights, which makes an ADS an ideal place for an intruder to hide data and make use of it. As an intrusion investigator, you must be aware of this capability when dealing with a Windows system using NTFS.
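As an added illustration (not code from the book), the PowerShell script below walks a directory tree, lists every named $DATA attribute, that is every ADS, with its size and SHA-256, and flags anything other than the browser's Zone.Identifier stream for review. It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; the default root path is a placeholder.

```powershell
# Added example, not from the book: enumerate alternate data streams (named $DATA
# attributes) below a directory and hash each one for triage.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; the default
# root path is a placeholder assumption.
param([string]$Root = 'C:\Users\Public')

function Get-StreamBytes([string]$Path, [string]$Stream) {
    # Byte access to a stream differs between Windows PowerShell and PowerShell 7
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -Raw
    } else {
        Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -Raw
    }
}

function Get-AlternateDataStreams([string]$Path) {
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    # -Force includes hidden/system entries; directories can carry named streams too
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $item = $_
        # -Stream * lists every $DATA attribute; ':$DATA' is the ordinary unnamed one
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' } |
          ForEach-Object {
            $bytes = [byte[]](Get-StreamBytes $item.FullName $_.Stream)
            if ($null -eq $bytes) { $bytes = [byte[]]@() }   # empty stream
            $hash = [System.BitConverter]::ToString($sha256.ComputeHash($bytes)).Replace('-', '')
            # Zone.Identifier is the mark-of-the-web browsers add to downloads;
            # any other named stream deserves a closer look
            $note = if ($_.Stream -eq 'Zone.Identifier') { 'mark-of-the-web' } else { 'REVIEW' }
            [pscustomobject]@{
                Path   = $item.FullName
                Stream = $_.Stream
                Bytes  = $_.Length
                SHA256 = $hash
                Note   = $note
            }
          }
      }
}

Get-AlternateDataStreams -Path $Root | Sort-Object Note, Path | Format-Table -AutoSize
```

Run it against a mounted image or a live system; streams marked REVIEW are the ones an intruder could be using to stash tools or data outside normal directory listings.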

Because an ADS depends ...
