NTFS Alternate Data Streams

The NTFS file system is the recommended file system for use with Windows servers. The file system has a number of advantages over the FAT file system, such as support for greater partition sizes, enhanced fault tolerance, and the ability to set permissions and auditing on directories and files. Since the beginning, the NTFS file system has included support for Apple's Hierarchical File System, or HFS. Files on HFS consist of two forks, a resource fork and a data fork. What this means is that on the NTFS file system, a file entry within the Master File Table (MFT) can have additional attributes, specifically additional streams associated with the primary stream.

To better understand what an alternate data stream (ADS) ...

Get Windows Forensics and Incident Recovery now with O’Reilly online learning.

O’Reilly members experience live online training, plus books, videos, and digital content from 200+ publishers.