
ADS Examiner: Tool for NTFS Alternate Data Streams Forensics Analysis


Authors : Sameer H. Mahant, B.B.Meshram
Publication Date: 01-07-2012


Published in:   International Journal of Engineering Research & Technology

License:  This work is licensed under a Creative Commons Attribution 4.0 International License.

Website: www.ijert.org

Volume/Issue:   Vol.1 - Issue 4 (June- 2012)

e-ISSN:   2278-0181

Abstract

The NTFS file system is the most commonly used file system for Microsoft's operating systems. Its Alternate Data Streams (ADS) feature allows a user to hide data in the file system, so a forensic investigator cannot neglect it during an investigation. An ADS attached to a deleted file is easily overlooked, since the feature is less well known among forensic examiners. In this paper we discuss the various methods of hiding user data in ADS, show the locations where a user can create an ADS and where a forensic examiner should look for such hidden evidence, and present how data hidden in ADS can be modified, deleted and retrieved, together with the impact of different versions of the operating system on them. Finally, we present a tool we have implemented to help investigators find data hidden in ADS and compare its features with other tools available on the market.
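The abstract describes hiding data in an ADS, the places an examiner should look (files and directories alike), and retrieving, modifying and deleting a hidden stream. The following PowerShell script is an added illustration of those steps; it is not the paper's ADS Examiner tool and is not taken from the paper. It assumes Windows PowerShell 3.0 or later (which introduced the -Stream parameter) running on an NTFS volume; the scratch file and directory it creates are constructed sample input, and the function name Find-AlternateDataStream is an arbitrary choice.

```powershell
# Added example, not the paper's tool. Assumes PowerShell 3.0+ on an NTFS volume.

function Find-AlternateDataStream {
    # Walk a directory tree and report every stream that is not the ordinary
    # file content (':$DATA'). Directories are included because they can carry
    # alternate streams too and are a commonly overlooked location.
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [switch]$IncludeZoneIdentifier   # Zone.Identifier is the usual benign mark-of-the-web stream
    )

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Host        = $item.FullName
                        IsDirectory = $item.PSIsContainer
                        Stream      = $_.Stream
                        Length      = $_.Length
                    }
                }
        }
}

# --- Constructed sample: create hidden streams so the scan has something to find ---
$work = Join-Path $env:TEMP 'ads_demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. Hide data in a stream attached to an ordinary file.
$file = Join-Path $work 'report.txt'
Set-Content -LiteralPath $file -Value 'visible content'
Set-Content -LiteralPath $file -Stream 'hidden.txt' -Value 'secret payload'

# 2. Hide data in a stream attached to a directory (the classic cmd.exe redirection
#    form works on directories as well as files).
$dir = Join-Path $work 'subdir'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
cmd /c "echo hidden on a directory > `"$dir`:note.txt`""

# --- Where to look: scan the tree and list everything that is not ':$DATA' ---
Find-AlternateDataStream -Path $work | Format-Table -AutoSize
# (dir /r from cmd.exe, available since Windows Vista, shows the same streams.)

# --- Retrieve, modify and delete the hidden data ---
Get-Content -LiteralPath $file -Stream 'hidden.txt'                         # retrieve
Add-Content -LiteralPath $file -Stream 'hidden.txt' -Value 'appended line'  # modify
Remove-Item -LiteralPath $file -Stream 'hidden.txt'                         # delete only the stream
Get-Content -LiteralPath $file                                              # main content untouched

# The file's visible size never reflects the stream: compare with the scan above.
(Get-Item -LiteralPath $file).Length
```

Run it from an elevated or ordinary prompt on an NTFS drive; the scan prints the stream attached to report.txt and the one attached to subdir, while Explorer and Get-Item show only the file's primary size. Copying the directory to a FAT or exFAT volume silently drops the streams, which is the cross-version and cross-file-system caveat an examiner needs when imaging.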
