ADS Examiner: Tool for NTFS Alternate Data Streams Forensics Analysis

Authors : Sameer H. Mahant, B.B.Meshram
Publication Date: 01-07-2012



Published in:   International Journal of Engineering Research & Technology

License:  This work is licensed under a Creative Commons Attribution 4.0 International License.

Website: www.ijert.org

Volume/Issue:   Vol.1 - Issue 4 (June- 2012)

e-ISSN:   2278-0181


The NTFS file system is the most commonly used file system for Microsoft's operating systems. Its Alternate Data Streams (ADS) feature allows a user to hide data in the file system, so a forensic investigator cannot neglect it during an investigation. ADS present in a deleted file may be overlooked, as it is less well known among forensic experts. In this paper we discuss the various methods of hiding user data in ADS, show the locations where a user can create ADS, and indicate where a forensic examiner should look for such hidden evidence. We also present how data hidden in ADS can be modified, deleted and retrieved, and the impact of different operating system versions on them. Finally, we present a tool that we have implemented for investigators to find data hidden in ADS and compare its features with other tools available on the market.



Number of Downloads:     1533
