Author(s): Sameer H. Mahant, B.B.Meshram
Published in: International Journal of Engineering Research & Technology
License: This work is licensed under a Creative Commons Attribution 4.0 International License.
Volume/Issue: Vol. 1 - Issue 4 (June 2012)
The NTFS file system is the most commonly used file system for Microsoft's operating systems. Its Alternate Data Streams (ADS) feature allows a user to hide data in the file system, so a forensic investigator cannot neglect it during an investigation. ADS present in a deleted file may be overlooked, as the feature is less well known among forensic experts. In this paper we discuss the various methods of hiding a user's data in ADS, and show the locations where a user can create ADS and where a forensic examiner should look for such hidden evidence. We also present how data hidden in ADS can be modified, deleted and retrieved, and the impact of different operating system versions on it. Finally, we present a tool that we have implemented for investigators to find data hidden in ADS, and compare its features with other tools available on the market.