Forums
Main Category
General (Technical,...
Alternate Data Stre...
 
Notifications
Clear all

Alternate Data Streams

 
General (Technical, Procedural, Software, Hardware etc.)
Last Post by Anonymous 13 years ago
3 Posts
3 Users
0 Reactions
832 Views
RSS
 shakes
(@shakes)
New Member
Joined: 13 years ago
Posts: 2
Topic starter 03/08/2013 9:01 pm   [#10860]

Is there an offset in any of the attribute headers, attributes, or MFT header that tells you if a file as an ADS?



   
Quote
jaclaz
 jaclaz
(@jaclaz)
Illustrious Member
Joined: 19 years ago
Posts: 5133
03/08/2013 9:10 pm  

Check this
http//www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=8010
http//code.google.com/p/mft2csv/
http//code.google.com/p/mft2csv/wiki/mft2csv
http//code.google.com/p/mft2csv/wiki/ExtractAllAttributes

jaclaz



   
ReplyQuote
 Anonymous 6593
(@Anonymous 6593)
Joined: 18 years ago
Posts: 1158
03/08/2013 9:55 pm  

Is there an offset in any of the attribute headers, attributes, or MFT header that tells you if a file as an ADS?

You want the $DATA attribute(s) in the $MFT record. The nameless $DATA is the 'standard file contents' (there can be only one of these), while any named $DATA streams are what usually are refered to as ADSs .

You probably also want Brian Carrier's book 'File System Forensic Analysis'.



   
ReplyQuote
Forum Jump:
  Previous Topic
Next Topic  
Share: