Here are some examples:
"Zone.Identifier" is a stream that Internet Explorer adds to files that are downloaded from the Web. The contents are simple: "[ZoneTransfer]<cr><lf>ZoneId=3<cr><lf>". I haven't seen any other ZoneIds used yet.
"AFP_AfpInfo" is a stream related to files copied from a Macintosh system. The contents are binary and start with "AFP". The Mac application codes are at offset 0x10 and 0x14. They could be used to help identify a file if you trust them.
"OECustomProperty" is a stream added by Outlook Express to store custom properties associated with the file.
"encryptable" is a stream that I have seen added to a few files, but it is always empty, and I don't know yet what is adding it.
"favicon" is an icon attached as a stream on .URL files to hold the icon that the web site uses. This is another stream added by Internet Explorer when you create a shortcut to a web site.
"|Q30lsldxJoudresxAaaqpcawXc" is a stream I've found on some image files. It is a text file encoded as UTF-16BE, and appears to be a thumbnail image of the host file. I think MS Paint may be adding these.
Does anyone have some more examples? I haven't spent much time looking into this yet.
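Added example, not part of the original posts: a small Python triage routine for two of the streams described above, parsing the Zone.Identifier text and pulling the two 4-byte codes from an AFP_AfpInfo stream at offsets 0x10 and 0x14. The function names, the zone-name table (the standard Windows URL security zones) and the sample bytes are assumptions constructed for illustration.

```python
import struct

# Standard Windows URL security zone numbers (not listed in the post).
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}


def parse_zone_identifier(data: bytes) -> dict:
    """Parse the INI-style text of a Zone.Identifier stream."""
    text = data.decode("utf-8-sig", errors="replace")
    section, fields = None, {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and section == "ZoneTransfer":
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if "ZoneId" not in fields or not fields["ZoneId"].isdecimal():
        raise ValueError("no numeric ZoneId in [ZoneTransfer] section")
    zone = int(fields["ZoneId"])
    return {"zone_id": zone, "zone": ZONES.get(zone, "unknown"), "fields": fields}


def parse_afp_info(data: bytes) -> dict:
    """Pull the two 4-byte codes the post places at 0x10 and 0x14."""
    if not data.startswith(b"AFP") or len(data) < 0x18:
        raise ValueError("not an AFP_AfpInfo stream or too short")
    code_a, code_b = struct.unpack_from("4s4s", data, 0x10)
    return {"code_0x10": code_a.decode("mac_roman"),
            "code_0x14": code_b.decode("mac_roman")}


def triage_stream(name: str, data: bytes) -> dict:
    """Dispatch on stream name; unknown or malformed streams are flagged."""
    parsers = {"Zone.Identifier": parse_zone_identifier,
               "AFP_AfpInfo": parse_afp_info}
    try:
        if name in parsers:
            return {"stream": name, "known": True, **parsers[name](data)}
    except ValueError as exc:
        return {"stream": name, "known": True, "error": str(exc)}
    return {"stream": name, "known": False, "size": len(data)}


# Constructed sample inputs (not taken from a real file).
SAMPLE_ZONE = b"[ZoneTransfer]\r\nZoneId=3\r\n"
SAMPLE_AFP = b"AFP\x00" + b"\x00" * 12 + b"TEXTttxt" + b"\x00" * 36
```

Streams the routine does not recognise come back with "known": False and their size, so they can be set aside for manual review.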
Rob,
Thanks. Most of the examples you gave are ADSs added by various applications, rather than the operating system itself.
Your last example is an ADS added to images by the Indexing Service. Many of the other ADSs you mention that are added by applications are covered on pp. 314-320 of WFA 2/e.
Do you have any specific examples of ADSs added by the operating system itself, and not by applications?
Again, thanks for what you've provided so far.
This may come in useful:
ADS is a utility to help you find, inspect and (optionally) remove Alternate Data Streams from your NTFS disks.
http//
(among many others)
Besides LADS and Streams, this can be nice
http//
An article right here
http://www.forensicfocus.com/dissecting-ntfs-hidden-streams
And this is a good reference paper.
http//
I guess that those thumbnails come from this
http//
jaclaz
keydet89,
By saying "added by the operating system", I meant applications that are bundled with each Microsoft OS. While the "encryptable" stream looks like it is directly from the OS (not applications), the rest of my list results from bundled applications and is also non-malicious.
What is "WFA 2/e"? I have a "Windows Forensics" book, but not that one.
I do not have any more examples of ADSs today.
jaclaz,
Those were some good links, thank you.
Rob
What is "WFA 2/e"?
Windows Forensic Analysis, second edition
http//
Great links Bozidar.
Thanks