Cyber Forensics: Analyzing Data Streams in NTFS
The course will help students to learn about the basics of Microsoft Windows File System (NTFS), the Master File Table (MFT) and how data is stored in data streams, both primary and alternate. Students will also get to differentiate between resident and non-resident data and learn how to hide data in the ADS. It would also enable students to analyze the data inside and outside of the MFT and to locate the specific cluster/sector on the hard disk where this data is actually stored. Moreover the students will be able to:
- Understand the basics of Alternate Data Streams (ADS), their usage and history
- Adding resident (less than 512 bytes) and non-resident (more than 512 bytes) data in both alternate and primary data streams
- Analyzing the resident data in any stream by locating it inside the MFT using a common Hex Editor
- Analyzing the non-resident data in any stream by locating its actual cluster and sector address on the disk
- Verifying the presence of non-resident data in any data stream with the help of another Hex Editor
- Practically experiment common Forensics tools and Hex Editors for analyzing data in the MFT and otherwise.
This course will turn out to be very useful for the students who want to understand the basics of computer forensics and file systems as it provides insight to analyzing data stored in the data streams.
Alternate Data Streams (ADS)
Primary Data Streams in NTFS
-
2
Adding Data to the Alternate Data StreamsStudents will learn how to add both resident (less than 512 bytes) data and non-resident (greater than 512 bytes) data in the Alternate data streams using the simple Echo command in command prompt.
-
3
Basics of Alternate Data Streams
Students will learn about the basics, usage and history of Alternate Data Streams
-
4
Analyzing Resident and Non-Resident Data in ADS
In this lecture students will learn how to analyze the resident and non-resident data in the ADS with the help of WinHex (a common hex editor). Moreover, they will also get to find and analyze the long and short filenames of the file under examination. They will be able to locate the Logical Cluster Number which stores the non-resident data whereas they can locate resident data within the MFT
-
5
Verifying Non-Resident ADS Data using HxD
In this lecture the students will verify the presence of the non-resident data outside the MFT and inside the cluster whose address has been provided in the previous lecture from within the MFT. Students will use HxD which is another open-source Hex Editor for this purpose.
-
6
Creating and Analyzing ADS Data
Be the first to add a review.
