SANS Digital Forensics and Incident Response Blog: Author - qshamblin

Alternate Data Streams Overview

I'm sure it comes as no great shock that I am a member of a number of listserves on digital forensics. One question that seems to come up every few weeks is NTFS Alternate Data Streams. There have been many excellent articles on ADS, so I don't propose to go heavily into the details here. I will just include an overview and some of the better references. This is a basic overview. If you want more details, check out the links for some really good write-ups.

What are Alternate Data Streams?

Alternate Data Streams (ADS) have been around since the introduction of windows NTFS. They were designed to provide compatibility with the old Hierarchical File System (HFS) from Mac which uses something called resource forks. [http://www.securityfocus.com/infocus/1822


Three hard drive imaging tools

Capturing an image of a hard drive for purpose of further review and investigation is a common digital forensics activity. Here is a quick review of three of my favorites tools.

Hardcopy II


Hardcopy II

The VOOM Hardcopy II is a great general purpose hard drive imaging tool and is my go-to solution. It is fast, simple to use and can either image or clone if you prefer. The imaging rate of these is limited only by transfer rate of the suspect and evidence drives. I routinely see 2-3+ GB/minute imaging rates with newer drives. Expect to pay

...