
Introduction to the Course on Data Streams in NTFS
Students will learn how to write both resident data (small enough to stay inside the file's MFT record; the course uses 512 bytes as its working threshold, though the real cutoff is whatever fits in the 1 KB record next to the file's other attributes, in practice a few hundred bytes more) and non-resident data (too large for the record, so stored in clusters outside the MFT) into Alternate Data Streams using nothing more than the echo command at the command prompt.
Students will learn the basics, usage and history of Alternate Data Streams (ADS), the named $DATA attributes NTFS attaches to a file alongside its unnamed primary stream.
In this lecture students will learn how to analyze the resident and non-resident data held in an ADS with the help of WinHex (a common hex editor). They will also find and analyze the long and short file names of the file under examination, which NTFS stores in the record's $FILE_NAME attributes (a Win32 long name and, where one exists, a DOS 8.3 short name). They will be able to read resident data directly out of the MFT record, and for non-resident data decode the attribute's data runs to obtain the Logical Cluster Number (LCN) of the cluster that actually holds it.
In this lecture students will verify that the non-resident data really does live outside the MFT, inside the cluster whose address was read out of the MFT record in the previous lecture. Students will use HxD, another free hex editor, for this purpose. One caveat to keep in mind: the LCN is relative to the start of the volume, so to jump to it on the physical disk it must be converted to a sector (LCN times sectors per cluster) and offset by the partition's starting sector.
In this lecture students will first add non-resident data to the primary (unnamed) data stream and both resident and non-resident data to an ADS. They will then use WinHex to analyze the new file: its file names, and every kind of data it carries. They will be able to locate the cluster that stores the primary stream's data outside the MFT.
In this lecture students will use HxD to verify the presence of the non-resident data at the cluster and sector number worked out in the previous lecture.
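The analysis the lectures above do by hand in WinHex and HxD can be expressed as a small parser. The Python below is an added example and is not part of the course or of either hex editor: given a 1024-byte MFT FILE record it undoes the update-sequence fixups, lists the long and short file names from the $FILE_NAME attributes, and for every $DATA attribute reports whether the stream is resident (content inside the record) or non-resident (content at the Logical Cluster Number decoded from its data runs). The record it parses is constructed in build_sample_record() and is hypothetical, as are the file name, the stream names and the cluster addresses; 8 sectors per cluster (a 4 KB cluster on 512-byte sectors) is an assumption.

```python
# Added example (not the course's code): parse an NTFS MFT FILE record and report where each
# $DATA stream's bytes live, inside the record (resident) or at a cluster on disk (non-resident).
import struct

ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x30, 0x80, 0xFFFFFFFF
NAMESPACES = {0: "POSIX", 1: "Win32 (long)", 2: "DOS (short 8.3)", 3: "Win32+DOS"}

def apply_fixups(rec: bytes, sector_size: int = 512) -> bytes:
    """Restore the last 2 bytes of every sector (NTFS overwrites them with the update sequence
    number); skip this and any attribute that straddles byte 510 is silently corrupted."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn, out = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_count):
        end = i * sector_size
        if out[end - 2:end] != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}")
        out[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)

def parse_data_runs(runs: bytes) -> list:
    """[(lcn, clusters), ...]: header nibbles size the length/offset fields, offsets are
    signed deltas from the previous LCN, offset size 0 marks a sparse run (lcn None)."""
    out, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos]:
        len_sz, off_sz = runs[pos] & 0x0F, runs[pos] >> 4
        count = int.from_bytes(runs[pos + 1:pos + 1 + len_sz], "little")
        pos += 1 + len_sz
        if off_sz:
            lcn += int.from_bytes(runs[pos:pos + off_sz], "little", signed=True)
        out.append((lcn if off_sz else None, count))
        pos += off_sz
    return out

def parse_mft_record(raw: bytes, sectors_per_cluster: int = 8) -> dict:
    """'first_sector' is volume-relative; add the partition's start sector for the raw disk."""
    rec = apply_fixups(raw)
    info = {"record_number": struct.unpack_from("<I", rec, 0x2C)[0], "names": [], "streams": []}
    pos = struct.unpack_from("<H", rec, 0x14)[0]                    # offset of first attribute
    while True:
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == ATTR_END or alen == 0:
            break
        nonres, name_len, name_off = struct.unpack_from("<BBH", rec, pos + 8)
        aname = rec[pos + name_off:pos + name_off + 2 * name_len].decode("utf-16-le")
        clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)      # meaningful when resident
        if atype == ATTR_FILE_NAME:                                   # always resident
            body = rec[pos + coff:pos + coff + clen]
            name = body[0x42:0x42 + 2 * body[0x40]].decode("utf-16-le")
            info["names"].append((name, NAMESPACES.get(body[0x41], str(body[0x41]))))
        elif atype == ATTR_DATA:
            stream = {"name": aname or "(unnamed/primary)", "resident": not nonres}
            if nonres:
                runs_off, _, _, _, stream["size"] = struct.unpack_from("<HHIQQ", rec, pos + 0x20)
                stream["runs"] = parse_data_runs(rec[pos + runs_off:pos + alen])
                stream["first_sector"] = stream["runs"][0][0] * sectors_per_cluster
            else:
                stream["size"], stream["data"] = clen, rec[pos + coff:pos + coff + clen]
            info["streams"].append(stream)
        pos += alen
    return info

def _attr(atype, name="", content=b"", runs=None, real_size=0, cluster=4096):
    """Encode one attribute: resident when runs is None, otherwise non-resident."""
    n, hdr_len = name.encode("utf-16-le"), 0x40 if runs is not None else 0x18
    off = hdr_len + len(n) + (-(hdr_len + len(n))) % 8             # payload is 8-byte aligned
    if runs is None:
        body = struct.pack("<IHBB", len(content), off, 0, 0) + n + bytes(off - hdr_len - len(n)) + content
    else:
        alloc = -(-real_size // cluster) * cluster
        body = struct.pack("<QQHHIQQQ", 0, alloc // cluster - 1, off, 0, 0, alloc, real_size, real_size)
        body += n + bytes(off - hdr_len - len(n)) + runs
    total = 16 + len(body) + (-(16 + len(body))) % 8
    hdr = struct.pack("<IIBBHHH", atype, total, int(runs is not None), len(name), hdr_len, 0, 0)
    return hdr + body + bytes(total - 16 - len(body))

def _file_name(name, namespace, parent_ref=5):  # 66 fixed bytes (parent, times, sizes, flags) + name
    return (struct.pack("<Q4Q2QIIBB", parent_ref, *[0] * 6, 0x20, 0, len(name), namespace)
            + name.encode("utf-16-le"))

def build_sample_record() -> bytes:
    """Constructed record #42 (hypothetical, not from a real disk); ADS 'small' straddles byte 510."""
    attrs = b"".join([
        _attr(ATTR_FILE_NAME, content=_file_name("confidential_notes.txt", 1)),
        _attr(ATTR_FILE_NAME, content=_file_name("CONFID~1.TXT", 2)),
        _attr(ATTR_DATA, runs=bytes([0x21, 0x01, 0x34, 0x12, 0x00]), real_size=1500),
        _attr(ATTR_DATA, name="small", content=b"this resident ADS never leaves the MFT record; " * 2),
        _attr(ATTR_DATA, name="big", runs=bytes([0x21, 0x02, 0x00, 0x20, 0x00]), real_size=6000),
        struct.pack("<I", ATTR_END) + bytes(4),
    ])
    rec = bytearray(1024)                                  # FILE header is 48 bytes, USA at 0x30
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 0x30, 3, 0, 1, 1, 0x38, 1,
                     0x38 + len(attrs), 1024, 0, 7, 0, 42)
    rec[0x38:0x38 + len(attrs)] = attrs
    rec[0x30:0x32] = usn = b"\x07\x00"                     # stamp fixups the way the driver does
    for i, end in enumerate((512, 1024), start=1):
        rec[0x30 + 2 * i:0x30 + 2 * i + 2], rec[end - 2:end] = rec[end - 2:end], usn
    return bytes(rec)
```

Call parse_mft_record(build_sample_record()) to see the three streams of the sample, or pass it a 1024-byte record exported from $MFT with a hex editor. Two details matter when checking the result in HxD: first_sector is relative to the start of the volume, so the partition's starting sector must be added before seeking the physical disk; and a parser that skips apply_fixups() reads the update sequence number in place of two real bytes at offset 510, which in the sample record falls inside the resident ADS content.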
The course will help students learn the basics of the Windows NT File System (NTFS), the Master File Table (MFT) and how data is stored in data streams, both primary and alternate. Students will also learn to differentiate between resident and non-resident data and how to hide data in an ADS. It also enables students to analyze the data inside and outside of the MFT and to locate the specific cluster and sector on the hard disk where that data is actually stored. On completing the course students will be able to:
Understand the basics of Alternate Data Streams (ADS), their usage and history
Add resident (under the course's 512-byte working threshold) and non-resident (larger) data to both alternate and primary data streams
Analyze the resident data of any stream by locating it inside the MFT record with a common hex editor
Analyze the non-resident data of any stream by decoding its data runs to the actual cluster and sector address on the disk
Verify the presence of non-resident data in any data stream with the help of a second hex editor
Experiment hands-on with common forensics tools and hex editors for analyzing data in the MFT and elsewhere on the volume
This course is aimed at students who want to understand the basics of computer forensics and file systems, as it provides insight into analyzing data stored in data streams.