Saturday, December 08, 2007

2007-12-08 eDiscovery Question - Do You Know the Way to ADS (Alternate Data Streams)?

Alternate Data Streams (ADS) have been part of NTFS since Windows NT 3.1 (1993); Microsoft added them so that NTFS file servers could store the resource forks of Macintosh HFS files. Every NTFS file or folder has one unnamed data stream, which is the content Windows normally shows, and can carry any number of additional named streams (sometimes called "forks"). Data in a named stream is invisible to Windows Explorer, to text searches, and to most ordinary Windows file utilities, because the size Windows reports for a file covers only the unnamed stream. One could, for example, attach a 5 GB .zip archive as a named stream of a 20 KB text file; Explorer and most applications would then see only a 20 KB text file, not the 5 GB archive. ADS can therefore be used to hide data inside other files or folders.

Interestingly enough, ADS do not survive a move off NTFS. If a file is sent as an email attachment, or copied to a FAT32 volume (such as a thumb or flash drive), a CD-R/RW, or any other non-NTFS medium, the copy keeps only the unnamed stream and the ADS is stripped.

There are numerous detection tools, and some removal tools, available. ADS Spy is an example of a freeware detection and removal tool: http://www.bleepingcomputer.com/files/adsspy.php Good forensics tools such as EnCase, The Sleuth Kit, SMART, and others can detect ADS when the examiner works from a forensic image of the NTFS volume; a file-by-file copy of the evidence onto non-NTFS media would already have lost the streams.

Keep in mind:

1. Search for ADS.
2. ADS may contain discoverable information.
3. ADS may bear obscure, irrelevant-seeming names.
4. ADS may be encrypted.
5. ADS are stripped when a file is converted or copied to non-NTFS media.
6. Ask about the presence of, and/or have the examiner search for, common ADS removal tools.
7. Vista has a native ADS listing command. From a command prompt, type "dir /r".
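The stream mechanics described above and the examiner's checklist, as an added PowerShell example that is not part of the original post. It assumes Windows with PowerShell 3.0 or later (for the -Stream parameters on Get-Item, Set-Content and Remove-Item) and an NTFS volume under %TEMP%; the file name "notes.txt" and the stream name "backup.zip" are made up for the demonstration. It attaches a named stream to an ordinary text file, lists the file's streams the way "dir /r" does, reads the hidden stream back, sweeps a directory tree for files carrying any stream other than the normal :$DATA, and finally removes the stream without touching the visible content.

```powershell
# Added example, not code from the original post. Assumes Windows, PowerShell 3.0+,
# and an NTFS volume under $env:TEMP. File and stream names are illustrative.

$work = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$file = Join-Path $work 'notes.txt'

# 1. An ordinary text file: its content lives in the unnamed (:$DATA) stream.
Set-Content -Path $file -Value 'Just a memo, nothing to see here.'

# 2. Attach an alternate data stream named "backup.zip". Any bytes could go here
#    (a real archive, an image); a short string keeps the demo small.
#    cmd.exe equivalent:  echo hidden > notes.txt:backup.zip
Set-Content -Path $file -Stream 'backup.zip' -Value 'PK.. pretend this is a large archive'

# 3. What Explorer, a plain "dir" and most applications report: the size of the
#    unnamed stream only. The ADS adds nothing to this number.
(Get-Item -Path $file).Length

# 4. Enumerate every stream on the file. ':$DATA' is the normal content; any
#    other entry is an ADS. This is the PowerShell equivalent of Vista's "dir /r".
Get-Item -Path $file -Stream * | Select-Object FileName, Stream, Length

# 5. Read the hidden stream back directly (cmd.exe: more < notes.txt:backup.zip).
Get-Content -Path $file -Stream 'backup.zip'

# 6. Sweep a directory tree for files carrying named streams: the search an
#    examiner would run (or be asked to run). Expect benign hits such as
#    Zone.Identifier, which Windows attaches to downloaded files; anything else
#    deserves a look, and an obscure name is not a reason to skip it.
function Find-AlternateDataStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Select-Object FileName, Stream, Length
        }
}
Find-AlternateDataStreams -Root $work

# 7. Copying to a non-NTFS volume silently drops the ADS. If a FAT32 thumb drive
#    were mounted as E:, the following would show only ':$DATA' on the copy:
#      Copy-Item -Path $file -Destination 'E:\notes.txt'
#      Get-Item -Path 'E:\notes.txt' -Stream *
#    Not run here because no such drive is assumed to exist.

# 8. Remove the stream; the visible memo is untouched.
Remove-Item -Path $file -Stream 'backup.zip'
Get-Item -Path $file -Stream *   # ':$DATA' only
```

Run the sweep against a user profile or a mounted working copy of an NTFS image, not against files that were first copied to FAT32 or burned to disc, since by then the streams are already gone.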
