A Win32-based Technique for Finding and Hashing NTFS Alternate Data Streams
Alden A. Dima
As part of an effort to create new datasets for the computer forensic community, the National Software Reference Library created a simple Windows-specific tool for internal use, similar to md5deep, which is able to recursively walk an NTFS file system and generate cryptographic hashes for each file encountered. Unlike md5deep, our tool is able to find and hash any alternate data streams associated with files and directories. Many computer security and forensics professionals view NTFS alternate data streams as a threat because they allow evidence to be hidden within the file system "behind" ordinary files and directories. At the same time, many common applications and utilities use alternate data streams to hold metadata. We needed the tool to find and hash all of the alternate data streams associated with each file and directory in the file system. This will help us identify alternate data streams that are benign and can be safely ignored by forensic investigators. We also desired a solution that relies only on the standard Win32 API and avoids using the nonstandard native Windows API, which is subject to change with each Windows release. This paper discusses the key implementation issues of this tool and shows that the key difficulty in writing tools to process alternate data streams lies in initially finding the streams, not in their subsequent processing.
alternate data streams, computer forensics, NTFS, Win32, Windows XP
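As an added illustration of the approach described in the abstract (this is not the paper's tool, which was written against the Win32 API in native code), the following PowerShell script walks a directory tree and emits a hash for every data stream of every file and directory, alternate data streams included, so that benign, well-known streams can be separated from unexpected ones. It assumes a Windows host with NTFS volumes; the function name Get-StreamHashes and its parameters are my own.

```powershell
# Added example, not the paper's tool: walk a tree and hash every NTFS data
# stream of every file and directory, alternate data streams included, using
# PowerShell's -Stream support rather than the paper's Win32 C code.
# Assumes Windows with NTFS volumes.
function Get-StreamHashes {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [ValidateSet('MD5', 'SHA1', 'SHA256')] [string] $Algorithm = 'SHA256'
    )
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)

    # -Force includes hidden and system entries. Directories are kept because
    # NTFS directories can carry alternate data streams as well.
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force)

    foreach ($item in $items) {
        # Finding the streams is the hard part: ask for every stream on this
        # entry. A file's unnamed default stream is reported as ':$DATA';
        # anything else is an alternate data stream.
        $streams = @(Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue)

        foreach ($s in $streams) {
            # Read the stream's raw bytes; Windows PowerShell 5.1 and
            # PowerShell 7 spell the byte-mode switch differently.
            if ($PSVersionTable.PSVersion.Major -ge 6) {
                $bytes = Get-Content -LiteralPath $item.FullName -Stream $s.Stream -AsByteStream -Raw
            } else {
                $bytes = Get-Content -LiteralPath $item.FullName -Stream $s.Stream -Encoding Byte -Raw
            }
            # An empty stream yields $null; hash it as zero bytes.
            if ($null -eq $bytes) { $bytes = [byte[]]@() }

            [PSCustomObject]@{
                Path      = $item.FullName
                Stream    = $s.Stream
                IsADS     = ($s.Stream -ne ':$DATA')
                Length    = $s.Length
                Algorithm = $Algorithm
                Hash      = ([System.BitConverter]::ToString($hasher.ComputeHash($bytes))) -replace '-', ''
            }
        }
    }
    $hasher.Dispose()
}

# Usage: list only alternate data streams; known-benign names such as
# Zone.Identifier can then be filtered out, leaving the rest for review.
Get-StreamHashes -Root 'C:\evidence' | Where-Object IsADS | Format-Table -AutoSize
```

The hashes of named streams can be compared against a reference set in the same way md5deep output is compared for ordinary files.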
A Win32-based Technique for Finding and Hashing NTFS Alternate Data Streams, DoD CyberCrime 2007 Conference, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=50914
(Accessed June 6, 2023)