A Win32-based Technique for Finding and Hashing NTFS Alternate Data Streams

Published

Author(s)

Alden A. Dima

Abstract

As part of an effort to create new datasets for the computer forensic community, the National Software Reference Library created a simple Windows-specific tool for internal use, similar to md5deep, which is able to recursively walk an NTFS file system and generate cryptographic hashes for each file encountered. Unlike md5deep, our tool is able to find and hash any alternate data streams associated with files and directories. Many computer security and forensics professionals view NTFS alternate file streams as a threat because they allow evidence to be hidden within the file system "behind" ordinary files and directories. At the same time, many common applications and utilities use alternate data streams to hold metadata. We needed the tool to find and hash all of the alternate data streams associated with each file and directory in the file system. This will help us identify alternate data streams that are benign and can be safely ignored by forensic investigators. We also desired a solution that relies only on the standard Win32 API and avoids using the nonstandard native Windows API that is subject to change with each Windows release. This paper discusses the key implementation issues of this tool and shows that the key issue with writing tools to process alternate data streams lies in initially finding the alternate data streams and not with their subsequent processing.

Conference Title

DoD CyberCrime 2007 Conference

Keywords

alternate data streams, computer forensics, NTFS, Win32, Windows XP

Citation

Dima, A. (2007), A Win32-based Technique for Finding and Hashing NTFS Alternate Data Streams, DoD CyberCrime 2007 Conference, [online], https://tsapps.nist.gov/publication/get_pdf.cfm?pub_id=50914 (Accessed October 3, 2024)

Issues

If you have any questions about this publication or are having problems accessing it, please contact reflib@nist.gov.

Created January 24, 2007, Updated February 17, 2017