Abstract

The Windows NTFS file system supports alternate data streams (ADS), originally added for compatibility with files from the Macintosh file system. ADS can serve as hidden channels for storing and exchanging information on a machine without altering the visible contents or functionality of the host file. Executables stored in an ADS can be launched from the command line, and attackers commonly hide malware in cover media (files or folders) by creating, modifying or overwriting an ADS. Temporal information matters because timestamps change while the computer is in use. The $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) attributes in the Master File Table (MFT) each hold four forensically interesting timestamps, the EMAC times (entry modified, modified, accessed, created). Timestamp dynamics refers to any influence that adds, changes, obscures, contaminates or obliterates timestamps, regardless of intent. Precise knowledge of file metadata in the MFT is therefore essential to assessing the scenario of an offense. Studying file metadata and ADS manipulation helps establish timestamp patterns and correlate activities from timestamp evidence. Experiments were conducted to identify the EMAC timestamps in $SI and $FN, collect observations from the MFT, examine hidden channels, analyze timeline scenarios, and present artifacts and non-artifacts for reconstructing an incident. This study explores the temporal analysis challenges facing the law enforcement community and discusses the use of Forensic Toolkit (FTK) software to cope with the increasing use of the ADS feature in digital forensic investigations. It also establishes timestamp rules for ADS manipulation, improves the efficiency of investigations, and helps investigators reconstruct an incident. These results benefit investigators evaluating an incident in which an attacker has manipulated ADS to conceal the offense.
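The following PowerShell session is an added illustration, not code from the paper or its authors, of the ADS behaviour the abstract describes: a hidden stream is attached to a cover file, a normal directory listing does not reveal it, stream enumeration does, and the cover file's $SI timestamps are captured before and after the write so the reader can observe what the ADS operation changed. The file name, stream name and contents are hypothetical and constructed here; the commands require an NTFS volume.

```powershell
# Added example (not from the paper). Hypothetical cover file on NTFS.
$cover = Join-Path $env:TEMP 'report.txt'
Set-Content -Path $cover -Value 'Quarterly summary'   # visible (unnamed) stream

# $SI timestamps are the only ones the Win32 API exposes; $FN timestamps
# live inside the MFT record and need an MFT parser (e.g. FTK) to read.
$before = Get-Item $cover | Select-Object CreationTime, LastWriteTime, LastAccessTime

# Attach a hidden stream named 'payload' to the cover file
Set-Content -Path $cover -Stream 'payload' -Value 'hidden data'

# A normal listing shows only the cover file; Length is the unnamed stream's size
Get-ChildItem $cover | Select-Object Name, Length

# Enumerating streams reveals the ADS (':$DATA' is the unnamed/main stream)
Get-Item -Path $cover -Stream * | Select-Object Stream, Length

# Capture $SI timestamps again and compare with the pre-ADS values
$after = Get-Item $cover | Select-Object CreationTime, LastWriteTime, LastAccessTime
[PSCustomObject]@{ Before = $before; After = $after } | Format-List

# Read the hidden stream back
Get-Content -Path $cover -Stream 'payload'

# Hunt: list every file under a directory that carries a stream other than ':$DATA'
Get-ChildItem -Path $env:TEMP -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
    } | Select-Object FileName, Stream, Length

# Clean up the hidden stream only; the cover file keeps its original content
Remove-Item -Path $cover -Stream 'payload'
```

When hunting, expect benign streams such as Zone.Identifier on downloaded files; the point of the comparison of `$before` and `$after` is that only the $SI timestamps are visible this way, so which of the $SI and $FN EMAC values an ADS operation actually updates, the question the paper studies, must be confirmed against the MFT itself rather than inferred from the API view.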
