From the course: Operating System Forensics
Data hiding and ADS
- [Instructor] We just tried hiding data in slack space, which was quite straightforward with the help of a tool. There are also many other ways to hide data in a file system. One of them is using alternate data streams, or ADS, on Windows. ADS is an NTFS feature that allows users to store extra data streams in addition to the default file data. The original purpose of ADS was to mirror a similar feature, resource forks, found in the Hierarchical File System, or HFS, on the Macintosh.

NTFS uses a concept called attributes. It sees a file as a collection of attributes, such as its name, security settings, and data. Each attribute has a unique ID called an attribute type code and, optionally, a meaningful name. The master file table, or MFT, is the file table used to store these attributes in NTFS. As I mentioned earlier, the MFT contains attribute data that are both metadata and user data. An attribute that can fit within an MFT record is a resident attribute, while non-resident attributes, such as the data attribute of any file too large to fit in its record, require allocating clusters outside the MFT. NTFS allows multiple data attributes on one file, which is what enables criminals to hide data in their own custom data streams that are not obvious to end users. Today's digital forensics tools are ADS-aware, but as an investigator you need to be knowledgeable about ADS so that you can actively look for criminal use of this feature. The default data stream is unnamed and is used to save the file data.

PowerShell is an enhanced version of the default command line interface, or CLI, on the Windows OS, and it is now part of the default Windows installation. To find PowerShell on Windows 10, start typing PowerShell in the search box like this. We can use PowerShell to display all the data streams associated with a specific file. Let's first go to my Pictures folder by typing cd Pictures. Press Enter. Type dir. I'm going to be using the hacker.jpeg file for my demonstration. Type Get-Item hacker.jpeg -Stream * and press Enter. The output shows that there's only one data stream associated with the file: the unnamed default stream, which PowerShell lists as :$DATA. In addition to simply displaying data streams, we can also add new ones. Let's take a closer look at this in our next lesson. I hope you're excited.
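The following PowerShell script is an added example and is not part of the course material. It goes beyond the single Get-Item command shown above: it builds a throwaway file with a named stream in a temporary folder (the folder name, file name, stream name and contents are all constructed for the demo), lists that file's streams the way the lesson does, then sweeps a whole directory tree for any file carrying a stream other than the default :$DATA and reads the hidden content back. It assumes the temp folder lives on an NTFS volume, since ADS does not exist on FAT or exFAT.

```powershell
# Added example, not from the course: enumerate NTFS alternate data streams with PowerShell.
# Assumes $env:TEMP is on NTFS. Folder, file, stream name and contents are constructed for the demo.

$demoDir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null

$file = Join-Path $demoDir 'hacker.jpeg'
Set-Content -Path $file -Value 'placeholder image bytes'           # unnamed default stream, listed as :$DATA
Set-Content -Path $file -Stream 'secret' -Value 'hidden payload'   # named stream; dir and Explorer do not show it

# Same check as the lesson: list every stream attached to one file.
# With the named stream present, two rows come back: ':$DATA' and 'secret'.
Get-Item -Path $file -Stream * | Select-Object FileName, Stream, Length

# Investigator's sweep: report every file under a path that has a stream other than the default one.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -File -Recurse -Force |
        ForEach-Object {
            # -ErrorAction handles files on non-NTFS volumes or with locked handles
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        Select-Object FileName, Stream, Length
}

$hits = Find-AlternateStreams -Path $demoDir
$hits | Format-Table -AutoSize

# Pull the hidden content out of each named stream for review.
foreach ($h in $hits) {
    "--- $($h.FileName):$($h.Stream) ---"
    Get-Content -LiteralPath $h.FileName -Stream $h.Stream -Raw
}

# Remove the demo artifacts.
Remove-Item -Path $demoDir -Recurse -Force
```

When you run the sweep on a real profile directory, expect a lot of benign hits named Zone.Identifier: Windows writes that stream (the mark of the web) onto files downloaded from the internet, so a practical triage filters it out and focuses on unusual stream names, large stream lengths, or streams on files where none would be expected. The same listing is available from the classic command prompt with dir /r.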