Viewing ADS (Alternate Data Streams)
Posted by Jack H. Ward on 09 July 2019 12:06 PM

ADS: Short for alternate data stream, a function of the Microsoft NTFS file system in which files can be embedded in other files while remaining invisible to the user.

Electronic Evidence Examiner allows you to view a file ADS as separate files. Their names are displayed as main file name: ADS name.

The ADSs of the file are displayed in the Data View pane as separate files under the main file.

The creation time, last access time, last change time and last modification time for ADS files are not displayed.

The allocated length for them is the same as for the main file.

The file size value for them may differ.

When you double-click an ADS file, it is not parsed, but the parsed main file contains $DATA and $FILE_SLACK attributes for each ADS file which is stored in it.

As with any other file, embedded files can be viewed in the Hex, Text and File viewers. Their file slack is displayed in the File Slack viewers.

(0 vote(s))
Not helpful

Comments (0)