Re: [sleuthkit-users] NTFS ADS

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On 05 Jun 2003 02:54 PDT you wrote:

> Hi all,
> are NTFS ADS implemented in the ntfs driver from task? How can I detect
> those NTFS streams in Linux? Thanks!

Yes, all NTFS attributes can be seen with The Sleuth Kit.  An ADS is simply a second $Data attribute for a file or directory and you can view the contents of any file attribute (i.e. the FILE_NAME or STANDARD_INFORMATION attribute).  

An ADS in The Sleuth Kit has the format of 'file_name:ads_name'.  So, if you are using the command line, you can use the following to see just the ADS:

fls -f ntfs -rp img.dd | grep ":"

Autopsy does not have any way to extract just the ADS, but they are shown in the parent directory.  

brian