Alternate data streams in forensic investigations of file systems backups

Derek Bem, Ewa Z. Huebner

    Research output: Chapter in Book / Conference Paper (Conference Paper)

    Abstract

    Backup utilities for the Windows environment are designed to work with the NTFS file format, but they typically provide only partial compatibility with Alternate Data Streams (ADSs). In particular, computer forensics tools are typically capable of discovering ADSs in the file system under investigation, but not necessarily in the backups of such file systems. We examined a number of commonly used backup utilities, and initially classified them into two broad categories: non-ADS aware (ADS lost during backup), and ADS aware. Further, we discovered that within the "ADS aware" category different tools behave differently, provide varying amounts of information about ADSs during the backup/restore process, and often lose data. We propose a new classification of backup software based on the treatment of ADSs during backup and restore operations, and discuss its implications for forensic investigation of file system backups.
    Original language: English
    Title of host publication: Current Computing Developments in E-Commerce, Security, HCI, DB, Collaborative and Cooperative Systems
    Publisher: ATINER
    Number of pages: 11
    ISBN (Print): 9606672077
    Publication status: Published - 2006
    Event: International Conference on Computer Science and Information Systems
    Duration: 1 Jan 2006 → …

    Conference

    Conference: International Conference on Computer Science and Information Systems
    Period: 1/01/06 → …

    Keywords

    • computer forensics
    • Alternate Data Streams
    • NTFS
    • file systems
    • backup
