Event Observation of Date-time Stamps for ADS Reconstruction

Da-Yu Kao, Yuan Chen, En-Cih Chang
Published in: 2019 21st International Conference on Advanced Communication Technology (ICACT), 2019-02-01
DOI: 10.23919/ICACT.2019.8701988 (https://doi.org/10.23919/ICACT.2019.8701988)
Citations: 0

Abstract

Alternate Data Streams (ADS) are a method of information hiding that is only possible on NTFS file systems. Criminals use ADS to hide data because an ADS can hide data of any size and type in an NTFS file system. ADS is invisible to users. However, an ADS operation updates the temporal attributes of the cover medium, which can serve as a trace for ADS evaluation. The cover medium is the file or folder used for the ADS operation (creating, modifying or overwriting). In general file/folder operations, creating (archiving/copying) a file in a folder updates certain timestamp attributes of the folder and of the file itself. The same result occurs when modifying or overwriting a file within the folder. Based on this concept, we took a file within a folder as the cover medium and applied several operations (create, modify and overwrite) to it to observe the timestamp variation on both the folder and the cover medium.