Identifying Temporal Patterns Using ADS in NTFS for Digital Forensics

  • Da-Yu Kao
  • Yuan-Pei Chan
Conference paper
Part of the Advances in Intelligent Systems and Computing book series (AISC, volume 733)


The storage and handling of alternate data stream (ADS) in NTFS have posted significant challenges for law enforcement agencies (LEAs). ADS can hide data as any formats in additional $DATA attributes of digital file. The process of data content will update some metadata attributes of date-time stamp in files. This paper introduces ADS and reviews the literature pertaining to the forensic analysis of its data hiding. It describes some temporal patterns for evaluating if ADS are hidden in digital files or not. The analysis of file metadata assists in accurately correlating activities from date-time stamp evidence. The results demonstrate the effectiveness of temporal patterns for digital forensics across various types of file operations.


Alternate data stream Date-time stamp Digital forensics Temporal patterns NTFS 



This research was partially supported by the Executive Yuan of the Republic of China under the Grants Forward-looking Infrastructure Development Program (Digital Infrastructure-Information Security Project-107) and the Ministry of Science and Technology of the Republic of China under the Grants MOST 106-2221-E-015-002-.


  1. 1.
    Arnes, A.: Digital Forensics, pp. 147–190. Wiley, Hoboken (2017)Google Scholar
  2. 2.
    Carrier, B.: File System Forensic Analysis, pp. 273–396. Pearson Education Inc., London (2005)Google Scholar
  3. 3.
    Casey, E.: Handbook of Digital Forensics and Investigation, pp. 209–300. Elsevier Inc., Amsterdam (2010)Google Scholar
  4. 4.
    Casey, E.: Digital Evidence and Computer Crime: Forensic Science, Computers, and the Internet, 3rd edn., pp. 187–306. Elsevier Inc., Amsterdam (2011)Google Scholar
  5. 5.
    Chow, K.P., Law, F.Y.W., Kwan, M.Y.K., Lai, K.Y.: The rules of time on NTFS file system. In: 2nd International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE), Bell Harbor, WA, USA, 10–12 April 2007Google Scholar
  6. 6.
    Ding, X., Zou, H.: Reliable Time Based Forensics in NTFS, pp. 1–2. School of Software, Shanghai Jiao Tong University (2010)Google Scholar
  7. 7.
    Kao, D.Y.: Cybercrime investigation countermeasure using created-accessed-modified model in cloud computing environments. J. Supercomput. Spec. Issue Emerg. Platf. Technol. 1–20 (2015)Google Scholar
  8. 8.
    Krahl, K.M.: Using Microsoft Word to Hide Data. Thesis, pp. 1–13. Utica College, ProQuest Dissertations Publishing (2017)Google Scholar
  9. 9.
    Mahajan, R.: Design and Development of Improved Stealth Alternate Data Streams. Thesis, pp. 6–42. Thapar University, Patiala, India (2014)Google Scholar

Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  1. 1.Department of Information ManagementCentral Police UniversityTaoyuan CityTaiwan, ROC

Personalised recommendations