AF-1DFB-D2 · Disk
Slack and ADS
Data hidden in NTFS Alternate Data Streams and in file slack, plus a simple file wipe and a decoy file.
Scenario
The suspect used NTFS ADS and file slack to keep data out of sight. Extract the hidden payload, detect the ADS, and prove the wiped file's prior existence from the $MFT. A decoy file with a misleading name is present.
Anti-forensics techniques
- Alternate Data Streams (ADS)
- File slack hiding
- Simple file wipe
Provided artifacts
- NTFS disk image (E01)
Sample questions
- What is the content hidden in the ADS?
- Extract the slack-space payload and give its hash.
- What were the deleted file's original name and size (from the $MFT)?
Soundness trap
Reporting the decoy file as 'the key evidence' is wrong; its content is irrelevant to the case.
Scoring
Data-hiding findings + decoy discrimination (soundness).
Artifact coming soon. The downloadable artifact for this case is generated by our instrumented-VM pipeline and released with the F0 pilot.