What does ADS stand for in Windows forensic terminology?

Prepare for the Computer Hacking Forensic Investigator v11 exam. Study with flashcards and multiple choice questions. Each question includes hints and explanations. Get exam-ready efficiently!

Multiple Choice

What does ADS stand for in Windows forensic terminology?

Explanation:
In Windows forensics, ADS refers to Alternate Data Streams. NTFS lets a file have multiple data streams beyond the main, visible content. The primary stream holds the normal file data, while additional streams can store extra data that isn’t shown in standard file listings. This feature can be used to hide information or metadata inside a file, which is why investigators examine ADS to uncover concealed content.

Detecting and examining these streams is important because you might find hidden payloads, notes, or exfiltrated data attached to legitimate files under a stream name, written in the file:stream syntax. Forensic tools and commands can enumerate and extract these streams so you can see what’s hidden and correlate it with other evidence.

The other options don’t fit Windows forensic terminology for this concept: they don’t describe the hidden data capability NTFS provides. AFS refers to a different file system, white space isn’t the term used for hidden data streams, and slack space relates to unused disk space, not additional data streams attached to a file.
