shakes wrote:
Is there an offset in any of the attribute headers, attributes, or MFT header that tells you if a file has an ADS?
You want the $DATA attribute(s) in the $MFT record. The nameless $DATA is the 'standard file contents' (there can be only one of these), while any named $DATA streams are what usually are referred to as ADSs.
You probably also want Brian Carrier's book 'File System Forensic Analysis'.
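The check described in the reply above, as an added example that is not part of the original posts: walk the attributes of one MFT FILE record and report every $DATA attribute (type 0x80) whose name length is non-zero. The function names and the sample record are constructed for illustration; the sample carries no update sequence array.

```python
import struct

DATA_TYPE = 0x80          # attribute type code for $DATA
END_MARKER = 0xFFFFFFFF   # terminates the attribute list in a record

def data_streams(record: bytes) -> list:
    """Names of every $DATA attribute in one MFT record ('' = unnamed stream)."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    offset = struct.unpack_from("<H", record, 0x14)[0]   # first attribute offset
    names = []
    while offset + 8 <= len(record):
        attr_type, attr_len = struct.unpack_from("<II", record, offset)
        if attr_type == END_MARKER:
            break
        if attr_len < 0x10 or offset + attr_len > len(record):
            raise ValueError("corrupt attribute length")
        if attr_type == DATA_TYPE:
            name_len = record[offset + 0x09]             # UTF-16 code units
            name_off = struct.unpack_from("<H", record, offset + 0x0A)[0]
            raw = record[offset + name_off:offset + name_off + 2 * name_len]
            names.append(raw.decode("utf-16-le"))
        offset += attr_len
    return names

def ads_names(record: bytes) -> list:
    """Named $DATA streams only, i.e. the alternate data streams."""
    return [name for name in data_streams(record) if name]

def build_data_attr(name: str, content: bytes) -> bytes:
    """Constructed resident $DATA attribute, used only to build sample input."""
    raw_name = name.encode("utf-16-le")
    content_off = (0x18 + len(raw_name) + 7) & ~7
    total = (content_off + len(content) + 7) & ~7
    header = struct.pack("<IIBBHHHIHBB", DATA_TYPE, total, 0, len(raw_name) // 2,
                         0x18, 0, 0, len(content), content_off, 0, 0)
    return ((header + raw_name).ljust(content_off, b"\0") + content).ljust(total, b"\0")

def build_record(*attrs: bytes) -> bytes:
    """Constructed 1024-byte FILE record; no fixup array, so none is applied."""
    header = bytearray(0x38)
    header[0:4] = b"FILE"
    struct.pack_into("<H", header, 0x14, 0x38)
    body = bytes(header) + b"".join(attrs) + struct.pack("<II", END_MARKER, 0)
    return body.ljust(1024, b"\0")

SAMPLE = build_record(build_data_attr("", b"hello"),
    build_data_attr("Zone.Identifier", b"[ZoneTransfer]\r\nZoneId=3\r\n"))
```

On records read from a real volume, apply the update sequence fixups before parsing. A file with an $ATTRIBUTE_LIST can hold further $DATA attributes in other MFT records, which this single-record walk does not follow.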