(SEC380) ‐‐‐ Antiforensics - ConnorEast/Tech-Journal GitHub Wiki

FOR-380 Anti-Forensics — Tool Reference & Lab Usage Guide

Champlain College · Computer & Digital Forensics Program

This page documents every tool used across the FOR-380 Anti-Forensics labs, including what each tool does, its use cases, and how it was specifically applied during lab work.


Table of Contents

  1. Forensic Imaging & Analysis
  2. File System & NTFS Tools
  3. Encryption & Volume Tools
  4. Timestomping Tools
  5. Steganography Tools
  6. File Recovery Tools
  7. Cryptography Tools
  8. Windows Native Commands
  9. Detection & Anti-Anti-Forensics Summary

1. Forensic Imaging & Analysis

FTK Imager

Developer: Exterro (formerly AccessData)
Type: Forensic imaging and evidence analysis

FTK Imager is a free forensic imaging tool used to acquire, preview, and analyze digital evidence without altering it. It can create forensic images of drives and volumes, compute hashes, and browse file systems including deleted files, file slack, and alternate data streams.

Use cases:

  • Creating E01 forensic images of VHD volumes
  • Viewing file system contents including encrypted files
  • Analyzing file slack space
  • Inspecting MFT metadata and timestamps
  • Browsing mounted VeraCrypt volumes
  • Computing MD5 and SHA1 hashes for verification

Lab usage:

  • Lab 5.4 (EA & Hidden Volumes): Used to examine encrypted VeraCrypt volumes before and after mounting. Before mounting, FTK reported volumes as unpartitioned space. After mounting via VeraCrypt, the NTFS structure became readable. FTK incorrectly reported both standard and hidden volumes as Encrypted: False at the file level.
  • Lab 5.6 (EFS): Used to take a forensic image of a VHD, verify hash values (MD5: b48a89c606ce5348f739247f00c0bb50), and confirm that EFS-encrypted files could not be read while unencrypted files could.
  • Lab 5.1 (NTFS Techniques): Used to add a logical drive as evidence and inspect file slack space after Slacker hid a message. The pic1.png.FileSlack file was visible in the file list with the hidden message readable in hex view.
  • Lab 5.1 (NTFS Techniques): Used to collect pre- and post-tunnel MFT entries for readme.txt and cdf.jpg, confirming that file tunneling preserved MFT record numbers and timestamps.
  • Important note from lab: FTK Imager must be closed before running Slacker restore operations or you will receive Error 32 (file lock conflict).

AIM (AccessData Imager)

Type: Forensic imaging

A companion imaging tool used alongside FTK Imager for acquiring evidence. Referenced in lab tool lists across multiple labs.

Use cases:

  • Acquiring disk and volume images for forensic analysis

MFT Browser

Type: NTFS Master File Table viewer

MFT Browser allows investigators to extract and inspect the $MFT (Master File Table) from NTFS volumes. It displays all file attributes including $SIA (Standard Information Attribute), $FNA (File Name Attribute), $DATA, and $Logged_Utility_Stream.

Use cases:

  • Viewing MFT record numbers for file tunneling analysis
  • Comparing $SIA and $FNA timestamps to detect timestomping
  • Identifying EFS encryption flags on $DATA attributes
  • Locating $Logged_Utility_Stream ($EFS) metadata
  • Reading resident file content directly from MFT entries

Lab usage:

  • Lab 5.6 (EFS): Used to compare attributes of EncryptMe2.txt vs DontEncryptMe2.txt. Key findings: EncryptMe2.txt had $SIA File Type Flag 0x00004020 (EFS flag set), $DATA attribute flag 0x0040 (encrypted), non-resident $DATA, and a $Logged_Utility_Stream named $EFS containing 720 bytes of encryption metadata.
  • Lab 5.6 (EFS): After encrypting EncryptMe3.txt with cipher, confirmed that the resident plaintext content was no longer visible; the file became non-resident with cluster information replacing readable data.
  • Lab 5.1 (NTFS Techniques): Used to retrieve MFT record numbers for files before and after tunneling operations, confirming record number persistence.
  • Lab 5.4 (EA & Hidden Volumes): Used to investigate the $EA attribute data injected into an image file using EaInject64.

Runtime DiskExplorer for NTFS

Type: Low-level NTFS disk explorer

A tool for directly browsing NTFS structures on disk, including MFT records, SIA and FNA attributes, and raw cluster data. Used to visually confirm timestamp values at the file system level.

Use cases:

  • Browsing MFT records to view $SIA and $FNA timestamps
  • Verifying the effect of timestomping tools on both attribute sets
  • Low-level disk inspection after forensic operations

Lab usage:

  • Lab 5.2 (Timestomp Part 1): Used after running timestomp.exe and SetMACE to verify whether timestamp changes appeared in $SIA only or both $SIA and $FNA. Loaded newly created NTFS volumes and navigated to MFT to inspect blah.txt.
  • Lab 5.3 (Timestomp Part 2): Used to confirm blending results after copying timestamps from DCode.exe to forensics.jpg, and to provide proof of suspicious timestamps (file modified before creation).

X-Ways

Type: Commercial forensic analysis platform

A professional digital forensics tool used for advanced file system analysis, evidence examination, and file carving.

Use cases:

  • Examining formatted and corrupted volumes
  • Recovering deleted files

Lab usage:

  • Lab 5.5 (File System Recovery): Referenced as a recovery tool alongside PhotoRec for recovering files from formatted NTFS volumes.

Bulk Extractor

Type: Automated forensic feature extraction

Scans disk images and files to extract features such as email addresses, URLs, and other artifacts without parsing the file system.

Use cases:

  • Automated artifact extraction from disk images

Lab usage:

  • Lab 5.5 (File System Recovery): Listed as a tool for the recovery and wiping lab.

UsnJrnl2CSV

Type: USN Journal parser

Parses the NTFS $UsnJrnl (Update Sequence Number Journal) and exports entries to CSV. The USN Journal records all file system change events and is a key artifact for detecting timestomping and file activity.

Use cases:

  • Detecting file modifications that conflict with stomped timestamps
  • Recovering a timeline of file system events

Lab usage:

  • Lab 5.3 (Timestomp Part 2): Listed as a detection method. The USN Journal retains original change records that timestomping tools cannot retroactively modify.
  • Lab 5.2 (Timestomp Part 1): Referenced alongside LogFileParser as a method to prove timestamp manipulation.

LogFileParser

Type: NTFS $LogFile parser

Parses the NTFS $LogFile, which records transactional metadata about file system operations. Like the USN Journal, it captures timestamp data that is not modified by timestomping tools.

Use cases:

  • Verifying original timestamps against stomped values
  • Recovering forensic evidence of file system transactions

Lab usage:

  • Lab 5.2 (Timestomp Part 1): Listed as a supporting tool for detecting timestamp manipulation.

LECmd

Type: LNK file parser (by Eric Zimmerman)

Parses Windows shortcut (.lnk) files to extract metadata including Source Created and Target Created timestamps. LNK files are created automatically by Windows when files are opened and serve as an independent timestamp record.

Use cases:

  • Detecting timestomping by comparing LNK timestamps against file timestamps
  • Proving file access history independent of MFT manipulation

Lab usage:

  • Lab 5.2 (Timestomp Part 1): Used to view LNK metadata for antiforensicsisfun.txt. After timestomping the creation timestamp forward by 4 hours and reopening the file, the Target Created timestamp in the LNK updated while Source Created remained unchanged, proving the discrepancy.

EFSDump

Type: EFS metadata inspection tool (SysInternals)

Displays EFS encryption information for files, including which users can decrypt them.

Use cases:

  • Checking EFS encryption status and key owner information on files

Lab usage:

  • Lab 5.6 (EFS): Listed as an additional tool for verifying EFS-encrypted files alongside the cipher command.

2. File System & NTFS Tools

EaInject64.exe

Part of: EATools
Type: NTFS Extended Attribute injector

Injects arbitrary data into the NTFS $EA (Extended Attributes) attribute of a file. The $EA attribute can hold up to 65,535 bytes of data and is not displayed by standard Windows tools, making it a viable data hiding location.

Use cases:

  • Hiding files or text within the $EA attribute of another file
  • Anti-forensic data concealment on NTFS volumes

Lab usage:

  • Lab 5.4 (EA & Hidden Volumes): Used to hide a README.txt file inside an image file using the $EA attribute. A horror-themed image was chosen as the carrier file.

EaQuery64.exe

Part of: EATools
Type: NTFS Extended Attribute query tool

Queries and retrieves data stored in NTFS $EA attributes, allowing investigators to search for hidden data injected by EaInject64.

Use cases:

  • Detecting and extracting data hidden within NTFS $EA attributes

Lab usage:

  • Lab 5.4 (EA & Hidden Volumes): Used after EaInject64 to confirm and retrieve the hidden README.txt data from the $EA attribute of the image file.

Slacker.exe

Type: File slack space data hider

Hides data within the file slack space of files in a specified directory. File slack is the unused space between the end of a file's data and the end of its last allocated cluster. Slacker uses a metadata map file and optional password to store and retrieve hidden content.

Use cases:

  • Hiding secret messages or files in file slack space
  • Obfuscating hidden content using XOR keying (-k flag)
  • Restoring hidden files from slack space

Lab usage:

  • Lab 5.1 (NTFS Techniques): Used to hide msg.txt inside slack space of files in the pics directory, using map.jpg as the metadata map and anypass as the password. The message "I am the Secret Message you are looking for" was successfully recovered. Max hideable data for pic1.png was 3,534 bytes (Physical Size 1,040,384 minus File Size 1,036,850).

Key commands:

Hide (no obfuscation):
  slacker.exe -s Z:\msg.txt z:\pics 1 z:\map.jpg anypass -d -n

Hide (with XOR obfuscation):
  slacker.exe -s D:\msg.txt d:\pics 1 d:\map.jpg anypass -d -k

Restore:
  slacker.exe -r z:\map.jpg anypass -o z:\restoredmsg.txt

Important note: Windows Defender may flag Slacker as malware and had to be disabled before the tool would run. FTK Imager must also be closed before restoring or Error 32 (file lock) will occur.


MFT2CSV

Type: MFT to CSV exporter

Exports MFT records to CSV format for bulk analysis of timestamps, file attributes, and record numbers.

Use cases:

  • Bulk MFT analysis for timestamp anomaly detection

Lab usage:

  • Lab 5.2 (Timestomp Part 1): Listed as a supporting analysis tool.

Cipher (Windows LOLBin)

Type: Windows built-in EFS command-line tool

A native Windows command for encrypting and decrypting files using EFS. Because it is a built-in Windows tool, it is considered a LOLBin (Living Off the Land Binary) that may not trigger security alerts.

Use cases:

  • Encrypting individual files or directories with EFS
  • Decrypting EFS-encrypted files

Key commands:

cipher /e EncryptMe1.txt       (encrypt file only)
cipher /e /s:Secure            (encrypt directory)
cipher /d EncryptMe1.txt       (decrypt)

Lab usage:

  • Lab 5.6 (EFS): Used to encrypt files from the command line as an alternative to the GUI method.

fsutil

Type: Windows built-in file system utility

A native Windows command-line tool for managing file system features including the USN Journal.

Key commands:

fsutil usn queryjournal C:
fsutil usn deletejournal /D C:
fsutil usn createjournal C: m=10000 a=100

Lab usage:

  • Lab 5.2 (Timestomp Part 1): Used to manage the USN Journal before timestomping experiments to establish a clean forensic baseline.

3. Encryption & Volume Tools

VeraCrypt

Type: Open-source disk encryption software

VeraCrypt creates encrypted virtual disk containers that appear as regular files when not mounted. It supports hidden volumes within standard volumes to provide plausible deniability: two different passwords open two different volumes stored in the same container file.

Use cases:

  • Creating password-protected encrypted volumes
  • Creating hidden volumes inside standard encrypted volumes for plausible deniability
  • Concealing the existence of sensitive data

Lab usage:

  • Lab 5.4 Deliverable 2: Created a 100MB encrypted volume with password PassW0rd. Before mounting, FTK reported it as unpartitioned space. After mounting, a readable NTFS volume was visible.
  • Lab 5.4 Deliverable 3: Created a 200MB hidden volume using two passwords. The hidden volume password was LLAMA802. Files were added to both volumes to generate LNK and Prefetch artifacts.

Key forensic findings:

  • VeraCrypt volumes have no identifiable file signatures; randomized data prevents identification by header analysis.
  • Primary detection method: entropy analysis. A VeraCrypt volume shows entropy of approximately 7.9999998 (near maximum).
  • Registry artifacts confirming VeraCrypt use: VeraCrypt.sys driver loaded, VeraCrypt.exe executed, VeraCrypt.lnk shortcut created.
  • A hidden volume can be detected by finding two GUID mount points with different access timestamps on the same container file.

4. Timestomping Tools

Timestomp.exe

Type: $SIA timestamp manipulation tool

Modifies timestamps stored in the NTFS $SIA (Standard Information Attribute) of a file. Windows Explorer and most basic forensic tools display $SIA timestamps, making this a common anti-forensic technique.

Use cases:

  • Backdating or future-dating file timestamps to mislead investigators
  • Viewing current MAC timestamps on a file
  • Copying timestamps between files

Key commands:

timestomp.exe blah.txt -v
  (view current timestamps)

timestomp.exe blah.txt -m "Friday 1/1/2222 1:11:11 AM"
  (set modification time to a future date)

timestomp.exe forensics.jpg -f DCode.exe
  (copy all timestamps from DCode.exe to forensics.jpg)

timestomp.exe antiforensicsisfun.txt -c "Tuesday 10/17/2026 3:11:11 PM"
  (set creation time forward by 4 hours)

Lab usage:

  • Lab 5.2 (Timestomp Part 1): Used to set modification timestamp of blah.txt to year 2222 and to copy timestamps from DCode.exe to forensics.jpg.
  • Detection note: Timestomp only modifies $SIA. The $FNA timestamps remain unchanged, creating a detectable mismatch between the two attribute sets.
  • Note: Windows Defender classifies this tool as malware.

SetMACE (setmace64.exe)

Type: $SIA and $FNA timestamp manipulation tool

Unlike Timestomp, SetMACE can modify timestamps in both the $SIA and $FNA attributes independently or simultaneously. It must be run from a different volume than the target file.

Use cases:

  • Modifying $SIA timestamps only (-si)
  • Modifying $FNA timestamps only (-fn)
  • Modifying both $SIA and $FNA simultaneously (-x)

Key commands:

setmace64.exe E:\file.txt -c "2000:01:01:00:00:00:789:1234" -si
  (change creation time in $SIA only)

setmace64.exe E:\file.txt -c "2000:01:01:00:00:00:789:1234" -fn
  (change creation time in $FNA only)

setmace64.exe E:\file.txt -c "2000:01:01:00:00:00:789:1234" -x
  (change creation time in both $SIA and $FNA)

Lab usage:

  • Lab 5.3 (Timestomp Part 2): Used to test independent changes to $SIA and $FNA. When -si was used, Windows also updated $FNA because it detected the file had changed (timestamps rolled back by approximately 3 minutes).

nTimestomp (nTimestomp_v1.2_x64.exe)

Type: Multi-attribute timestamp manipulation tool

Allows modification of all four MACE timestamp fields (Modified, Accessed, Created, Entry Modified) simultaneously. $FNA can be updated by moving the file after stomping.

Key command:

nTimestomp_v1.2_x64.exe -F "C:\path\test1.txt" -M "2222-10-10 10:10:10.1234567" -A "2222-10-10 10:10:10.1234567" -C "2222-10-10 10:10:10.1234567" -B "2222-10-10 10:10:10.1234567"

Lab usage:

  • Lab 5.3 (Timestomp Part 2): Used to set all timestamps on test1.txt to 2222/10/10 10:10:10. After moving the file, $FNA updated and the $SIA MFT modification time changed to the current date, creating a detectable discrepancy. The provided command in the lab was broken and required lowercase characters and a day-of-month format fix.

NewFileTime

Type: GUI-based timestamp modification tool

A graphical tool for changing file timestamps with three modes: Older (set date in past), Younger (set date in future), and Filename to Time (reads a date pattern embedded in the filename and sets that as the timestamp).

Lab usage:

  • Lab 5.3 (Timestomp Part 2): Confirmed that NewFileTime only modifies $SIA timestamps, not $FNA. All three options (Older, Younger, Filename to Time) were tested. The tool's download page required extra searching to locate.

5. Steganography Tools

SilentEye

Type: GUI steganography tool (image)

A graphical application for hiding and extracting text messages inside image files. Supports optional password protection.

Lab usage:

  • Lab 3.2 (Steganography Tools): Both lab partners used SilentEye to encode and decode messages in images. Messages hidden included "Hello World, My name is carl" and "Hello There". Decoding was performed by dragging the image into SilentEye and selecting Decode.

QuickStego

Type: GUI steganography tool (image)

A simple graphical tool for hiding text inside images. Automatically decodes messages upon loading a steganographic image.

Lab usage:

  • Lab 3.2 (Steganography Tools): Messages hidden included "Hello my Fellow llamas. I like bowties" and "Hello". Extraction was done by opening the image and clicking Get Text. The original installation link was non-functional and an alternate source was required.

Steghide / Steghide UI

Type: Command-line and GUI steganography tool (JPEG/WAV)

Steghide embeds data in JPEG and WAV files. Supports password-protected embedding and extraction. Steghide UI provides a graphical wrapper.

Key commands:

Embed:
  .\steghide.exe embed -ef <secret file> -cf <audio file> -sf <output file>

Extract:
  .\steghide.exe extract -sf <audio file with message> -xf <output file>

Lab usage:

  • Lab 3.2 (Steganography Tools): Steghide UI crashed repeatedly even when run as administrator. CLI Steghide was used successfully, hiding "hi there" in a JPEG.
  • Lab 3.4 (Steganography in Audio): Used via command line to embed text files into WAV audio files and extract them. Note: the tool does not support hiding multiple text files in a single operation.

Stegano (Python library)

Type: Python steganography library

Implements LSB (Least Significant Bit) steganography in images and can hide images inside other images.

Key commands:

pip3 install stegano

stegano-lsb hide -i input.png -m "Secret Message" -e UTF-32LE -o output.png
stegano-lsb reveal -i output.png -e UTF-32LE

stegano-lsb hide -i input.png -f secret_image.jpg -o output2.png
stegano-lsb reveal -i output2.png -o secret_image_output.jpeg

Lab usage:

  • Lab 3.2 (Steganography Tools): Used to hide text and an image inside PNG files. Visual comparison showed no perceptible difference between input and output when using LSB. If stegano-lsb is not found after install, the Scripts directory must be added to the system PATH via Environment Variables.

Snow.exe

Type: Whitespace steganography tool

Hides messages inside text files by appending whitespace characters (tabs and spaces) at line ends. Tabs represent binary 1 and spaces represent binary 0. Hidden data is invisible in standard text editors and web browsers.

Lab usage:

  • Lab 3.4 (Steganography in Audio): Used to create a text file with a hidden whitespace-encoded message for embedding in an audio carrier.
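The whitespace scheme described above (tab = 1, space = 0 at line ends), as an added example that is not the page's or snow.exe's own code: it follows the simplified description only, not snow's real on-disk format, and pairs an encoder/decoder with the detector check a reviewer would actually run (a trailing run that mixes tabs and spaces is the tell). The cover text is constructed.

```python
import re

# Added example following the scheme described above (tab = 1, space = 0,
# appended at line ends). It is NOT snow.exe's real on-disk format, which
# packs bits differently; the goal is to show what the artifact looks like
# in a text file and how it can be detected.
TRAILING_WS = re.compile(r"[ \t]+$")


def hide(cover: str, message: str) -> str:
    """Append one message byte (8 tab/space characters) to each cover line."""
    lines = cover.split("\n")
    payload = message.encode("utf-8")
    if len(payload) > len(lines):
        raise ValueError(f"cover has {len(lines)} lines, message needs {len(payload)}")
    out = []
    for i, line in enumerate(lines):
        if i < len(payload):
            bits = f"{payload[i]:08b}"
            line = line.rstrip(" \t") + "".join("\t" if b == "1" else " " for b in bits)
        out.append(line)
    return "\n".join(out)


def reveal(text: str) -> str:
    """Decode trailing 8-character tab/space runs back into bytes."""
    data = bytearray()
    for line in text.split("\n"):
        m = TRAILING_WS.search(line)
        if m and len(m.group()) == 8:
            data.append(int("".join("1" if c == "\t" else "0" for c in m.group()), 2))
    return data.decode("utf-8", errors="replace")


def scan(text: str) -> dict:
    """Detector: list lines with trailing whitespace and those mixing tabs and spaces.

    Editors rarely leave a run that mixes tabs and spaces at a line end, so
    such lines are the strongest indicator; plain trailing spaces alone are
    common in ordinary files and only a weak signal.
    """
    flagged, mixed = [], []
    for lineno, line in enumerate(text.split("\n"), start=1):
        m = TRAILING_WS.search(line)
        if not m:
            continue
        flagged.append(lineno)
        run = m.group()
        if "\t" in run and " " in run:
            mixed.append(lineno)
    return {
        "lines": text.count("\n") + 1,
        "trailing_ws_lines": flagged,
        "mixed_tab_space_lines": mixed,
        "suspicious": bool(mixed),
    }


if __name__ == "__main__":
    # Constructed cover text; any multi-line file works as the carrier.
    cover = "Meeting notes\nAgenda item one\nAgenda item two\nAction items\n"
    stego = hide(cover, "hi")
    print(scan(stego))
    print("recovered:", reveal(stego))
```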

Spam Mimic

Type: Web-based linguistic steganography tool

Encodes a short message as a lengthy spam-style email. Two variants: standard whitespace/tab encoding and Cyrillic character substitution (more resistant to automated scanning).

Lab usage:

  • Lab 3.2 (Steganography Tools): Used to encode the message "Have you ever listened to Pepper Steak?" as a multi-paragraph spam email and email it to a lab partner for decoding. A second variant used Cyrillic substitution to further disguise the encoded output.

yt-dlp (YouTube DL)

Type: Command-line video/audio downloader

Downloads video and audio from YouTube and other platforms. Used to obtain source audio files for steganographic embedding.

Key command:

.\yt-dlp.exe https://youtu.be/oJOaMkVapcg

Lab usage:

  • Lab 3.4 (Steganography in Audio): Used to download bbcooper - cant let it drop as the carrier audio file before conversion to WAV.

CloudConvert

Type: Online file conversion service

A web-based file converter used to convert MP4 video files to WAV audio format, since Steghide requires WAV for audio steganography.

Lab usage:

  • Lab 3.4 (Steganography in Audio): Used to convert the downloaded MP4 to WAV. Resulting file SHA256: 85fb9956e45b46adc371283529ae81b1cf2345cbe301120f85cdf53937b0467c, MD5: db6cccbf921f2aadd256f9e94c18fb71.

6. File Recovery Tools

PhotoRec

Type: Open-source file carving and recovery tool

Recovers files based on file signatures (magic bytes) rather than file system metadata, allowing recovery even after formatting.

Lab usage:

  • Lab 5.5 (File System Recovery): Used via photorec_win.exe to recover files from formatted NTFS volumes. Successfully recovered 3 files from the evidence volume.

Recoverit / Wondershare Recover

Type: Commercial file recovery tool

A GUI-based application for scanning drives for deleted and wiped files.

Lab usage:

  • Lab 5.5 (File System Recovery): Used to enumerate file names from wiped volumes. Successfully identified deleted folders: RecycleBin, Docs, EXE, Photos, and S-1-5-21-X (user SID folder). The free version required a paid upgrade to view recovered file content.

7. Cryptography Tools

CrypTool 2

Type: Open-source cryptography education and analysis platform

A visual, workflow-based cryptography tool. Users build workspaces by connecting tiles representing encryption, decryption, encoding, and analysis operations.

Use cases:

  • Encrypting and decrypting Caesar cipher text
  • Breaking Caesar ciphers via character frequency analysis (no key required)
  • AES encryption and decryption of plaintext and files
  • AES key brute-forcing via KeySearcher (last N bytes)
  • Monoalphabetic substitution cipher analysis

Lab usage:

  • Lab 4.3 (CrypTool) Deliverable 1: Decrypted Znoy oy jkrobkxghrk 1. Ckrr vrgekj with Caesar key 6, yielding "THIS IS DELIVERABLE 1. WELL PLAYED".
  • Deliverable 2: Used the Caesar Analysis using Character Frequencies template to break a cipher without knowing the key. Found key 7, plaintext: "Wow, you decrypted me that quickly?"
  • Deliverable 3: Built an AES encrypt/decrypt workspace with plaintext input and hexadecimal ciphertext output.
  • Deliverable 4: Used AES Cipher (text input) template in ECB mode, then entered first 13 bytes of the key into KeySearcher to brute-force the remaining 3 bytes.
  • Deliverable 5: Encrypted and decrypted a JPG image file using AES within CrypTool.
  • Deliverable 6: Analyzed a real intercepted cipher from the 2004 Carlie Brucia murder case (Joseph Smith). Used a monoalphabetic substitution analyzer with a reverse string operation to decode a handwritten encrypted message sent from prison, revealing Smith's confession about disposing of evidence.

8. Windows Native Commands Used as Tools

echo / type / more

Standard Windows shell commands used for creating files, file tunneling, hiding data in ADS, and reading file contents.

Key usages:

echo "text" > file.txt
  (create a text file)

del file.txt && echo new content > file.txt
  (file tunneling: delete and recreate in one chained command to inherit the MFT record)

echo secret > file.txt:hidden.txt
  (write data to an Alternate Data Stream)

type source.exe > file.txt:hidden.exe
  (copy a binary file into an ADS)

more < file.txt:hidden.txt
  (read ADS content)


dir /r and dir /a

List directory contents with varying levels of detail.

dir /a    (show all files including hidden)
dir /r    (show ADS streams alongside regular files)

Lab usage: In the ADS lab, dir /a showed no evidence of the hidden stream but dir /r revealed file1.txt:hidden.txt:$DATA, confirming the presence of an Alternate Data Stream.


mklink

Creates symbolic links. Used in the ADS lab to create a symlink pointing to an executable hidden inside an ADS, enabling it to be launched on modern Windows versions.

mklink runme.exe file2.txt:DCode.exe
start runme.exe

Lab usage: Successfully launched DCode.exe hidden inside the ADS of file2.txt. The wmic method for the same purpose failed as wmic was not recognized on the lab system.


notepad

Used to directly open and read Alternate Data Stream content.

notepad file1.txt:hidden.txt

PowerShell Get-FileHash

Used to compute SHA256 and MD5 hashes of files.

Get-FileHash -Algorithm SHA256 .\audio.wav
Get-FileHash -Algorithm MD5 .\audio.wav

Lab usage:

  • Lab 3.4 (Steganography in Audio): Used to hash WAV files before and after steganographic embedding to document file integrity.

9. Detection & Anti-Anti-Forensics Summary

Detecting Timestomping

  1. $SIA vs $FNA mismatch: If Standard Information Attribute and File Name Attribute timestamps differ, tampering is likely. Timestomp and NewFileTime only modify $SIA.
  2. Impossible timestamps: Modification time predating creation time, or dates far in the future (e.g. year 2222), are obvious indicators.
  3. MFT entry number vs timestamp plausibility: MFT entries are assigned sequentially. A very low entry number with a recent timestamp or vice versa is suspicious.
  4. $LogFile and $UsnJrnl: These records contain original timestamps and file change events that timestomping tools cannot retroactively alter.
  5. LNK files (LECmd): Windows auto-generates LNK files when files are opened. Comparing LNK Target Created timestamps against the file's current $SIA Created timestamp reveals discrepancies.
  6. Prefetch files: If timestomp.exe was run locally, a prefetch entry for it will exist on the system.
  7. Registry and event logs: Process execution records and metadata overwrites may be preserved here.
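Heuristics 1 through 4 above applied to a bulk MFT export of the kind MFT2CSV produces, as an added example that is not the page's or any lab tool's own code. The CSV layout and all rows are constructed; the row names echo the lab files (blah.txt with a year-2222 modification time, forensics.jpg with a modified-before-created timestamp) but the values are not the lab's real data.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample in the shape of an MFT2CSV-style export (not real lab data).
# Columns: MFT record number, file name, $SIA created/modified, $FNA created/modified.
SAMPLE_CSV = """record,name,sia_created,sia_modified,fna_created,fna_modified
40,readme.txt,2025-10-02 09:15:00,2025-10-02 09:20:00,2025-10-02 09:15:00,2025-10-02 09:15:00
41,blah.txt,2025-10-03 11:00:00,2222-01-01 01:11:11,2025-10-03 11:00:00,2025-10-03 11:00:00
42,forensics.jpg,2025-11-20 08:00:00,2025-09-01 12:00:00,2025-10-03 11:05:00,2025-10-03 11:05:00
43,old.doc,2015-05-05 10:00:00,2015-05-05 10:00:00,2025-10-03 11:10:00,2025-10-03 11:10:00
44,notes.txt,2025-10-04 14:30:00,2025-10-04 14:31:00,2025-10-04 14:30:00,2025-10-04 14:30:00
"""

TS_FORMAT = "%Y-%m-%d %H:%M:%S"
TS_FIELDS = ("sia_created", "sia_modified", "fna_created", "fna_modified")


def parse_rows(text: str) -> list:
    """Parse the CSV into dicts with int record numbers and datetime timestamps."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        parsed = {"record": int(row["record"]), "name": row["name"]}
        for field in TS_FIELDS:
            parsed[field] = datetime.strptime(row[field], TS_FORMAT)
        rows.append(parsed)
    return rows


def analyze(rows: list, now: datetime, gap_days: int = 365) -> dict:
    """Apply the timestomping heuristics from the summary above to each record.

    Returns {file name: [finding, ...]}; an empty list means nothing was flagged.
    Every finding is a lead to corroborate against $UsnJrnl/$LogFile, not proof:
    copies and moves also produce $SIA/$FNA differences.
    """
    findings = {}
    prev_anchor = None  # $FNA created of the previous record number
    for row in sorted(rows, key=lambda r: r["record"]):
        flags = []
        # 1. $SIA vs $FNA: $FNA is written at creation/rename and left alone by
        #    Timestomp and NewFileTime, so a $SIA creation time that differs, or
        #    any $SIA time EARLIER than its $FNA counterpart, is suspicious.
        #    ($SIA modified later than $FNA modified is just normal editing.)
        if (row["sia_created"] != row["fna_created"]
                or row["sia_modified"] < row["fna_modified"]):
            flags.append("sia_fna_mismatch")
        # 2. Impossible ordering: modified before created.
        if row["sia_modified"] < row["sia_created"]:
            flags.append("modified_before_created")
        #    Far-future dates (the year-2222 style values used in the labs).
        if any(row[f] > now + timedelta(days=1) for f in TS_FIELDS):
            flags.append("future_timestamp")
        # 3. Record number vs timestamp plausibility: records are handed out
        #    roughly in order, so a $SIA created time far EARLIER than the
        #    previous record's $FNA created time is suspicious. The reverse
        #    (low record, recent time) is noisy because freed records get reused.
        if (prev_anchor is not None
                and row["sia_created"] < prev_anchor - timedelta(days=gap_days)):
            flags.append("record_order_anomaly")
        prev_anchor = row["fna_created"]
        findings[row["name"]] = flags
    return findings


def report(text: str = SAMPLE_CSV, now: datetime = datetime(2025, 12, 15)) -> dict:
    """Run the analysis over a CSV export; `now` is the examination date."""
    return analyze(parse_rows(text), now)


if __name__ == "__main__":
    for name, flags in report().items():
        print(f"{name:15} {'clean' if not flags else ', '.join(flags)}")
```

Heuristic 4 ($LogFile and $UsnJrnl) is the corroboration step: export those with LogFileParser or UsnJrnl2CSV and compare the original change records against each flagged file.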

Detecting VeraCrypt / Encrypted Volumes

  1. Entropy analysis: A VeraCrypt volume shows entropy near 8.0. The lab measured approximately 7.9999998.
  2. Registry artifacts: Presence of VeraCrypt.sys, VeraCrypt.exe, and VeraCrypt.lnk confirms VeraCrypt was installed and used.
  3. No file signature: VeraCrypt intentionally avoids signatures. Header inspection will not identify the container.
  4. Hidden volume detection: Look for two GUID mount points referencing the same container file with different access timestamps, indicating both the outer and hidden volumes were mounted at different times.
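The entropy check (item 1 here and the Key forensic findings under VeraCrypt above) as an added example, not the page's or any lab tool's own code: Shannon entropy per byte over a whole buffer and per 64 KiB block, so an encrypted container region inside a larger image stands out from text and unallocated zeros. The sample image is constructed (random bytes stand in for a VeraCrypt container); the 7.99 threshold is an assumption tuned to 64 KiB blocks, where truly random data scores about 7.997 rather than the 7.9999998 the lab saw on a full 100 MB volume.

```python
import os
from math import log2

# Threshold for 64 KiB or larger blocks (assumption): random bytes score ~7.997
# at that block size, so 7.99 separates them from text (~4.2) and zeros (0.0).
# Caveat: compressed formats (zip, jpeg, png) also score near 8.0, so entropy
# alone only says "no structure"; pair it with the registry artifacts above.
HIGH_ENTROPY = 7.99
BLOCK_SIZE = 64 * 1024


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant stream, 8.0 at maximum."""
    n = len(data)
    if n == 0:
        return 0.0
    entropy = 0.0
    for value in range(256):
        count = data.count(value)  # bytes.count accepts an int byte value
        if count:
            p = count / n
            entropy -= p * log2(p)
    return entropy


def scan_blocks(data: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Entropy per block as (offset, entropy) so encrypted regions can be located."""
    return [(off, shannon_entropy(data[off:off + block_size]))
            for off in range(0, len(data), block_size)]


def high_entropy_blocks(data: bytes, block_size: int = BLOCK_SIZE,
                        threshold: float = HIGH_ENTROPY) -> list:
    """Offsets of blocks at or above the threshold (candidate encrypted regions)."""
    return [off for off, e in scan_blocks(data, block_size) if e >= threshold]


def demo() -> dict:
    """Constructed image: a 64 KiB text region, 1 MiB of random bytes standing in
    for an encrypted container, then 128 KiB of zero-filled unallocated space."""
    sentence = b"The investigator hashed the image before and after mounting it. "
    text_region = (sentence * 2000)[:BLOCK_SIZE]
    container = os.urandom(1024 * 1024)   # stand-in for a VeraCrypt container
    unallocated = bytes(128 * 1024)
    image = text_region + container + unallocated
    return {
        "zero_entropy": shannon_entropy(unallocated),
        "text_entropy": shannon_entropy(text_region),
        "random_entropy": shannon_entropy(container),
        "total_blocks": len(scan_blocks(image)),
        "high_blocks": high_entropy_blocks(image),
    }


if __name__ == "__main__":
    result = demo()
    for key, value in result.items():
        print(f"{key:15} {value}")
```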

Detecting EFS Encryption

  1. $SIA File Type Flag: EFS-encrypted files have flag 0x00004020 (the 0x4000 bit indicates EFS encryption).
  2. $DATA Attribute Flag: The $DATA stream has flag 0x0040 when content is EFS-encrypted.
  3. $Logged_Utility_Stream ($EFS): Presence of this stream confirms EFS encryption. It stores encryption key blobs and user SIDs required for decryption. In the lab, this stream was 720 bytes and allocated one cluster (4096 bytes) with 3,376 bytes of slack.
  4. FTK Imager: EFS-encrypted files are visible in the directory tree but their content cannot be read from a forensic image without the correct private key.

Detecting ADS (Alternate Data Streams)

  1. dir /r in Command Prompt lists ADS entries alongside regular files.
  2. FTK Imager and similar forensic tools expose ADS streams in their file listings.
  3. MFT Browser shows additional $DATA attributes (non-default stream names) within MFT records.

Detecting Data Hidden in NTFS $EA

  1. EaQuery64.exe can query a file for $EA attribute content.
  2. MFT Browser will show the $EA attribute on any file that has extended attribute data attached.
  3. The $EA attribute is limited to 65,535 bytes total per file.
