Once again, we can run a directory listing and we see no evidence of either of the Alternate Data Streams.

It is also important to note that most antivirus software packages by default do not scan Windows Alternate Data Streams for viruses, trojans, and other malicious code. If you're performing forensic investigations, ensure your vendor provides this very important feature in its antivirus suite. If it is supported by your antivirus software, you can enable this feature on an as-needed basis. The drawback is that leaving this feature on may seriously slow your normal antivirus scans by as much as 10x, which is why many antivirus vendors leave it disabled by default.

In summary, Alternate Data Streams are commonly overlooked by investigators and therefore can be a nice hiding location for files.

Pittman, Dave Shaver, in Handbook of Digital Forensics and Investigation, 2010

Link Files

Link files (.LNK extension) are simply shortcuts, which point to another file or folder. Users sometimes create these shortcuts intentionally for convenient access to particular items, but more often Windows creates link files automatically in an attempt to assist the user and speed up operations. Windows places link files in various locations, including a user's Desktop, Start Menu, and Recent folders, as well as in application data areas and restore points.

The mere presence of a link file can be significant because it may indicate that the user opened a particular file or folder. For example, finding a link file in a user's Desktop folder called my_lolitas.lnk, which points to a folder containing hundreds of pictures of minors in lewd or lascivious poses, would make it far more difficult for the user to claim he had no knowledge of the folder's existence.
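The Alternate Data Streams passage above notes that a plain directory listing shows no trace of the streams and that most antivirus products skip them by default. As an added example (not from the original text), the PowerShell function below lists every non-default stream per file so an examiner can review them; the function name, the `ads-demo` scratch folder and its contents are constructed for illustration, and it assumes an NTFS volume with PowerShell 3.0 or later.

```powershell
# Added example: enumerate alternate data streams that a normal listing omits.
# Assumptions: NTFS volume, PowerShell 3.0+ (provides Get-Item -Stream).
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,   # folder under examination
        [switch] $IncludeZoneIdentifier          # browser-written marker; hidden by default to cut noise
    )
    # -Force includes hidden and system files; -File skips directories.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -Force -ErrorAction SilentlyContinue |
                # ':$DATA' is the unnamed main stream that every file has.
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File         = $file.FullName
                        Stream       = $_.Stream
                        StreamBytes  = $_.Length            # size of the alternate stream
                        MainBytes    = $file.Length         # size the directory listing reports
                        LastWriteUtc = $file.LastWriteTimeUtc
                    }
                }
        }
}

# Constructed demo on a scratch folder (benign text content only).
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -LiteralPath "$demo\notes.txt" -Value 'hello'
Set-Content -LiteralPath "$demo\notes.txt" -Stream 'hidden.bin' -Value 'text stored outside the main stream'

Get-ChildItem -LiteralPath $demo                        # lists notes.txt with its main-stream size only
Find-AlternateDataStream -Path $demo | Format-Table -AutoSize   # reports the hidden.bin stream
```

Run it against a mounted working copy of the evidence rather than the original media, since enumerating files can update access timestamps.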