MFT Alternate Data Streams

[IppSec]

It doesn't look like the MFT Dump outputs Alternate Data Streams, which can be useful to identify files that came from the internet. If we extracted the Resident Files #190 they would appear there, but I believe the ADS should also appear as files in the dump command.

It does look like the entry has an "HasAlternateDataStreams", just doesn't list the names.

[FranticTyping]

Completely agree with you, it would be useful to get this added. I had a quick look and it seems like the underlying library doesn't show the ADS when exporting to CSV format. We'll either need to look at getting this added to the library, or figure out a way to parse it out on the chainsaw side.

I need to think about how we should do this cleanly.

[FranticTyping]

Just updating this thread. I have a locally working solution, I'm just cleaning it up and doing some testing.

[FranticTyping]

@IppSec - The requested features should be available in the latest version of Chainsaw (v2.11.0). You can read about the features here #210

I'll close this issue now, but please let me know if there are additional changes you need!