Question

1. What is an Alternate Data Stream?
2. How is time stomping performed?
3. What is the command to display an ADS from the command line?
4. How do you encrypt a file using the EFS feature of NTFS?
5. What is the byte range for in decimal for the first partition?
6. What number indicated that a partition is bootable?
7. What does LBA stand for and what does it do?
8. The Master Boot Record ends with what signature?

Please answer this question in an easy way?

Answer 1

1. Alternate Data Stream which is also termed as ADS is a program feature of Windows NTFS (New Technology File System).
It contains metadata that helps locating a specific file. It has compatibility support with all versions of Windows starting from Windows NT.
It is used to store file information such as attributes and temporary storage.

2.Time stomping is a technique that modifies the timestamps of a file like modify,access,create and change time of file.
This is often used to duplicate files with same attributes in a folder. Time stomping can be performed using various procedures like APT28,APT32, 3PARA RAT etc..

3. You can use Command dir /R to display an ADS from command line

4. Here's how you can encrypt file using EFS

• Launch File Explorer from StartMenu/Desktop/Taskbar.
• Right click the file or folder that has to be encrypted.
• Select Properties.
• Click Advanced.
• Check the checkbox next to encrypt contents to secure data.
• Click OK.
• Click apply.

5. The byte range of the First Partition(Boot Partition) is -
446 to 461 in decimal and 1BE to 1CD in hexadecimal

6. Hex numbers

7. LBA stands for Logical Block Addressing.It is common model scheme that helps in specifying the location of blocks of data stored on computer storage devices,generally secondary storage devices like hard disks. It provides a simple linear address space to the host which only needs to to provide the LBA address without knowing anything of the physical sector positions.

8. Disk Signatures