< Back
Get-ForensicAlternateDataStream
Post
NAME Get-ForensicAlternateDataStream
SYNOPSIS
Gets the NTFS Alternate Data Streams on the specified volume.
SYNTAX
Get-ForensicAlternateDataStream [[-VolumeName] <String>] [<CommonParameters>]
Get-ForensicAlternateDataStream -Path <String> [<CommonParameters>]
DESCRIPTION
The Get-ForensicAlternateDataStream cmdlet parses the Master File Table and returns AlternateDataStream objects
for files that contain more than one $DATA attribute.
NTFS stores file contents in $DATA attributes. The file system allows a single file to maintain multiple $DATA
attributes. When a file has more than one $DATA attribute the additional attributes are referred to as "Alternate
Data
Streams".
PARAMETERS
-VolumeName [<String>]
Specifies the name of the volume or logical partition.
Enter the volume name in one of the following formats: \\\\.\\C:, C:, or C.
Required? false
Position? 0
Default value \\\\.\\C:
Accept pipeline input? false
Accept wildcard characters? false
-Path <String>
The path of a file that should be checked for alternate data streams.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
None
OUTPUTS
PowerForensics.Artifacts.AlternateDataStream
-------------------------- EXAMPLE 1 --------------------------
[ADMIN]: PS C:\\>Get-ForensicAlternateDataStream
This example shows Get-ForensicAlternateDataStream getting all ADS on the C:\\ logical volume.
RELATED LINKS
SYNOPSIS
Gets the NTFS Alternate Data Streams on the specified volume.
SYNTAX
Get-ForensicAlternateDataStream [[-VolumeName] <String>] [<CommonParameters>]
Get-ForensicAlternateDataStream -Path <String> [<CommonParameters>]
DESCRIPTION
The Get-ForensicAlternateDataStream cmdlet parses the Master File Table and returns AlternateDataStream objects
for files that contain more than one $DATA attribute.
NTFS stores file contents in $DATA attributes. The file system allows a single file to maintain multiple $DATA
attributes. When a file has more than one $DATA attribute the additional attributes are referred to as "Alternate
Data
Streams".
PARAMETERS
-VolumeName [<String>]
Specifies the name of the volume or logical partition.
Enter the volume name in one of the following formats: \\\\.\\C:, C:, or C.
Required? false
Position? 0
Default value \\\\.\\C:
Accept pipeline input? false
Accept wildcard characters? false
-Path <String>
The path of a file that should be checked for alternate data streams.
Required? true
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable, and OutVariable. For more information, see
about_CommonParameters (https:/go.microsoft.com/fwlink/?LinkID=113216).
INPUTS
None
OUTPUTS
PowerForensics.Artifacts.AlternateDataStream
-------------------------- EXAMPLE 1 --------------------------
[ADMIN]: PS C:\\>Get-ForensicAlternateDataStream
This example shows Get-ForensicAlternateDataStream getting all ADS on the C:\\ logical volume.
RELATED LINKS