Re: Windows covert channel

[Rainer Gerhards <rgerhards () hq adiscon com>]

This is a well-known "issue" that was even part of the MCSE for NT 3.51
tutorial guides ;) Anyhow, it is still an issue, and the root cause for
others (like the IIS $$DATA information disclosure vulnerability). If
you google for it, you will also find tools to detect those alternate
data streams. There presence can be the indication for an attack ("can"
as in "may") ;)

Those of you doing forensics please keep in mind that ADS can be stored
in the MFT, only, if the amount of data is low enough so that it will
fit in the unallocated part of the 4k MFT entry.

Just my 2cts...
Rainer

On Tue, 2003-10-21 at 14:16, Wally Eaton wrote:
> James,
> You may be thinking of "Streams" in Windows files. Data can be hidden in secondary files on NTFS partitions. I 
> believe it was developed to be compatible with Apple/ MAC systems. In any case the following is an example:
>
> Run CMD
> On a NTFS partition
>
> D:\> echo Hello > FrontFile
> D:\> type FrontFile
> Hello
>
> D:\> echo Good Day >> FrontFile
> D:\> type FrontFile
> Hello
> Good Day
>
> D:\> echo Secret Info > FrontFile:BackFile
> D:\> type FrontFile
> Hello
> Good Day
>
> D:\> more < FrontFile:BackFile
> Secret Info
>
> Now add data to the FrontFile only
>
> D:\> echo Good Evening >> FrontFile
> D:\> type FrontFile
> Hello
> Good Day
> Good evening
>
> Now add data to the BackFile only
>
> D:\> echo More Secret Data >>FrontFile:BackFile
> D:\> more < FrontFile:BackFile
> Secret Info
> More Secret Data
>
> You will notice if you enter a DIR command that only the FrontFile will be displayed. Furthermore, the size of the 
> file will reflect only the content of the FrontFile.
> Have a great day.
> Wally 
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html