Vulnerability Development mailing list archives
RE: How to hide a file ?
From: "Oleg Kozitski" <oregu () gmx de>
Date: Tue, 8 Jan 2002 23:18:23 +0100
Hi,

another tool for detecting ADSs: http://www.sysinternals.com/ntw2k/source/misc.shtml#Streams

-oleg
Not to belabour the point, but I don't see a lot of NT/2K admins doing examinations of last modification times (or even last access times) during incident response. How does someone not necessarily familiar with or comfortable with working at the command prompt go about determining what is 'suspicious'? Or even via Explorer? After all, ADSs can be bound not only to files, but directory listings as well.

Not to down-play your contribution, but I don't see the last modification time being a viable means of detecting ADSs at all.

While we're on the topic, though, I'd like to point folks to the thread over in the Forensics list. I'm not sure if the archives are even kept around over there, but not too long ago...say, mid-Dec sometime, we had some posts on ADSs. One of the things I pointed out was that if you opened Windows Explorer, right-clicked on a file and chose 'Properties', 'Summary' (on NTFS drives) the data you put into the entries are stored as NTFS alternate data streams.

I mention this b/c as more and more people become familiar w/ NTFS alternate data streams, you're going to see people screaming about being 'hacked', b/c a file has an ADS that starts w/ an unprintable ASCII character, followed by the word "Summary". Or, someone's going to start using that very name for their ADSs where they hide data!
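The two cases raised in the message above (an Explorer 'Summary' stream reported as a compromise, and a data stream that merely borrows that name) can be told apart during triage by checking the stream's content as well as its name. The following is an added example, not code from the posts or from the Streams tool. The function names are hypothetical, the 28-byte OLE property-set header layout is an assumption about what Explorer writes, and the sample streams, including the 0x05 name prefix, are constructed.

```python
# Added example: triage of alternate data stream names plus their first bytes.
# Sample data is constructed; it was not collected from a real system.
import struct

def has_summary_name(stream: str) -> bool:
    """Name pattern described in the post: an unprintable character, then 'Summary'."""
    return len(stream) > 1 and ord(stream[0]) < 0x20 and stream[1:].startswith("Summary")

def looks_like_property_set(head: bytes) -> bool:
    """Check the fixed header of an OLE property set stream.
    Assumed layout: ByteOrder u16, Version u16, SystemIdentifier u32,
    CLSID 16 bytes, NumPropertySets u32 (all little-endian)."""
    if len(head) < 28:
        return False
    byte_order, version = struct.unpack_from("<HH", head, 0)
    (num_sets,) = struct.unpack_from("<I", head, 24)
    return byte_order == 0xFFFE and version in (0, 1) and num_sets in (1, 2)

def triage(stream: str, head: bytes) -> str:
    """Classify one stream from its name and the first bytes of its content."""
    if not has_summary_name(stream):
        return "review"                    # ordinary named stream: needs a human look
    if looks_like_property_set(head):
        return "likely-explorer-summary"   # name and content agree: lower priority
    return "suspicious-summary-name"       # borrowed name, content is something else

def sample_property_set_head() -> bytes:
    """Constructed 28-byte header that satisfies the assumed layout."""
    return struct.pack("<HHI16sI", 0xFFFE, 0, 0x00020005, bytes(16), 1)

# Constructed samples: (file, stream name, first bytes of the stream).
SAMPLES = [
    ("report.doc", "\x05SummaryInformation", sample_property_set_head()),
    ("readme.txt", "\x05SummaryInformation", b"MZ\x90\x00" + bytes(60)),
    ("C:\\temp", "tools.zip", b"PK\x03\x04" + bytes(60)),
]

def triage_all(samples=SAMPLES):
    """Return {(file, printable stream name): verdict} for every sample."""
    return {(f, repr(s)): triage(s, h) for f, s, h in samples}

if __name__ == "__main__":
    for key, verdict in triage_all().items():
        print(key, "->", verdict)
```

A matching header only lowers a stream's priority; it does not show the stream is harmless, since the property values themselves are not inspected here.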