Vulnerability Development mailing list archives

Re: How to hide a file ?


From: "Ryan Permeh" <ryan () eEye com>
Date: Tue, 8 Jan 2002 12:33:34 -0800

just because some investigators/admins/IR teams might not notice the
evidence does not invalidate the fact that you COULD use it to notice
changes.  You are correct, in this case, this should be a forensics issue,
and the topic has strayed very far from "How can I hide a file" to "How can
I tell if there are hidden files".

ADS can obscure the presence of data, and it has its downsides, i.e. the data
is not actually hidden, just not noticed by most common utilities, and it
alters filetimes.  If this serves the original purpose, great, but there are
a plethora of tools to "unhide" this information, but it does require
someone to know how to look for it.  This is obscurity through obscurity, as
it offers no distinct security advantage over a well trained intelligent
opponent.  It could be said that against a well trained, intelligent
opponent, no solution could "hide" data, as someone who is so inclined could
go raw sector by sector through the drive looking for information.  This may
not match the threat model, but it must be understood that this can (and
does) happen.


Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina -Network Security Scanner
http://www.eEye.com/Iris -Network Traffic Analyzer
http://www.eEye.com/SecureIIS -Stop Known and Unknown IIS Vulnerabilities

----- Original Message -----
From: "H C" <keydet89 () yahoo com>
To: "Altheide, Cory" <CAltheide () broadband att com>;
<vuln-dev () security-focus com>
Sent: Tuesday, January 08, 2002 10:46 AM
Subject: RE: How to hide a file ?


Cory,

It's not an incredibly crucial issue, no, but if you
create an ADS on, say, explorer.exe, it alters the
modified date.  When doing a cursory examination of
the last modified files, explorer.exe would look
fairly suspicious.

Not to belabour the point, but I don't see a lot of
NT/2K admins doing examinations of last modification
times (or even last access times) during incident
response.  How does someone not necessarily familiar
with or comfortable with working at the command prompt
go about determining what is 'suspicious'?  Or even
via Explorer?  After all, ADSs can be bound not only to
files, but to directory listings as well.

Not to down-play your contribution, but I don't see
the last modification time being a viable means of
detecting ADSs at all.

While we're on the topic, though, I'd like to point
folks to the thread over in the Forensics list.  I'm
not sure if the archives are even kept around over
there, but not too long ago...say, mid-Dec sometime,
we had some posts on ADSs.  One of the things I
pointed out was that if you opened Windows Explorer,
right-clicked on a file and chose 'Properties',
'Summary' (on NTFS drives) the data you put into the
entries are stored as NTFS alternate data streams.

I mention this b/c as more and more people become
familiar w/ NTFS alternate data streams, you're going
to see people screaming about being 'hacked', b/c a
file has an ADS that starts w/ an unprintable ASCII
character, followed by the word "Summary".

Or, someone's going to start using that very name for
their ADSs where they hide data!



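A defender-side check for what the thread keeps coming back to: enumerating the alternate data streams themselves rather than relying on modification times. This is an added example, not code from either poster; it assumes Windows PowerShell 3.0 or later on an NTFS volume, and treats the Explorer 'Summary' property streams and the download Zone.Identifier stream as benign.

```powershell
# Added example (not from the thread): list NTFS alternate data streams under a
# directory and report the ones not explained by ordinary Windows behaviour.
# Assumes Windows PowerShell 3.0+ (or PowerShell 7) on an NTFS volume.

param(
    [string]$Root = '.'
)

# Stream names Windows creates on its own (assumption: treated as benign here).
# The Explorer 'Summary' tab writes property-set streams whose names begin with
# the unprintable character 0x05, which is the "Summary" ADS the thread describes.
$KnownBenign = @(
    ':$DATA',                                   # the file's unnamed main data stream
    'Zone.Identifier',                          # mark-of-the-web on downloaded files
    ([char]5 + 'SummaryInformation'),
    ([char]5 + 'DocumentSummaryInformation')
)

function Get-SuspiciousStream {
    param([string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        # "-Stream *" returns every named stream, not just the default one that
        # dir and Explorer show; each object carries Stream and Length.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $KnownBenign -notcontains $_.Stream } |
          ForEach-Object {
            [pscustomobject]@{
                File          = $file.FullName
                Stream        = $_.Stream
                Length        = $_.Length
                # Reported as corroborating context only: as the thread notes,
                # last write time on its own is not a reliable ADS detector.
                LastWriteTime = $file.LastWriteTime
            }
          }
      }
}

Get-SuspiciousStream -Path $Root |
  Sort-Object LastWriteTime -Descending |
  Format-Table -AutoSize
```

The walk is restricted to files; as the thread points out, directories can carry streams too, so a full sweep would drop the -File switch and handle directory entries as well.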


