RE: How to hide a file ?

["Altheide, Cory" <CAltheide () broadband att com>]

It's not an incredibly crucial issue, no, but if you create an ADS on, say,
explorer.exe, it alters the modified date.  When doing a cursory
examiniation of the last modified files, explorer.exe would look fairly
suspicious.

Pagefile.sys, however, would not. ;)

Cory Altheide
Internet Security Coordinator
AT&T Broadband Legal Demands Center
 

> -----Original Message-----
> From: H C [mailto:keydet89 () yahoo com]
> Sent: Tuesday, January 08, 2002 11:22 AM
> To: Altheide, Cory; vuln-dev () security-focus com
> Subject: RE: How to hide a file ?
>
>
> Cory,
>
> > Just a quick note on hiding using data streams...
> >
> > While the streams themselves are transparent,
> > creating an alternate data
> > stream does alter the modified date of the "parent"
> > file.
>
> You're correct, but I'm not sure where thats really
> even an issue.  
>
> 'touch' utilities are trivial.  In fact, I recently
> put a Perl script up on my site that shows
> programmatically how to do this via the Win32 API. 
> Nothing new, of course, other than the fact that the
> script allows the user to change the creation date, as
> well as the last access and write times.
>
> However, I started a separate thread on this issue on
> the Forensics list, so I won't belabour it here...
>
>
> __________________________________________________
> Do You Yahoo!?
> Send FREE video emails in Yahoo! Mail!
> http://promo.yahoo.com/videomail/