Vulnerability Development mailing list archives
RE: How to hide a file ?
From: "Altheide, Cory" <CAltheide () broadband att com>
Date: Tue, 8 Jan 2002 12:00:55 -0700
I understand what you're saying, and don't feel slighted at all. :) I probably didn't make it clear, but my intention was just to point out that if the original poster was going to use ADSs to hide his data, he may want to be aware that he is altering the modified time of the parent file, which could *possibly* arouse some suspicion. I don't think from an administrative mindset, so I can't say what an admin would look for. In a cursory investigation though, I personally would check MAC times very early on.

Cory Altheide
Internet Security Coordinator
AT&T Broadband Legal Demands Center
-----Original Message-----
From: H C [mailto:keydet89 () yahoo com]
Sent: Tuesday, January 08, 2002 11:46 AM
To: Altheide, Cory; vuln-dev () security-focus com
Subject: RE: How to hide a file ?

Cory,

It's not an incredibly crucial issue, no, but if you create an ADS on, say, explorer.exe, it alters the modified date. When doing a cursory examination of the last modified files, explorer.exe would look fairly suspicious.

Not to belabour the point, but I don't see a lot of NT/2K admins doing examinations of last modification times (or even last access times) during incident response. How does someone not necessarily familiar with or comfortable with working at the command prompt go about determining what is 'suspicious'? Or even via Explorer? After all, ADSs can be bound not only to files, but directory listings as well.

Not to down-play your contribution, but I don't see the last modification time being a viable means of detecting ADSs at all.
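
The two checks discussed in this exchange, as an added example that is not part of either poster's message: it shows the parent file's modified time moving when a named stream is written, then lists named streams directly instead of inferring them from timestamps. It assumes PowerShell 3.0 or later on an NTFS volume; the scratch file, the stream name 'note' and the function Find-NamedStream are hypothetical names made up for the illustration.

```powershell
# Added example: works only on a constructed scratch file under $env:TEMP.
$dir  = Join-Path $env:TEMP ("ads-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$file = Join-Path $dir 'parent.txt'
Set-Content -Path $file -Value 'visible content'

# Backdate the parent so a change in LastWriteTime is unambiguous.
$baseline = (Get-Date).AddDays(-30)
(Get-Item $file).LastWriteTime = $baseline

# Writing a named stream (hypothetical name 'note') updates the parent's
# modified time, which is the side effect pointed out in the thread.
Set-Content -Path $file -Stream 'note' -Value 'constructed sample data'
$after = (Get-Item $file).LastWriteTime
"LastWriteTime changed: {0} ({1} -> {2})" -f ($after -ne $baseline), $baseline, $after

# The size shown in a normal listing still covers only the unnamed stream.
"Reported length: {0} bytes" -f (Get-Item $file).Length

# Direct check: report every stream other than the default ':$DATA'.
# This version inspects files only, not streams attached to directories.
function Find-NamedStream {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

Find-NamedStream -Path $dir | Format-Table -AutoSize

# Clean up the scratch directory.
Remove-Item -Recurse -Force $dir
```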