Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com

Neohapsis > Archives > NTBugtraq> 1998

NTFS Alternate Data Streams

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

NTFS Alternate Data Streams

To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
Subject: NTFS Alternate Data Streams
From: Charles White <charliewmarch.co.uk>
Date: Thu, 19 Mar 1998 12:09:13 +0000
Reply-To: c.whitemarch.co.uk
Sender: Windows NT BugTraq Mailing List <NTBUGTRAQLISTSERV.NTBUGTRAQ.COM>

NTFS Alternate Data Streams
---------------------------

The existence of NTFS Alternate Data Streams and their potential for
misuse has recently been publicised in various NT related newsgroups and
mailing lists.  These streams can be used to hide the existence of data of
any size and type (eg confidential data, pornographic images, etc) which
may be damaging to your organization.

Legitimate uses of streams have also been included in recent editions of
some UK PC magazines.

The current problem with streams is that many Windows NT users (including
administrators) are not aware that streams exist and even if they know of
them have no simply method of detecting them. Microsoft does not provide
tools for reporting what streams exist !

MARCH Information Systems has developed a command line utility which
solves the problem of hidden data by checking a machine for the
existence of non-default streams (a 'data' and 'security descriptor'
stream exists on every NTFS file and directory).  The utility searches an
NTFS disc locating and reporting the size and, more importantly, the name
of every alternate data stream detected.  If desired it will even report
the sizes of the standard streams.

The FREE utility, together with a paper giving further details of the
threats posed by streams, can be download from

        http://www.march.co.uk

Regards,

Charles White                           |  Tel:   +44 (0)118 930 4224
March Information Systems Ltd.,         |  Fax:   +44 (0)118 930 5802
14 Brewery Court, High Street, Theale,  |
Berkshire, England, RG7 5AJ             |  Email: c.whitemarch.co.uk
 <Security Manager & EventLog Manager - NT & UNIX Security solutions>

Prev by Date: legitimate use of recursive document loading into IE4
Next by Date: FW: Your message to NTBUGTRAQ
Prev by thread: Re: legitimate use of recursive document loading into IE4
Next by thread: FW: Your message to NTBUGTRAQ
Index(es):
- Date
- Thread