From: Altheide, Cory (CAltheidebroadband.att.com)
Date: Tue Jan 08 2002 - 12:24:49 CST


    It's not an incredibly crucial issue, no, but if you create an ADS on, say,
    explorer.exe, it alters the modified date. When doing a cursory
    examination of the last modified files, explorer.exe would look fairly
    suspicious.

    Pagefile.sys, however, would not. ;)

    Cory Altheide
    Internet Security Coordinator
    AT&T Broadband Legal Demands Center
     

    > -----Original Message-----
    > From: H C [mailto:keydet89yahoo.com]
    > Sent: Tuesday, January 08, 2002 11:22 AM
    > To: Altheide, Cory; vuln-devsecurity-focus.com
    > Subject: RE: How to hide a file ?
    >
    >
    > Cory,
    >
    > > Just a quick note on hiding using data streams...
    > >
    > > While the streams themselves are transparent,
    > > creating an alternate data
    > > stream does alter the modified date of the "parent"
    > > file.
    >
    > You're correct, but I'm not sure where that's really
    > even an issue.
    >
    > 'touch' utilities are trivial. In fact, I recently
    > put a Perl script up on my site that shows
    > programmatically how to do this via the Win32 API.
    > Nothing new, of course, other than the fact that the
    > script allows the user to change the creation date, as
    > well as the last access and write times.
    >
    > However, I started a separate thread on this issue on
    > the Forensics list, so I won't belabour it here...
    >
    >
    >
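
Added example, not part of the original thread: because the parent file's timestamps can be reset, as the quoted reply notes, a review that enumerates named streams directly does not depend on the modified date. The parameters `$Root` and `$Benign` are assumptions made for illustration; the script uses the `-Stream` parameter of `Get-Item` (PowerShell 3.0 or later on NTFS).

```powershell
# Added example: report files that carry alternate (named) data streams.
# $Root and $Benign are illustrative assumptions, not values from the thread.
param(
    [string]$Root = 'C:\Windows',
    # Zone.Identifier is the stream Windows attaches to downloaded files.
    [string[]]$Benign = @('Zone.Identifier')
)

# -Force includes hidden and system files. Files that are locked or
# unreadable (pagefile.sys on a live system, for example) raise errors
# that are skipped, so those need offline analysis of the volume instead.
# Directories can also hold named streams; this pass covers files only.
Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Every file has an unnamed default stream, reported as ':$DATA'.
        # Anything else is a named stream attached to the parent file.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $Benign -notcontains $_.Stream } |
            ForEach-Object {
                [pscustomobject]@{
                    Path          = $file.FullName
                    Stream        = $_.Stream
                    StreamBytes   = $_.Length
                    # Timestamps are shown for context only: they belong to
                    # the parent file and can be rewritten after the fact.
                    CreationTime  = $file.CreationTimeUtc
                    LastWriteTime = $file.LastWriteTimeUtc
                }
            }
    } |
    Sort-Object LastWriteTime -Descending |
    Format-Table -AutoSize
```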