From: Altheide, Cory (CAltheidebroadband.att.com)
Date: Tue Jan 08 2002 - 13:00:55 CST


    I understand what you're saying, and don't feel slighted at all. :)

    I probably didn't make it clear, but my intention was just to point out that
    if the original poster was going to use ADSs to hide his data, he may want
    to be aware that he is altering the modified time of the parent file, which
    could *possibly* arouse some suspicion.

    I don't think from an administrative mindset, so I can't say what an admin
    would look for. In a cursory investigation though, I personally would check
    MAC times very early on.

    Cory Altheide
    Internet Security Coordinator
    AT&T Broadband Legal Demands Center

    > -----Original Message-----
    > From: H C [mailto:keydet89yahoo.com]
    > Sent: Tuesday, January 08, 2002 11:46 AM
    > To: Altheide, Cory; vuln-devsecurity-focus.com
    > Subject: RE: How to hide a file ?
    >
    >
    > Cory,
    >
    > > It's not an incredibly crucial issue, no, but if you
    > > create an ADS on, say,
    > > explorer.exe, it alters the modified date. When
    > > doing a cursory
    > > examination of the last modified files,
    > > explorer.exe would look fairly
    > > suspicious.
    >
    > Not to belabour the point, but I don't see a lot of
    > NT/2K admins doing examinations of last modification
    > times (or even last access times) during incident
    > response. How does someone not necessarily familiar
    > with or comfortable with working at the command prompt
    > go about determining what is 'suspicious'? Or even
    > via Explorer? After all, ADSs can be bound not only to
    > files, but directory listings as well.
    >
    > Not to down-play your contribution, but I don't see
    > the last modification time being a viable means of
    > detecting ADSs at all.
    >
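The two checks argued over in this exchange, stream enumeration and MAC times, can be put side by side in one view. The script below is an added example and is not code from either poster; it assumes Windows PowerShell 3.0 or later (5.1 for New-TemporaryFile) on an NTFS volume, and the parameter names $Root and $RecentDays, the function names and the stream name 'example' are this example's own.

```powershell
# Added example, not code from the thread above. Lists NTFS alternate data
# streams under a path together with each item's LastWriteTime, so both
# signals discussed in the thread (stream enumeration and MAC times) appear
# in one table. Assumes Windows PowerShell 3.0+ (5.1 for New-TemporaryFile)
# on an NTFS volume; $Root and $RecentDays are this example's own names.
param(
    [string]$Root = (Get-Location).Path,
    [int]$RecentDays = 7   # assumed window for flagging "recently modified"
)

function Get-AlternateDataStreams {
    param([string]$Path, [int]$Days = 7)
    $cutoff = (Get-Date).AddDays(-$Days)
    # Directories can carry named streams as well as files, so scan both.
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        # Get-Item -Stream * lists every stream; ':$DATA' is the ordinary file content.
        $named = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                 Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $named) {
            [pscustomobject]@{
                Path             = $item.FullName
                Stream           = $s.Stream
                Length           = $s.Length
                LastWriteTime    = $item.LastWriteTime
                RecentlyModified = $item.LastWriteTime -gt $cutoff
                # Zone.Identifier is the common, benign mark-of-the-web stream on downloads.
                Benign           = $s.Stream -eq 'Zone.Identifier'
            }
        }
    }
}

function Test-AdsUpdatesLastWriteTime {
    # Checks the claim made in the thread on a throwaway file: write a named
    # stream and compare the file's LastWriteTime before and after.
    $tmp = New-TemporaryFile
    try {
        $before = (Get-Item -LiteralPath $tmp.FullName).LastWriteTime
        Start-Sleep -Seconds 2   # step past timestamp granularity
        Set-Content -LiteralPath $tmp.FullName -Stream 'example' -Value 'test'
        $after = (Get-Item -LiteralPath $tmp.FullName).LastWriteTime
        [pscustomobject]@{ Before = $before; After = $after; Changed = ($after -ne $before) }
    } finally {
        Remove-Item -LiteralPath $tmp.FullName -Force -ErrorAction SilentlyContinue
    }
}

Get-AlternateDataStreams -Path $Root -Days $RecentDays |
    Sort-Object LastWriteTime -Descending |
    Format-Table Path, Stream, Length, LastWriteTime, RecentlyModified, Benign -AutoSize
Test-AdsUpdatesLastWriteTime
```

Save it as a .ps1 and run it with -Root pointing at the tree under review. The table answers the question raised above directly: the Stream column finds streams on files and directories regardless of timestamps, while LastWriteTime and RecentlyModified show the signal the first message relies on. Treat the timestamp as corroboration rather than the detection itself, since it is overwritten by ordinary activity and is trivially reset, which is the point the quoted reply makes; the stream listing is the check to trust, and Zone.Identifier entries can usually be discounted as routine download markers.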