 
From: H C (keydet89yahoo.com)
Date: Tue Jan 08 2002 - 12:46:23 CST


    Cory,

    > It's not an incredibly crucial issue, no, but if you
    > create an ADS on, say, explorer.exe, it alters the
    > modified date. When doing a cursory examination of
    > the last modified files, explorer.exe would look
    > fairly suspicious.

    Not to belabour the point, but I don't see a lot of
    NT/2K admins doing examinations of last modification
    times (or even last access times) during incident
    response. How does someone not necessarily familiar
    with or comfortable with working at the command prompt
    go about determining what is 'suspicious'? Or even
    via Explorer? After all, ADSs can be bound not only to
    files, but to directory listings as well.

    Not to down-play your contribution, but I don't see
    the last modification time being a viable means of
    detecting ADSs at all.

    While we're on the topic, though, I'd like to point
    folks to the thread over in the Forensics list. I'm
    not sure if the archives are even kept around over
    there, but not too long ago...say, mid-Dec sometime,
    we had some posts on ADSs. One of the things I
    pointed out was that if you opened Windows Explorer,
    right-clicked on a file and chose 'Properties',
    'Summary' (on NTFS drives) the data you put into the
    entries are stored as NTFS alternate data streams.

    I mention this b/c as more and more people become
    familiar w/ NTFS alternate data streams, you're going
    to see people screaming about being 'hacked', b/c a
    file has an ADS that starts w/ an unprintable ASCII
    character, followed by the word "Summary".

    Or, someone's going to start using that very name for
    their ADSs where they hide data!

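The post argues that last-modification times are not a viable way to find alternate data streams, and that the Explorer 'Summary' tab itself writes streams whose names start with an unprintable character followed by "Summary". The script below is an added example, not part of the thread or of any tool mentioned in it: instead of looking at timestamps, it enumerates the streams actually attached to each file and directory and reports only those not on a small allowlist of streams Windows creates itself. It assumes PowerShell 3.0 or later on an NTFS volume (Get-Item -Stream and Get-ChildItem -File need that); the default path and the allowlist entries (the unnamed :$DATA stream, Zone.Identifier, and the two SummaryInformation streams written by the Summary tab, whose names begin with byte 0x05) are assumptions chosen for the example, and an analyst would extend the list for their own environment.

```powershell
# Added example (not from the original post): enumerate NTFS alternate data
# streams under a directory and report those that are not on an allowlist.
# Assumes PowerShell 3.0+ on Windows and an NTFS volume.
param(
    [string]$Path = "$env:SystemRoot\System32",  # assumption: directory to examine
    [switch]$Recurse
)

# Streams Windows itself creates. The Explorer 'Summary' tab writes the two
# SummaryInformation streams; their names begin with the unprintable byte 0x05,
# which is the "unprintable ASCII character followed by 'Summary'" the post describes.
$knownStreams = @(
    ':$DATA',                                    # the file's ordinary contents
    'Zone.Identifier',                           # mark-of-the-web on downloaded files
    ([char]0x05 + 'SummaryInformation'),
    ([char]0x05 + 'DocumentSummaryInformation')
)

# Directories are included because ADSs can be attached to them as well as to files.
Get-ChildItem -LiteralPath $Path -Recurse:$Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $item = $_
        # -Stream * lists every stream on the item, including the unnamed :$DATA one
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $knownStreams -notcontains $_.Stream } |
            ForEach-Object {
                [pscustomobject]@{
                    Item      = $item.FullName
                    Stream    = $_.Stream
                    Bytes     = $_.Length
                    LastWrite = $item.LastWriteTime   # shown for context only, not used to decide
                }
            }
    } |
    Sort-Object Bytes -Descending |
    Format-Table -AutoSize
```

Run it as `.\Find-UnknownStreams.ps1 -Path C:\Windows -Recurse` (the file name is whatever you save the script as). The LastWrite column is deliberately informational: the decision to report a stream rests on its name alone, which is the point the post makes against timestamp-based checks. Because anyone can name a hidden stream to look like the Summary streams, a stricter variant would drop those two entries from the allowlist and instead report any SummaryInformation stream whose size or content does not match what the Summary tab would write.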