
Alternate Data Streams related cases

9 Posts
7 Users
0 Likes
421 Views
(@forenz)
Posts: 47
Eminent Member
Topic starter
 

Hi, I'm writing a paper on ADSes and was wondering if anyone could point me to documentation that contains details of cases that have involved these in the past - malware, stolen documents for example.

Any help here would be great; if you think of anything that is related to ADSes and you think might be relevant, could you also let me know please?

Your help is appreciated, thanks.

 
Posted : 24/02/2009 6:26 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

"Windows Forensic Analysis" contains some of what you're looking for. Unfortunately, in most instances, the specific details of an examination or case are not made available to that level.

I'm sure that spending some time on Google would turn up some interesting information, as well.

 
Posted : 24/02/2009 7:42 pm
(@forenz)
Posts: 47
Eminent Member
Topic starter
 

I have "Windows Forensic Analysis" haha, I've already used that as a help. That's what I thought, but I also thought people on here might know better. And also: why exactly can ADSes not be viewed in Windows XP? Is the answer as simple as there being no native tools, or is there a more in-depth one? If there is, I'd like to know.

Thanks for the reply

 
Posted : 25/02/2009 12:14 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

So, on pg 242 of WFA, the book states that there are no native tools (caveat this applies to Windows NT, 2000, XP and 2003…fig 5.11 on pg 244 illustrates how to do this on Vista) in Windows that allow you to view arbitrary ADSs.

If you can find a native tool on Windows NT through 2003 that can be used to locate and view arbitrary ADSs, please…I'm sure we'd all love to hear about it.

 
Posted : 25/02/2009 1:12 am
(@ronanmagee)
Posts: 145
Estimable Member
 

There's a good article with an example of how it might be used … here

The LADS tool should also help you.

I believe ADS was first introduced to allow Windows to be compatible with Macs.

Sysinternals tool called stream may also help.

Ronan

 
Posted : 25/02/2009 5:14 am
darren_q
(@darren_q)
Posts: 48
Eminent Member
 

ADSspy - http://www.bleepingcomputer.com/files/adsspy.php - is another good one

 
Posted : 25/02/2009 6:10 am
ecophobia
(@ecophobia)
Posts: 127
Estimable Member
 

I still have this page bookmarked: http://www2.tech.purdue.edu/cit/Courses/cit556/readings/NTFSDarkside.pdf

One guy by the name H. Carvey did an excellent write-up about ADS. The paper is quite old, so must be the guy who wrote the paper.
:) Hello Harlan :-)

SANS also has something about ADS.
http://sansforensics.wordpress.com/2009/02/09/the-trojan-solved-it-catching-a-fraudster-with-another-criminal-myspacceexe/

 
Posted : 25/02/2009 8:43 am
(@ivalen)
Posts: 30
Eminent Member
 

Hi, I'm writing a paper on ADSes and was wondering if anyone could point me to documentation that contains details of cases that have involved these in the past - malware, stolen documents for example.

Not going to reveal case specifics, but one malware case I worked involved the collection of data prior to archiving and exfiltration by using ADS. Each file to be exfiltrated was copied as an ADS to a single folder, those streams RAR'd, and the RAR transmitted out.

 
Posted : 25/02/2009 7:25 pm
rohn
(@rohn)
Posts: 1
New Member
 

Although for the most part they don't answer your specific question, here are links to some articles I've collected. Maybe you will find something useful in them or in the links they contain.

Dissecting NTFS Hidden Streams

FAQ Alternate Data Streams in NTFS

Windows Security Threat -- NTFS Alternate Data Streams

Practical Guide to Alternative Data Streams in NTFS

Hidden Threat Alternate Data Streams

The Dark Side of NTFS (Microsoft’s Scarlet Letter)

Alternate Data Streams- Big Deal or Not?

Zone Identifier ADS's

Alternate Data Streams - What's hiding in your windows NTFS

HTH

 
Posted : 01/03/2009 2:54 pm
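Two threads of the discussion above lend themselves to a small worked example from the examiner's side: keydet89's point that Vista onward has a native way to list arbitrary streams (`dir /r`), and ivalen's case where exfiltration data was staged as alternate streams of files in a folder, which shows up in such a listing as near-empty files carrying large named streams. The script below is an added example, not code from the thread or from any of the tools it mentions (LADS, Streams, ADSspy). It parses a `dir /r` listing, groups streams by file, sets aside the Zone.Identifier marker that browsers write on downloads (the "Zone Identifier ADS's" article in rohn's list), and flags everything else for review; it also reads the ZoneId out of a Zone.Identifier stream. The listing, file names and stream names are constructed for the example, and the exact column layout of `dir /r` is assumed from memory rather than taken from the thread.

```python
"""NTFS alternate data stream (ADS) triage from a `dir /r` listing.

Added example, not code from the thread or from any tool mentioned in it.
`dir /r` is the native listing of alternate streams available from Vista
onward (the thread notes there is no native viewer on NT through XP/2003).
Everything in SAMPLE_DIR_R is constructed; the column layout is assumed.
"""
import configparser
import re
from typing import Dict, List, NamedTuple, Optional

# Constructed sample of `dir /r` output. Stream lines carry no date/time;
# the size shown for a file is its unnamed ($DATA) stream only, so a file
# can appear as 0 bytes while holding a large alternate stream.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 0000-0000

 Directory of C:\\Users\\analyst\\Downloads

25/02/2009  07:25 PM    <DIR>          .
25/02/2009  07:25 PM    <DIR>          ..
24/02/2009  06:26 PM            12,345 report.docx
                                    26 report.docx:Zone.Identifier:$DATA
25/02/2009  07:25 PM                 0 staging.txt
                               204,800 staging.txt:payload.rar:$DATA
25/02/2009  07:30 PM             1,024 notes.txt
               3 File(s)         13,369 bytes
               2 Dir(s)  10,000,000,000 bytes free
"""


class Stream(NamedTuple):
    name: str
    size: int


# A file entry: date, time, size or <DIR>, then the name.
FILE_LINE = re.compile(
    r"^\d{2}/\d{2}/\d{4}\s+\d{2}:\d{2}(?:\s*[AP]M)?\s+(<DIR>|[\d,]+)\s+(.+?)\s*$")
# An alternate stream entry: indented size, then file:stream:$DATA.
STREAM_LINE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:\\]+):\$DATA\s*$")

# Streams an examiner expects to see: the mark-of-the-web that browsers
# and mail clients write when a file is downloaded.
EXPECTED_STREAMS = {"Zone.Identifier"}

# URLMON security zone ids recorded in the Zone.Identifier stream.
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def parse_dir_r(listing: str) -> Dict[str, List[Stream]]:
    """Map each file in the listing to its alternate streams (possibly none)."""
    streams: Dict[str, List[Stream]] = {}
    for line in listing.splitlines():
        m = FILE_LINE.match(line)
        if m:
            if m.group(1) != "<DIR>":
                streams.setdefault(m.group(2), [])
            continue
        m = STREAM_LINE.match(line)
        if m:
            size, fname, sname = m.groups()
            streams.setdefault(fname, []).append(
                Stream(sname, int(size.replace(",", ""))))
    return streams


def suspicious_streams(streams: Dict[str, List[Stream]]) -> Dict[str, List[Stream]]:
    """Keep only files carrying streams other than the expected marker."""
    out: Dict[str, List[Stream]] = {}
    for fname, ss in streams.items():
        odd = [s for s in ss if s.name not in EXPECTED_STREAMS]
        if odd:
            out[fname] = odd
    return out


def parse_zone_identifier(content: str) -> Optional[int]:
    """Return the ZoneId from a Zone.Identifier stream body, or None if absent."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(content)
    if not cfg.has_option("ZoneTransfer", "ZoneId"):
        return None
    return cfg.getint("ZoneTransfer", "ZoneId")


def zone_name(zone_id: Optional[int]) -> str:
    """Human-readable zone for a ZoneId, 'none' when no id was recorded."""
    if zone_id is None:
        return "none"
    return ZONE_NAMES.get(zone_id, "unknown")


if __name__ == "__main__":
    found = parse_dir_r(SAMPLE_DIR_R)
    for fname, ss in found.items():
        print(fname, [f"{s.name} ({s.size} bytes)" for s in ss] or "no alternate streams")
    for fname, ss in suspicious_streams(found).items():
        print("REVIEW:", fname, "->", ", ".join(s.name for s in ss))
    # Constructed Zone.Identifier body as a browser would write it for a download.
    print("report.docx came from zone:",
          zone_name(parse_zone_identifier("[ZoneTransfer]\nZoneId=3\n")))
```

On the constructed listing, `staging.txt` is the file to look at: it reports 0 bytes in Explorer or a plain `dir`, yet carries a 204,800-byte `payload.rar` stream, which is exactly the shape of the staging ivalen describes. `report.docx` only has the Zone.Identifier marker and is left alone. Streams opened by a real process are not visible this way, so the listing is a static check that complements, rather than replaces, the tools named in the thread.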