Alternate Data Streams related cases  

forenz
(@forenz)
Junior Member

Hi, I'm writing a paper on ADSes and was wondering if anyone could point me to documentation that contains details of cases that have involved these in the past - malware, stolen documents for example.

Any help here would be great, if you think of anything that is related to ADSes and you think might be relevant could you also let me know please.

Your help is appreciated, thanks.

Posted : 24/02/2009 6:26 pm
keydet89
(@keydet89)
Community Legend

"Windows Forensic Analysis" contains some of what you're looking for. Unfortunately, in most instances, the specific details of an examination or case are not made available to that level.

I'm sure that spending some time on Google would turn up some interesting information, as well.

Posted : 24/02/2009 7:42 pm
forenz
(@forenz)
Junior Member

I have "Windows Forensic Analysis" haha, I've already used that as a help. That's what I thought, but I also thought people on here might know better, and also: why exactly can ADSes not be viewed in Windows XP? Is the answer as simple as there being no native tools, or is there a more in-depth one? If there is, I'd like to know.

Thanks for the reply

Posted : 25/02/2009 12:14 am
keydet89
(@keydet89)
Community Legend

So, on pg 242 of WFA, the book states that there are no native tools (caveat this applies to Windows NT, 2000, XP and 2003…fig 5.11 on pg 244 illustrates how to do this on Vista) in Windows that allow you to view arbitrary ADSs.

If you can find a native tool on Windows NT through 2003 that can be used to locate and view arbitrary ADSs, please…I'm sure we'd all love to hear about it.

Posted : 25/02/2009 1:12 am
ronanmagee
(@ronanmagee)
Active Member

There's a good article with an example of how it might be used … here

The LADS tool should also help you.

I believe ADS was first introduced to allow Windows to be compatible with Macs.

Sysinternals tool called stream may also help.

Ronan

Posted : 25/02/2009 5:14 am
darren_q
(@darren_q)
Junior Member

ADSspy - http://www.bleepingcomputer.com/files/adsspy.php - is another good one

Posted : 25/02/2009 6:10 am
ecophobia
(@ecophobia)
Active Member

I still have this page bookmarked: http://www2.tech.purdue.edu/cit/Courses/cit556/readings/NTFSDarkside.pdf

One guy by the name H. Carvey did an excellent write-up about ADS. The paper is quite old, so must be the guy who wrote the paper.
:) Hello Harlan :-)

SANS also got something about ADS.
http://sansforensics.wordpress.com/2009/02/09/the-trojan-solved-it-catching-a-fraudster-with-another-criminal-myspacceexe/

Posted : 25/02/2009 8:43 am
Ivalen
(@ivalen)
Junior Member

Hi, I'm writing a paper on ADSes and was wondering if anyone could point me to documentation that contains details of cases that have involved these in the past - malware, stolen documents for example.

Not going to reveal case specifics, but one malware case I worked involved the collection of data prior to archiving and exfiltration by using ADS. Each file to be exfiltrated was copied as an ADS to a single folder, those streams RAR'd, and the RAR transmitted out.

Posted : 25/02/2009 7:25 pm
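Two posts above raise the same practical question from the defender's side: keydet89 notes that NT through 2003 ship no native tool for listing arbitrary ADSs (Vista and later do; from cmd, `dir /r` shows named streams), and Ivalen describes a case where exfiltration data was staged as streams attached to a single folder. The script below is an added example written for this thread, not code from any of the posters or from the books and tools they mention. It assumes Windows PowerShell 3.0 or later (or PowerShell 7) on an NTFS volume and uses the built-in `-Stream` parameter of `Get-Item`/`Get-Content`. It goes slightly beyond the posts by checking directories as well as files, since a staging folder itself can carry the streams.

```powershell
# Added example (not from the thread): enumerate named NTFS alternate data
# streams under a root path, on files AND directories, and report size + SHA-256
# so that unusual streams can be triaged or matched against known hashes.
# Assumes Windows PowerShell 3.0+ or PowerShell 7 on an NTFS volume.
function Find-AlternateStreams {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Root,
        # Zone.Identifier is the browser "mark of the web" and is normally benign noise.
        [switch]$IncludeZoneIdentifier
    )

    # Directories can carry ADSs too, so include the root and every child item.
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue
        foreach ($s in $streams) {
            # ':$DATA' is the unnamed default stream, i.e. the ordinary file content.
            if ($s.Stream -eq ':$DATA') { continue }
            if (-not $IncludeZoneIdentifier -and $s.Stream -eq 'Zone.Identifier') { continue }

            $hash = '(empty)'
            if ($s.Length -gt 0) {
                # Read the stream bytes; the byte-encoding switch differs between PS 5.1 and 7.
                $bytes = if ($PSVersionTable.PSVersion.Major -ge 6) {
                    Get-Content -LiteralPath $item.FullName -Stream $s.Stream -AsByteStream -ReadCount 0
                } else {
                    Get-Content -LiteralPath $item.FullName -Stream $s.Stream -Encoding Byte -ReadCount 0
                }
                $sha  = [System.Security.Cryptography.SHA256]::Create()
                $hash = ($sha.ComputeHash([byte[]]$bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
                $sha.Dispose()
            }

            [pscustomobject]@{
                Path        = $item.FullName
                Stream      = $s.Stream
                Length      = $s.Length
                IsDirectory = $item.PSIsContainer
                Sha256      = $hash
            }
        }
    }
}

# Usage: list every named stream under a profile tree, largest first. A single
# folder holding many large named streams is the pattern Ivalen describes.
# Find-AlternateStreams -Root 'C:\Users' | Sort-Object Length -Descending | Format-Table -AutoSize
```

A stream named like a document or archive, or a directory object that carries streams at all, is worth a second look; Zone.Identifier is filtered by default because browsers attach it to every download, and `-IncludeZoneIdentifier` turns that back on when the download origin itself matters to the examination.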