Hi, I'm writing a paper on ADSes and was wondering if anyone could point me to documentation that contains details of cases that have involved these in the past - malware, stolen documents for example.
Any help here would be great. If you think of anything that is related to ADSes and you think might be relevant, could you also let me know please?
Your help is appreciated, thanks.
"Windows Forensic Analysis" contains some of what you're looking for. Unfortunately, in most instances, the specific details of an examination or case are not made available to that level.
I'm sure that spending some time on Google would turn up some interesting information, as well.
I have "Windows Forensic Analysis" haha, I've already used that as a help. That's what I thought, but I also thought people on here might know better. And also - why exactly can ADSes not be viewed in Windows XP? Is the answer as simple as there being no native tools, or is there a more in-depth one? If there is, I'd like to know.
Thanks for the reply
So, on pg 242 of WFA, the book states that there are no native tools (caveat this applies to Windows NT, 2000, XP and 2003…fig 5.11 on pg 244 illustrates how to do this on Vista) in Windows that allow you to view arbitrary ADSs.
If you can find a native tool on Windows NT through 2003 that can be used to locate and view arbitrary ADSs, please…I'm sure we'd all love to hear about it.
There's a good article with an example of how it might be used …
The
I believe ADS was first introduced to allow windows to be compatible with Macs.
Sysinternals tool called
Ronan
ADSspy - http//
I still have this page bookmarked http//
One guy by the name H. Carvey did an excellent write-up about ADS. The paper is quite old, so must be the guy who wrote the paper.
:) Hello Harlan :-)
SANS also got something about ADS.
http//
Not going to reveal case specifics, but one malware case I worked involved the collection of data prior to archiving and exfiltration by using ADS. Each file to be exfiltrated was copied as an ADS to a single folder, those streams RAR'd, and the RAR transmitted out.
Although for the most part they don't answer your specific question, here are links to some articles I've collected. Maybe you will find something useful in them or in the links they contain.
Dissecting NTFS Hidden Streams
HTH
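The staging pattern described in the malware case above (data copied into named streams of one holder file before archiving) can be spotted with the native `dir /r` listing that Vista and later provide. The following is an added example, not code from anyone in this thread: it parses constructed `dir /r` output, groups named `$DATA` streams by their carrier file, ignores the benign `Zone.Identifier` stream, and flags carriers whose stream payload exceeds a byte threshold. The sample listing and the threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of `dir /r` output (Vista+), not a capture from a real case.
SAMPLE_DIR_R = """\
 Directory of C:\\staging

01/14/2011  09:12 AM    <DIR>          .
01/14/2011  09:12 AM    <DIR>          ..
01/14/2011  09:12 AM                 0 holder.txt
                                 48,640 holder.txt:q3_forecast.xls:$DATA
                                102,912 holder.txt:contracts.doc:$DATA
01/14/2011  09:13 AM            12,345 setup.exe
                                     26 setup.exe:Zone.Identifier:$DATA
01/14/2011  09:13 AM             2,048 notes.txt
"""

# Stream lines carry no timestamp: leading spaces, a size, then file:stream:$DATA.
STREAM_LINE = re.compile(r"^\s+(\d[\d,]*)\s+(.+?):([^:]+):\$DATA\s*$")
# Streams commonly written by Windows itself (download marker); not staging evidence.
BENIGN_STREAMS = {"Zone.Identifier"}


def parse_streams(dir_output):
    """Return {carrier_file: [(stream_name, size_bytes), ...]} for named streams."""
    streams = defaultdict(list)
    for line in dir_output.splitlines():
        m = STREAM_LINE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            streams[m.group(2)].append((m.group(3), size))
    return dict(streams)


def suspicious_carriers(dir_output, min_total=1024):
    """Carrier files whose non-benign streams hold at least min_total bytes."""
    hits = {}
    for fname, entries in parse_streams(dir_output).items():
        payload = [(s, n) for s, n in entries if s not in BENIGN_STREAMS]
        total = sum(n for _, n in payload)
        if payload and total >= min_total:
            hits[fname] = {"streams": payload, "total_bytes": total}
    return hits


if __name__ == "__main__":
    for carrier, info in suspicious_carriers(SAMPLE_DIR_R).items():
        print(carrier, info["total_bytes"], "bytes in", [s for s, _ in info["streams"]])
```

On a live system, feed it the output of `dir /r /s` for the tree under review; a single small text file carrying tens of kilobytes of document-named streams is the signature the case above describes.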