Hi,
It seems ntfs-3g supports alternate data streams [1], but I couldn't find any free software alternative to search for those files.
Does anyone know about such software, or did you use 'find' or a Perl script to do this?
I'm trying to repeat a forensic challenge completely from Linux.
[1] http//
TIA for your help,
–
Roberto
Sleuth kit?
http://www.sleuthkit.org/
Also
PTK forensics
http://ptk.dflabs.com/index.php
Source
http://mtesauro.com/livecd/index.php?title=Open_Source_Tools_Supplement
jaclaz
Thank you for your reply. It seems these tools can show us the content of a file with more than one data stream… but they don't provide a search engine to find those files as LADS does.
To see the content of a file with an ADS you can even use "more"; the real problem is to locate that file.
I'll try to build some kind of script, it can't be that difficult! :-P
–
Roberto
PTK does what you are looking for, but with the full version.
Not sure what you mean by "search". The Sleuthkit provides a fine way to find ADS. The files are displayed with the ADS separated by a colon.
For example:
root@caesar:~# fls -o 59 ntfs_pract.dd.copy
r/r 4-128-4: $AttrDef
r/r 8-128-2: $BadClus
r/r 8-128-1: $BadClus:$Bad
r/r 6-128-1: $Bitmap
...[removed for brevity]
d/d 56-144-6: Favorites
d/d 72-144-6: My Documents
r/r 138-128-3: NTUSER.DAT
r/r 137-128-3: SVstunts.avi
r/r 137-128-4: SVstunts.avi:hacktrap.txt
d/d 144: $OrphanFiles
Note the last file in the list (SVstunts.avi) contains an alternate data stream ("hacktrap.txt"). That command shows the contents of the root directory.
To do a recursive search, you might use something as simple as this:
root@caesar:~# fls -r -o 59 ntfs_pract.dd.copy | grep ":[a-zA-Z]"
++ r/r 128-128-4: Thumbs.db:encryptable
r/r 137-128-4: SVstunts.avi:hacktrap.txt
The above command finds ADS recursively, ASSUMING the file names begin with an upper or lowercase letter (in reality, that might not be the case, but this is for illustration - adjust the regex to suit).
Barry
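Barry's pipeline, generalised as an added example (this is not code from the thread or from the Sleuth Kit project): a POSIX sh/awk filter that reads "fls -r" output and reports every entry whose name contains the NTFS stream separator ':', whatever character the stream name begins with, and also keeps the deleted entries that fls marks with '*'. It assumes the entry shape shown in Barry's listing, "type [*] address: name". The sample input is constructed for this example: only the SVstunts.avi and Thumbs.db lines mirror the post, and "9 notes.txt", "old.doc" and their addresses are made up.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Sleuth Kit project.
# Reads `fls -r` output on stdin and prints one line per alternate data stream:
#   <meta address> TAB <file name> TAB <stream name> TAB allocated|deleted
# fls lists each named $DATA attribute as its own entry "file:stream", so a ':'
# in the name column is the marker, whatever follows it (a grep for ":[a-zA-Z]"
# misses streams such as "file:1st_draft" or "file:$x").
find_ads() {
    awk '
    {
        line = $0
        sub(/^[+ ]+/, "", line)                 # drop the "++ " depth prefix fls -r adds
        # Assumed entry shape: type [*] address: name  (e.g. "r/r * 137-128-4:<TAB>name")
        if (!match(line, /^[^ \t]+[ \t]+(\* )?[0-9]+(-[0-9]+-[0-9]+)?:[ \t]+/)) next
        head = substr(line, 1, RLENGTH)
        name = substr(line, RLENGTH + 1)
        colon = index(name, ":")
        if (colon == 0) next                    # no ":" in the name: not an ADS entry
        status = (index(head, "*") > 0) ? "deleted" : "allocated"
        sub(/:[ \t]+$/, "", head)               # strip the ":" and separator after the address
        sub(/^.*[ \t]/, "", head)               # keep only the last token: the meta address
        printf "%s\t%s\t%s\t%s\n", head, substr(name, 1, colon - 1), substr(name, colon + 1), status
    }'
}

# Constructed sample in the shape of `fls -r -o 59 image.dd` output. Only the
# SVstunts.avi and Thumbs.db entries mirror the list post; the "9 notes.txt" and
# "old.doc" entries (a stream name starting with a digit, and a deleted entry) are
# made up to exercise the cases the simple grep misses. $BadClus:$Bad is the one
# named stream every NTFS volume carries, so expect it on every image.
sample_fls() {
    printf 'r/r 4-128-4:\t$AttrDef\n'
    printf 'r/r 8-128-2:\t$BadClus\n'
    printf 'r/r 8-128-1:\t$BadClus:$Bad\n'
    printf 'd/d 72-144-6:\tMy Documents\n'
    printf '++ r/r 128-128-4:\tThumbs.db:encryptable\n'
    printf '++ r/r 130-128-3:\t9 notes.txt\n'
    printf '++ r/r 130-128-4:\t9 notes.txt:1st_draft\n'
    printf 'r/r * 140-128-5:\told.doc:hidden\n'
    printf 'r/r 137-128-3:\tSVstunts.avi\n'
    printf 'r/r 137-128-4:\tSVstunts.avi:hacktrap.txt\n'
    printf 'd/d 144:\t$OrphanFiles\n'
}

# Real use:  fls -r -o 59 ntfs_pract.dd.copy | find_ads
# Stand-alone demo on the constructed sample:
sample_fls | find_ads
```

The meta address in the first column (e.g. 137-128-4) is what icat wants to dump the stream from the image, so the output feeds straight into the rest of the Sleuth Kit; the "deleted" flag matters because a stream whose parent entry is unallocated is still listed by fls -r and is usually the more interesting find.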
Thank you very much for your post… it's a great help. I must admit I didn't explore the Sleuthkit. You've renewed my interest in it. Greetings.
SMART from ASR Data will also identify alternate data streams.
Cheers!
farmerdude