Looking for Hidden messages

Suomi
(@suomi)
Active Member
Joined: 21 years ago
Posts: 8
 

This is just a total shot in the dark here, but I think you may be looking at this the wrong way.

At a quick twenty second glance I don't think that this relates to any forensic program, but rather a brain teaser.

Uhhhs!texu sintmd ce!e sx!ghodE nes hu riow!ho uhd!qhcture?

Maybe if you reorganize these letters in different patterns….

Basically, I agree with Andy!

Best of luck!


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Andy,

ADS are just a ‘possibility’ and although I am not overly familiar with their intricacies, I do believe they survive being copied across a Windows (NTFS) LAN or from one hard drive to another as long as both file systems are NTFS - so I wouldn't discount it without the full facts.

Not to belabor the point, but I just wanted to take the opportunity to clear up a possible misconception. For NTFS ADSs to "survive being copied across a Windows (NTFS) LAN", the method of copying is important. Copying or doing the old "drag and drop" via CIFS/SMB allows the ADS to survive. Using cp.exe from the RK will work, as well.

Other methods of copying…FTP or HTTP download for example, even between NTFS drives…will not preserve the ADS.

With regards to your final comment about full facts, I provided a link to a fairly comprehensive paper on the subject, and there is my book, as well.

Thanks,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com


   
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

With regards to the string of text, I think a Perl script that walks through the various rotational schemes would probably reveal something of interest…

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com


   
 Andy
(@andy)
Reputable Member
Joined: 21 years ago
Posts: 357
 

Harlan,

I meant the full facts from Juniper, regarding how he was presented with the files 😕 I think you have misunderstood the post…..

What I was trying to say was: for all we know he might have copied them from one NTFS volume to another, thus preserving the ADS. It's a long shot I know, but when I mentioned ADS I was trying to be helpful and suggest ideas for the original request - "Any tips would be gratefully appreciated".

I think a Perl script that walks through the various rotational schemes would probably reveal something of interest…

Can you elaborate? I tried several Caesar cipher/rot type decryption tools, and it still appeared as cipher text.

Andy
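
The rotation walk that keydet89 suggests and Andy asks about, as an added example that is not part of any post in the thread. It is written in Python rather than Perl and tries every alphabetic (Caesar/ROT-n) and printable-ASCII (ROT47-family) shift, ranking candidates by how many tokens are common English words; the word list, function names and scoring are assumptions of this example.

```python
import string

# Ciphertext exactly as quoted in the thread.
THREAD_TEXT = "Uhhhs!texu sintmd ce!e sx!ghodE nes hu riow!ho uhd!qhcture?"

# Constructed word list used only to rank candidates (an assumption of this
# example; a fuller run would use a dictionary or letter-frequency model).
COMMON = {"the", "this", "is", "in", "it", "and", "of", "to", "be",
          "that", "you", "for", "hidden", "message"}

def rot_alpha(text, n):
    """Caesar/ROT-n over A-Z and a-z only; other characters pass through."""
    out = []
    for ch in text:
        if ch.isascii() and ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            ch = chr((ord(ch) - base + n) % 26 + base)
        out.append(ch)
    return "".join(out)

def rot_printable(text, n):
    """Rotate within the 94 printable ASCII characters '!'..'~' (ROT47 family)."""
    return "".join(
        chr((ord(ch) - 33 + n) % 94 + 33) if 33 <= ord(ch) <= 126 else ch
        for ch in text)

def score(text):
    """Number of whitespace-separated tokens that are common English words."""
    tokens = (t.strip(string.punctuation).lower() for t in text.split())
    return sum(t in COMMON for t in tokens)

def walk_rotations(ciphertext):
    """Try every shift of both schemes; return (score, scheme, shift, text), best first."""
    results = []
    for scheme, func, size in (("alpha", rot_alpha, 26),
                               ("printable", rot_printable, 94)):
        for n in range(1, size):
            candidate = func(ciphertext, n)
            results.append((score(candidate), scheme, n, candidate))
    results.sort(key=lambda r: r[0], reverse=True)  # stable: ties keep shift order
    return results

if __name__ == "__main__":
    # Show the five highest-ranked candidates for the string from the thread.
    for s, scheme, n, candidate in walk_rotations(THREAD_TEXT)[:5]:
        print(f"{s}  {scheme:9} shift={n:2}  {candidate}")
```

A genuine rotation cipher produces one candidate that scores far above the rest; if every shift scores near zero, the text was not produced by a simple rotation.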


   