This is a well-known "issue" that was even part of the MCSE for NT 3.51
tutorial guides ;) Anyhow, it is still an issue, and the root cause for
others (like the IIS $$DATA information disclosure vulnerability). If
you google for it, you will also find tools to detect those alternate
data streams. Their presence can be the indication for an attack ("can"
as in "may") ;)

Those of you doing forensics please keep in mind that ADS can be stored
in the MFT, only, if the amount of data is low enough so that it will
fit in the unallocated part of the 4k MFT entry.

Just my 2cts...

Rainer

On Tue, 2003-10-21 at 14:16, Wally Eaton wrote:
> James,
> You may be thinking of "Streams" in Windows files. Data can be hidden in secondary
> files on NTFS partitions. I believe it was developed to be compatible with Apple/
> MAC systems. In any case the following is an example:
>
> Run CMD
> On an NTFS partition
>
> D:\> echo Hello > FrontFile
> D:\> type FrontFile
> Hello
>
> D:\> echo Good Day >> FrontFile
> D:\> type FrontFile
> Hello
> Good Day
>
> D:\> echo Secret Info > FrontFile:BackFile
> D:\> type FrontFile
> Hello
> Good Day
>
> D:\> more < FrontFile:BackFile
> Secret Info
>
> Now add data to the FrontFile only
>
> D:\> echo Good Evening >> FrontFile
> D:\> type FrontFile
> Hello
> Good Day
> Good evening
>
> Now add data to the BackFile only
>
> D:\> echo More Secret Data >>FrontFile:BackFile
> D:\> more < FrontFile:BackFile
> Secret Info
> More Secret Data
>
> You will notice if you enter a DIR command that only the FrontFile will be
> displayed. Furthermore, the size of the file will reflect only the content of the
> FrontFile.
> Have a great day.
> Wally
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
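
The forensic point above, as an added example that is not part of the original post or of any tool it alludes to: Python that walks the attributes of one raw MFT FILE record and reports every $DATA attribute with its stream name and whether its content is resident in the record itself. The sample record, its contents and all function names are constructed for illustration, and update-sequence fixups are assumed to be already applied to the record.

```python
import struct

DATA_ATTR = 0x80         # NTFS $DATA attribute type code
END_MARKER = 0xFFFFFFFF  # terminates the attribute list in a FILE record

def data_streams(record):
    """List (name, resident, content) for each $DATA attribute of one MFT record."""
    # Assumption: update-sequence fixups were already applied to the raw record.
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off, = struct.unpack_from("<H", record, 0x14)   # offset of first attribute
    used = min(struct.unpack_from("<I", record, 0x18)[0], len(record))
    streams = []
    while off + 4 <= used:
        atype, = struct.unpack_from("<I", record, off)
        if atype == END_MARKER:
            break
        alen, nonres, nlen, noff = struct.unpack_from("<IBBH", record, off + 4)
        if alen < 0x18 or off + alen > used:
            raise ValueError("corrupt attribute length")
        if atype == DATA_ATTR:
            name = record[off + noff:off + noff + 2 * nlen].decode("utf-16-le")
            content = None                          # non-resident: data lives in clusters
            if not nonres:                          # resident: data sits inside the record
                clen, coff = struct.unpack_from("<IH", record, off + 0x10)
                content = record[off + coff:off + coff + clen]
            streams.append((name, not nonres, content))
        off += alen
    return streams

def alternate_streams(record):
    """Named $DATA attributes only; the unnamed one is the file's normal content."""
    return [s for s in data_streams(record) if s[0]]

def _resident_attr(name, content):
    """Build one resident $DATA attribute (constructed sample data)."""
    raw = name.encode("utf-16-le")
    coff = (0x18 + len(raw) + 7) & ~7               # content starts 8-byte aligned
    total = (coff + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHBB", DATA_ATTR, total, 0, len(name), 0x18, 0, 0,
                      len(content), coff, 0, 0)
    return ((hdr + raw).ljust(coff, b"\0") + content).ljust(total, b"\0")

def sample_record():
    """Constructed FILE record: unnamed stream plus an ADS named 'BackFile'."""
    attrs = (_resident_attr("", b"Hello\r\n") + _resident_attr("BackFile", b"Secret Info\r\n")
             + struct.pack("<II", END_MARKER, 0))
    hdr = struct.pack("<4s16xHHII", b"FILE", 0x38, 1, 0x38 + len(attrs), 1024)
    return (hdr.ljust(0x38, b"\0") + attrs).ljust(1024, b"\0")
```

Calling `alternate_streams(sample_record())` returns the named stream together with its resident content, which is the case where the hidden data never leaves the MFT record.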
