At 04:06 PM 8/30/2005, Hugh wrote:
>
> Still got only 2.5Gb free space out of 40 with
> only 18Gb of real files....

Using NTFS ? -- then it "could" be... "ADS" !!

(Could be a hacker running a root kit and server, full stealth...)

to find out -- run this freeware:

Stream Explorer v1.0.3
>> http://www.rekenwonder.com/streamexplorer.htm

NTFS Streams - What you should know!
>> http://www.auditmypc.com/freescan/readingroom/ntfsstreams.asp

excerpt:
" For example: You could have a small text file (hello.txt of say 1k in size) -- however, attached to it is an executable program that is 5 megs in size. When you do a directory listing (look for files on your pc), the system will show you a small 1k text file without revealing the 5 meg file. "

FAQ: Alternate Data Streams in NTFS
>> <http://web.archive.org/web/20041028083910/http://www.heysoft.de/Frames/f_faq_ads_en.htm>

excerpt:
"... They are totally hidden. You can have a file with 1 byte in the official main data stream and some hundred MB in one or more alternate data streams. What do you expect the dir command, file manager or explorer to show as the size of this file? It is 1 byte! "

Hidden NTFS Alternate Data Streams (ADS) Explained - Are You At Risk?
>> http://www.diamondcs.com.au/index.php?page=archive&id=ntfs-streams

Hidden Threat: Alternate Data Streams
>> http://www.windowsecurity.com/articles/Alternate_Data_Streams.html

Detecting Alternate Data Streams
>> http://www.windowsitpro.com/Article/ArticleID/16189/16189.html

The Dark Side of NTFS
>> <http://web.archive.org/web/20041130094122/http://patriot.net/~carvdawg/docs/dark_side.html>

ADS, Alternate Data Streams - Out of the Shadows and into the Light - Ryan_Means_GCWN -- PDF
>> <http://web.archive.org/web/20040727091507/http://www.giac.org/practical/GCWN/Ryan_Means_GCWN.pdf>

ADS, Alternate Data Streams - Damon_Martin_GSEC - PDF
>> <http://web.archive.org/web/20041108140131/http://www.giac.org/practical/gsec/Damon_Martin_GSEC.pdf>

Windows NT File System Multiple Data Streams
>> <http://web.archive.org/web/20000621050703/http://www.merxsoft.com/mersoft-Free/Information/ntfsmds.htm>

What Forensic Analysts should know about NT Alternate Data Streams (ADS)
>> http://www.maresware.com/maresware/articles/ads.htm

Identify and Copy NTFS Alternate Data Streams
>> http://www.maresware.com/maresware/html/copy_ads.htm
http://www.maresware.com/maresware/ac.htm#COPYADS

Stream Explorer v1.0.3
>> http://www.rekenwonder.com/streamexplorer.htm

Streams v1.53 - August 15, 2005
>> http://www.sysinternals.com/Utilities/Streams.html
http://www.sysinternals.com/Files/Streams.zip

ADS Spy - Merijn.org
>> http://216.180.233.162/~merijn/files/adsspy.zip
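
Added example, not part of the original message and not one of the tools listed in it: a PowerShell audit that totals the space held in alternate data streams, which is the quantity a directory listing leaves out. It assumes PowerShell 3.0 or later (for the built-in `-Stream` parameter) on an NTFS volume; `$Root` and `$Top` are illustrative parameter names.

```powershell
# Added example: list NTFS alternate data streams (ADS) under a folder and
# report how much space they hold. Read-only; nothing is modified or deleted.
param(
    [string]$Root = 'C:\',   # assumption: folder or drive to audit
    [int]$Top = 25           # how many of the largest streams to show
)

# Walk the tree and ask each item for all of its streams.
# ':$DATA' is the ordinary file content, so everything else is an ADS.
# Access-denied items, and directories on shells that cannot query them,
# are skipped silently.
$streams = @(
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -Force -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' }
)

# 'Zone.Identifier' is the small marker Windows attaches to downloaded files;
# it is expected and tiny, so separate it from everything else.
$marker = @($streams | Where-Object { $_.Stream -eq 'Zone.Identifier' })
$other  = @($streams | Where-Object { $_.Stream -ne 'Zone.Identifier' })

$totalBytes = ($streams | Measure-Object -Property Length -Sum).Sum
$otherBytes = ($other   | Measure-Object -Property Length -Sum).Sum

'{0} alternate streams found, {1:N1} MB in total' -f $streams.Count, ($totalBytes / 1MB)
'{0} are Zone.Identifier download markers' -f $marker.Count
'{0} other streams hold {1:N1} MB' -f $other.Count, ($otherBytes / 1MB)

# Largest streams first: a file whose stream is far bigger than its visible
# size is the case the excerpts above describe.
$other |
    Sort-Object -Property Length -Descending |
    Select-Object -First $Top -Property FileName, Stream, Length |
    Format-Table -AutoSize
```

If the total is only a few MB, alternate data streams do not account for the missing space and the cause lies elsewhere.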
