> Now, considering that there are at least 5 methods of
> running files from within ADSs on NTFS5 (only 1
> documented method on NTFS4), how does this bode for
> the future of incident response and forensics?

I think this just means adding a couple extra steps to a typical investigation. Typically, when I am looking at an NT or Win2K box that has been owned, it is in my workplan to check for files hidden in ADSs. For obvious reasons this isn't my first step, but it is a process I perform on one of the multiple images taken of the owned system.

I also use alternate data streams a lot when doing pen-tests, as it is great to hide all of my tools in the \temp\ directory and either launch them from the ADS or simply unhide them, use them, then hide them again.

Perhaps Anti-Virus vendors need to incorporate the ability to check for ADSs during a scan -- would make life much easier.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management
and tracking system please see: http://aris.securityfocus.com
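A defender's version of the investigation step described above (checking a compromised NT-family box for files hidden in ADSs), added here as an example and not code from the original post or the list: it walks a directory tree, lists every named stream other than the default $DATA stream, skips Zone.Identifier by default, and flags streams whose first bytes are an MZ header. It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; the function name and the C:\Temp starting point are assumptions.

```powershell
# Added example (not from the original post): enumerate NTFS alternate data
# streams below a path and report the ones worth a closer look.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume.
function Find-SuspiciousADS {
    param(
        [string]$Root = 'C:\Temp',                       # assumed starting point
        [string[]]$IgnoreStreams = @('Zone.Identifier')  # browser mark-of-the-web, usually benign
    )

    # Get-Content reads raw bytes with -Encoding Byte on 5.1 and -AsByteStream on 7+
    $byteOpts = @{ Encoding = 'Byte' }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $byteOpts = @{ AsByteStream = $true } }

    # Directories can carry streams too, so do not restrict to -File; -Force includes hidden items
    $items = @(Get-Item -LiteralPath $Root -Force) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $items) {
        # Get-Item -Stream * lists every stream; the unnamed default one shows as ':$DATA'
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStreams -notcontains $_.Stream }

        foreach ($s in $streams) {
            # Peek at the first two bytes: 'MZ' means an executable image is parked in the stream
            $looksLikePE = $false
            try {
                $head = Get-Content -LiteralPath $item.FullName -Stream $s.Stream -TotalCount 2 -ErrorAction Stop @byteOpts
                $looksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
            } catch { }   # unreadable stream: still report it, just without the PE hint

            [PSCustomObject]@{
                Path        = $item.FullName
                Stream      = $s.Stream
                Length      = $s.Length
                LooksLikePE = $looksLikePE
            }
        }
    }
}

# Usage: list findings, executables first
Find-SuspiciousADS -Root 'C:\Temp' | Sort-Object LooksLikePE -Descending | Format-Table -AutoSize
```

Run it against a mounted image rather than the live system where possible, and review anything flagged LooksLikePE by hand; a named stream is a hiding place, not proof of compromise on its own.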
This archive was generated by hypermail 2b30 : Wed Dec 05 2001 - 18:48:21 PST