Likewise, analysis of ADS is a standard process in all forensic examinations I perform. Although I don't rely on it, EnCase does attempt to identify all ADS as standard too. It is important to have a forensic examination methodology that covers this kind of "hidden" data. Even if you don't find anything, you can at least counter the opposition argument that you have not carried out a thorough examination.

shelly

*********** REPLY SEPARATOR ***********

On 05/12/2001 at 15:17 Steve wrote:

>> Now, considering that there are at least 5 methods of
>> running files from within ADSs on NTFS5 (only 1
>> documented method on NTFS4), how does this bode for
>> the future of incident response and forensics?
>
>I think this just means adding a couple extra steps to a typical
>investigation. Typically, when I am looking at an NT or Win2K box that
>has been owned it is in my workplan to check for files hidden in ADSs.
>For obvious reasons this isn't my first step, but it is a process I
>perform on one of the multiple images taken of the owned system.
>
>I also use alternate data streams a lot when doing pen-tests as it is
>great to hide all of my tools in the \temp\ directory and either launch
>them from the ADS or simply unhide them, use them, then hide them again.
>
>Perhaps Anti-Virus vendors need to incorporate the ability to check for
>ADSs during a scan -- would make life much easier.
>
>
>-----------------------------------------------------------------
>This list is provided by the SecurityFocus ARIS analyzer service.
>For more information on this free incident handling, management
>and tracking system please see: http://aris.securityfocus.com
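The examination step both posters describe, walking a file tree and listing every named alternate data stream so hidden content can be reviewed, as an added example that is not part of the original thread. It assumes Windows PowerShell 3.0 or later (or PowerShell 7) on the system or mounted image being examined; the `$Root` path is an assumed placeholder.

```powershell
# Added example, not from the original mailing-list thread: enumerate named
# alternate data streams under $Root and flag streams that begin with the
# 'MZ' header of a Windows executable. Assumes Windows PowerShell 3.0+ or
# PowerShell 7 (Get-Item -Stream). $Root is an assumed placeholder path.
param([string]$Root = 'C:\temp')

function Get-AlternateDataStreams {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # '-Stream *' returns the unnamed ':$DATA' stream plus any named ones;
        # only the named streams carry "hidden" data worth reporting.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $stream = $_
            # Read the first two bytes of the stream: 'MZ' (0x4D 0x5A) marks a PE
            # executable regardless of the host file's name or extension.
            $bytes = if ($PSVersionTable.PSVersion.Major -ge 6) {
                Get-Content -LiteralPath $file.FullName -Stream $stream.Stream -AsByteStream -TotalCount 2 -ErrorAction SilentlyContinue
            } else {
                Get-Content -LiteralPath $file.FullName -Stream $stream.Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
            }
            $bytes = @($bytes)
            $isPe = ($bytes.Count -eq 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)

            [pscustomobject]@{
                File        = $file.FullName
                Stream      = $stream.Stream
                Length      = $stream.Length
                # Zone.Identifier is the common, benign Mark-of-the-Web stream;
                # any other named stream deserves a closer look.
                Benign      = ($stream.Stream -eq 'Zone.Identifier')
                LooksLikePE = $isPe
            }
        }
    }
}

# Show executable-looking streams first and keep a CSV for the case notes.
$results = Get-AlternateDataStreams -Path $Root
$results | Sort-Object LooksLikePE -Descending | Format-Table -AutoSize
$results | Export-Csv -LiteralPath (Join-Path $env:TEMP 'ads-report.csv') -NoTypeInformation
```

Run it against a mounted image rather than the live system where possible, since reading streams on a live box updates access times the examination may later rely on.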
This archive was generated by hypermail 2b30 : Thu Dec 06 2001 - 06:10:50 PST