> I think this just means adding a couple extra steps
> to a typical investigation.

Agreed. Making judgement calls regarding the type of case, and the technical sophistication of the suspect, can be a Very Bad Thing(tm). Including a scan for ADSs during a live investigation is an excellent idea, but only after the MAC times have been retrieved from the files. Also, having a means of performing signature analysis on arbitrary ADSs would be useful...though not conclusive if the suspect were really sophisticated and had taken steps to "protect" themselves.

> Typically, when I am looking at a NT or Win2K box that
> has been owned it is in my workplan to check for
> files hidden in ADSs.

What tools do you use? I assume this is after making a bit image copy of the drive.

Just out of curiosity, has anyone ever 'seen' an ADS with EnCase? Many forensics books (shout outs to Jay Heiser, Warren Kruse, and Eoghan Casey!!) use screen captures of EnCase to illustrate their points. "The Handbook of Computer Crime Investigations" has several such screen captures in Bob Sheldon's chapter on Windows forensics, showing what the Registry entries look like in EnCase 3.0. Does anyone have any screen captures of alternate data streams?

> I also use alternate data streams a lot when doing
> pen-tests as it is great to hide all of my tools in the \temp\
> directory and either launch them from the ADS or simply unhide them, use them,
> then hide them again.

Well, at least someone's using them! Benny and Ratter of 29A released a virus called W2K.Stream a bit ago that made use of ADSs. Not very effective use, but it still used them. So as of now, other than anything done by specific pen-testers, there doesn't seem to be much of a use for ADSs. MS, however, does use them in Explorer on 2K. You can create and view the contents of very specific ADSs on files through Explorer.

So...once again...MS has a 'feature' that they don't advertise, no tools available to detect ADSs, and yet they use them in some very specific cases.

> Perhaps Anti-Virus vendors need to incorporate the
> ability to check for ADSs during a scan -- would make life much easier.

Yes, perhaps. I attended an ISS conference in Atlanta in March, '01. I stopped by the Trend Micro booth and asked the person there if their product took NTFS alternate data streams into account. She responded with, "yes, we have modules for Exchange." After I recovered from that one, I thanked her for her time...

Perhaps if a major, high-profile case were found to make use of ADSs, then perhaps things would change. Fortunately for admins (and perhaps the A/V companies, as well) some of the viruses and worms that come out aren't very well written and the authors don't seem to use a lot of imagination when crafting them. Also, if the motivation of the author were to change from "I wanna be on CNN" to "I want to get in and out w/o anyone knowing I'm there", I think we'd see more ADSs and other sophisticated methods of data persistence.
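The live-investigation sweep the post describes (record MAC times first, then enumerate alternate data streams and run a signature check on each) as an added example, not code from the original message or from any tool named in it; it assumes Windows PowerShell 5.1 (for `-Encoding Byte`), a `$Root` directory parameter, and a small constructed magic-number table.

```powershell
# Added example: live-response ADS sweep on an NTFS volume (Windows PowerShell 5.1).
# $Root is an assumed parameter; the signature table below is constructed for illustration.
param([string]$Root = 'C:\temp')

# Constructed table: leading bytes (hex) -> type label used for a crude signature analysis.
$Signatures = @(
    @{ Hex = '4D5A';     Label = 'PE executable (MZ)' },
    @{ Hex = '504B0304'; Label = 'ZIP archive' },
    @{ Hex = '25504446'; Label = 'PDF document' },
    @{ Hex = '7F454C46'; Label = 'ELF executable' }
)

$Results = foreach ($File in Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue) {
    # 1. Capture MAC times BEFORE touching any stream: opening a stream can update the access time.
    $Mac = [pscustomobject]@{
        Modified = $File.LastWriteTimeUtc
        Accessed = $File.LastAccessTimeUtc
        Created  = $File.CreationTimeUtc
    }

    # 2. Enumerate named streams. ':$DATA' is the file's own unnamed data stream; anything else is an ADS.
    $Streams = Get-Item -LiteralPath $File.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' }

    foreach ($S in $Streams) {
        # 3. Signature check on the first 8 bytes of the stream.
        $Head = Get-Content -LiteralPath $File.FullName -Stream $S.Stream -Encoding Byte -TotalCount 8 -ErrorAction SilentlyContinue
        $Hex = if ($Head) { ($Head | ForEach-Object { $_.ToString('X2') }) -join '' } else { '' }
        $Label = 'unknown'
        foreach ($Sig in $Signatures) {
            if ($Hex.StartsWith($Sig.Hex)) { $Label = $Sig.Label; break }
        }

        [pscustomobject]@{
            File     = $File.FullName
            Stream   = $S.Stream
            Bytes    = $S.Length
            Type     = $Label
            Modified = $Mac.Modified
            Accessed = $Mac.Accessed
            Created  = $Mac.Created
        }
    }
}

# One row per ADS found, with the MAC times recorded before the stream was read.
$Results | Sort-Object File, Stream | Format-Table -AutoSize
```

An empty table means no named streams under `$Root`; a stream labelled `unknown` still deserves a look, since the table only covers a handful of formats.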
This archive was generated by hypermail 2b30 : Thu Dec 06 2001 - 06:12:03 PST