Testing freeware ADS detection programs

From: H C (keydet89at_private)
Date: Fri Dec 07 2001 - 09:02:14 PST


    Tools examined
    streams.exe from SysInternals
    sfind.exe from FoundStone
    CrucialADS from CrucialSecurity
    lads.exe from HeySoft.de (Frank Heyne)
    
    Note:  All tools were downloaded from the authors' web
    sites on 5, 6, and 7 Dec, 2001.
    
    Testing platform is Win2K.
    
    Methodology
    Create a directory called 'c:\ads'.  Create several
    ADSs within the directory, attached to both the
    directory listing as well as files.  Do so using the
    'type' command.  Also, add an ADS to a file using
    Explorer...select the file, right-click on it, select
    Properties, and then Summary.  Fill in arbitrary info,
    and save.
    
    All tools are located in c:\tools.  
    
    Results
    -----------------------------------------------------
    I started by running the command:
    
    c:\tools>lads c:\ads
    
    The result was:
    
    Scanning directory c:\ads\
    
          size  ADS in file
    ----------  ---------------------------------
         50960  c:\ads\:np.exe
         50960  c:\ads\:np3.exe
           120  c:\ads\myfile.txt:?SummaryInformation
            28  c:\ads\myfile.txt:hidden.txt
         34064  c:\ads\myfile.txt:sol.exe
             0  c:\ads\myfile.txt:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
         50960  c:\ads\myfile2.txt:np.exe
    
        187092 bytes found in 7 alternate data streams
    
    The results of lads.exe show exactly what I've put in
    the test directory.  I have 2 copies of Notepad.exe
    associated with the directory listing, a copy of
    Solitaire associated with a file, and various other
    sundry ADSs.  The two odd ADSs are a result of
    saving Summary information for myfile.txt via Windows
    Explorer.
    
    Next, I ran sfind.exe from FoundStone's
    ForensicToolkit:
    
    C:\tools>sfind c:\ads
    
    The results are as follows:
    
    Searching...
    c:\ads
      myfile2.txt:np.exe Size: 50960
    Finished
    
    That's odd.  So then I checked the syntax:
    
    C:\tools>sfind /?
    Seek and Destroy - Information Warfare
    
    SFind v1.2.2 - Copyright(c) 1998, Foundstone, Inc.
    Alternate Data Stream Finder
    Programming by JD Glaser - All Rights Reserved
            Usage - sfind [path] /ns
            [dirpath]       Directory to search - none equals current
            -ns             Skip sub-directories
            - or /          Either switch statement can be used
            -?              Help
    COMMAND PROMPT MUST HAVE A MINIMUM WIDTH OF 80 CHARACTERS
    Zechariah 12:9 - "I will seek to destroy all nations who oppose Jerusalem"
    
    See http://www.foundstone.com for updates/fixes
    
    Okay.  So then I tried moving up a directory and
    running: 
    
    C:\tools>sfind c:\
    
    At this point, sfind.exe began checking the entire
    hard drive.  While it did find some ADSs I'd put into
    another directory for a different test, it never
    reported finding the ADSs in c:\ads.  Also, sfind.exe
    seemed to be stuck in a loop...it reported finding the
    ADSs in the other directory 3 times, and continued
    searching the same directories and files over and over
    again...I stopped the program with Ctrl-C after the
    third sweep.
    
    I followed that with one more test:
    
    C:\tools>sfind c:\ads\*
    Searching...
    Finished
    
    Ah...it didn't find the ADSs.  On to the next
    tool...streams.exe from SysInternals:
    
    C:\tools>streams c:\ads
    
    This resulted in:
    
    Streams v1.3 - Enumerate alternate NTFS data streams
    Copyright (C) 1999-2001 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    c:\ads:
              :np.exe:$DATA 50960
             :np3.exe:$DATA 50960
    
    Okay, let's try another command:
    
    C:\tools>streams c:\ads\*
    
    This one resulted in:
    
    Streams v1.3 - Enumerate alternate NTFS data streams
    Copyright (C) 1999-2001 Mark Russinovich
    Sysinternals - www.sysinternals.com
    
    c:\ads\myfile.txt:
       :?SummaryInformation:$DATA   120
          :hidden.txt:$DATA 28
             :sol.exe:$DATA 34064
       :{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA      0
    c:\ads\myfile2.txt:
              :np.exe:$DATA 50960
    
    Okay, so there are the ADSs associated with the file. 
    For the syntax of the command, you have to go to
    http://www.sysinternals.com/ntw2k/source/misc.shtml#Streams
    and you'll see: 
    
    Usage: streams [-s] <file or directory>
    
    -s         Recurse subdirectories.
    
    Streams takes wildcards e.g. 'streams *.txt'.
    
    Finally, the last tool is CrucialADS.  This tool is
    GUI based, and when it opens, your only choices are a
    drop-down box of available NTFS drives.  The tool
    scanned quickly, and reported the ADSs it found (and
    it found all of them) in red text.
    
    Conclusion
    ------------------------------------------------------
    lads.exe is by far the best tool available.  Because it's
    a CLI tool, it can be easily scripted, and the output
    can be piped across a socket (netcat) during a 'live'
    forensics investigation.  While CrucialADS found the
    ADSs with as little user interaction as lads.exe, it's
    not nearly as flexible as lads.exe.
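    As an added example (not from the post, and not code from any of the tool
    authors), the Python below parses the lads.exe and streams.exe listing
    formats quoted above into {(host, stream): size} maps and reports which
    streams a given run failed to list; the sample inputs are the post's own
    listings with the mail wrapping removed, and the host normalisation (lower
    case, no trailing backslash) is my assumption so the two tools' output can be
    compared directly.

```python
"""Added example (not from the post): parse lads.exe and streams.exe output into
{(host, stream): size}.  Sample inputs are the post's listings, line wraps removed."""
import re

LADS_OUT = r"""Scanning directory c:\ads\
     50960  c:\ads\:np.exe
     50960  c:\ads\:np3.exe
       120  c:\ads\myfile.txt:?SummaryInformation
        28  c:\ads\myfile.txt:hidden.txt
     34064  c:\ads\myfile.txt:sol.exe
         0  c:\ads\myfile.txt:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
     50960  c:\ads\myfile2.txt:np.exe

    187092 bytes found in 7 alternate data streams
"""
STREAMS_DIR_OUT = r"""c:\ads:
          :np.exe:$DATA 50960
         :np3.exe:$DATA 50960
"""
STREAMS_FILES_OUT = r"""c:\ads\myfile.txt:
   :?SummaryInformation:$DATA   120
      :hidden.txt:$DATA 28
         :sol.exe:$DATA 34064
   :{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA      0
c:\ads\myfile2.txt:
          :np.exe:$DATA 50960
"""

def parse_lads(text):
    """lads.exe prints '<size>  <host>:<stream>'; hosts are normalised to match streams.exe."""
    found = {}
    for m in re.finditer(r"^\s*(\d+)\s+([A-Za-z]:\\.*?)\s*$", text, re.M):
        host, _, stream = m.group(2).rpartition(":")  # 'c:\ads\:np.exe' -> dir-attached ADS
        found[(host.rstrip("\\").lower(), stream)] = int(m.group(1))
    total = re.search(r"(\d+) bytes found in (\d+) alternate data streams", text)
    if total and (int(total[1]), int(total[2])) != (sum(found.values()), len(found)):
        raise ValueError("lads summary line disagrees with entries (truncated output?)")
    return found

def parse_streams(text):
    """streams.exe prints a '<host>:' heading, then one ':<stream>:$DATA <size>' line per ADS."""
    found, host = {}, None
    for line in text.splitlines():
        if head := re.match(r"^([A-Za-z]:\\.*):\s*$", line):
            host = head.group(1).rstrip("\\").lower()
        elif (ads := re.match(r"^\s*:(.+?):\$DATA\s+(\d+)\s*$", line)) and host:
            found[(host, ads.group(1))] = int(ads.group(2))
    return found

def missing_streams(reference, observed):
    """(host, stream) pairs in the reference listing that a run failed to report."""
    return sorted(set(reference) - set(observed))
```

    Run against the post's listings, the directory-only streams run misses the
    five file-attached ADSs, and only the merge of both streams runs matches lads.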
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com