Tools examined
-----------------------------------------------------

  streams.exe from SysInternals
  sfind.exe from FoundStone
  CrucialADS from CrucialSecurity
  lads.exe from HeySoft.de (Frank Heyne)

Note: All tools were downloaded from the authors' web sites on 5, 6, and 7 Dec, 2001. Testing platform is Win2K.

Methodology
-----------------------------------------------------

Create a directory called 'c:\ads'. Create several ADSs within the directory, attached to both the directory listing as well as files. Do so using the 'type' command. Also, add an ADS to a file using Explorer...select the file, right-click on it, select Properties, and then Summary. Fill in arbitrary info, and save. All tools are located in c:\tools.

Results
-----------------------------------------------------

I started by running the command:

  c:\tools>lads c:\ads

The result was:

  Scanning directory c:\ads\

        size  ADS in file
  ----------  ---------------------------------
       50960  c:\ads\:np.exe
       50960  c:\ads\:np3.exe
         120  c:\ads\myfile.txt:?SummaryInformation
          28  c:\ads\myfile.txt:hidden.txt
       34064  c:\ads\myfile.txt:sol.exe
           0  c:\ads\myfile.txt:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
       50960  c:\ads\myfile2.txt:np.exe

  187092 bytes found in 7 alternate data streams

The results of lads.exe show exactly what I've put in the test directory. I have 2 copies of Notepad.exe associated with the directory listing, a copy of Solitaire associated with a file, and various other sundry ADSs. The two odd ADSs are a result of saving Summary information for myfile.txt via Windows Explorer.

Next, I ran sfind.exe from FoundStone's ForensicToolkit:

  C:\tools>sfind c:\ads

The results are as follows:

  Searching...
  c:\ads
    myfile2.txt:np.exe  Size: 50960
  Finished

That's odd. So then I checked the syntax:

  C:\tools>sfind /?

  Seek and Destroy - Information Warfare
  SFind v1.2.2 - Copyright(c) 1998, Foundstone, Inc.
  Alternate Data Stream Finder
  Programming by JD Glaser - All Rights Reserved

  Usage - sfind [path] /ns
    [dirpath]   Directory to search - none equals current
    -ns         Skip sub-directories
    - or /      Either switch statement can be used
    -?          Help

  COMMAND PROMPT MUST HAVE A MINIMUM WIDTH OF 80 CHARACTERS

  Zechariah 12:9 - "I will seek to destroy all nations who oppose Jerusalem"

  See http://www.foundstone.com for updates/fixes

Okay. So then I tried moving up a directory and running:

  C:\tools>sfind c:\

At this point, sfind.exe began checking the entire hard drive. While it did find some ADSs I'd put into another directory for a different test, it never reported finding the ADSs in c:\ads. Also, sfind.exe seemed to be stuck in a loop...it reported finding the ADSs in the other directory 3 times, and continued searching the same directories and files over and over again...I stopped the program with Ctrl-C after the third sweep.

I followed that with one more test:

  C:\tools>sfind c:\ads\*

  Searching...
  Finished

Ah...it didn't find the ADSs.

On to the next tool...streams.exe from SysInternals:

  C:\tools>streams c:\ads

This resulted in:

  Streams v1.3 - Enumerate alternate NTFS data streams
  Copyright (C) 1999-2001 Mark Russinovich
  Sysinternals - www.sysinternals.com

  c:\ads:
           :np.exe:$DATA       50960
           :np3.exe:$DATA      50960

Okay, let's try another command:

  C:\tools>streams c:\ads\*

This one resulted in:

  Streams v1.3 - Enumerate alternate NTFS data streams
  Copyright (C) 1999-2001 Mark Russinovich
  Sysinternals - www.sysinternals.com

  c:\ads\myfile.txt:
           :?SummaryInformation:$DATA                      120
           :hidden.txt:$DATA                                28
           :sol.exe:$DATA                                34064
           :{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA     0
  c:\ads\myfile2.txt:
           :np.exe:$DATA                                 50960

Okay, so there are the ADSs associated with the file. For the syntax of the command, you have to go to http://www.sysinternals.com/ntw2k/source/misc.shtml#Streams and you'll see:

  Usage: streams [-s] <file or directory>
    -s     Recurse subdirectories.
  Streams takes wildcards e.g. 'streams *.txt'.

Finally, the last tool is CrucialADS. This tool is GUI based, and when it opens, your only choices are a drop-down box of available NTFS drives.
The tool scanned quickly, and reported the ADSs it found (and it found all of them) in red text.

Conclusion
------------------------------------------------------

lads.exe is by far the best tool available. Because it's a CLI tool, it can be easily scripted, and the output can be piped across a socket (netcat) during a 'live' forensics investigation. While CrucialADS found the ADSs with as little user interaction as lads.exe, it's not nearly as flexible as lads.exe.

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
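As an added example (not part of the original post or any of the tools it reviews), the following PowerShell script rebuilds the c:\ads fixture described under Methodology using the same cmd.exe 'type' redirection, then enumerates the named streams under it in the size/name form that lads.exe prints, so the tool results above can be re-checked on a modern host. It assumes Windows PowerShell 3.0 or later on an NTFS volume, a $Root path without spaces, and that Get-Item -Stream can enumerate streams on directory entries as well as files (on versions where it cannot, the two directory-level streams would go unreported); the payload text is constructed.

```powershell
# Added example: rebuild the post's c:\ads test layout and enumerate its ADSs.
# Assumes Windows PowerShell 3.0+ on NTFS; $Root must not contain spaces.
param([string]$Root = 'C:\ads')

function New-AdsFixture {
    param([string]$Root)
    New-Item -ItemType Directory -Path $Root -Force | Out-Null
    $src = Join-Path $Root 'payload.tmp'        # constructed stand-in for np.exe / sol.exe
    Set-Content -LiteralPath $src -Value 'constructed payload content'
    Set-Content -LiteralPath "$Root\myfile.txt"  -Value 'ordinary visible content'
    Set-Content -LiteralPath "$Root\myfile2.txt" -Value 'ordinary visible content'
    # Streams on the directory entry itself (c:\ads:np.exe) and on files, created with
    # the same 'type source > target:stream' redirection the post's methodology uses.
    foreach ($target in "${Root}:np.exe", "${Root}:np3.exe",
                        "$Root\myfile.txt:sol.exe", "$Root\myfile.txt:hidden.txt",
                        "$Root\myfile2.txt:np.exe") {
        cmd /c "type $src > $target"
    }
    Remove-Item -LiteralPath $src
}

function Get-AdsReport {
    param([string]$Path)
    # Check the directory entry itself plus everything beneath it (hidden files too).
    # ':$DATA' is the normal unnamed content stream, so it is dropped; anything else
    # that remains is an alternate data stream.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Size   = $_.Length
                    Stream = "$($item.FullName):$($_.Stream)"
                }
            }
    }
}

New-AdsFixture -Root $Root
$report = @(Get-AdsReport -Path $Root)
$report | Format-Table -AutoSize
'{0} bytes found in {1} alternate data streams' -f `
    (($report | Measure-Object Size -Sum).Sum), $report.Count
```

The Explorer Summary streams (?SummaryInformation and the GUID-named stream) are not recreated, since the post adds those by hand through the Properties dialog; every other stream in the lads.exe listing above should appear in the report.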
This archive was generated by hypermail 2b30 : Fri Dec 07 2001 - 09:39:13 PST