
Alternate Data Streams related cases

  

forenz
Member
 

Alternate Data Streams related cases

Posted: Feb 24, 09 18:26

Hi, I'm writing a paper on ADSes and was wondering if anyone could point me to documentation that contains details of cases that have involved these in the past - malware, stolen documents for example.

Any help here would be great. If you think of anything that is related to ADSes and you think might be relevant, could you also let me know please?

Your help is appreciated, thanks.  
 
  

keydet89
Senior Member
 

Re: Alternate Data Streams related cases

Posted: Feb 24, 09 19:42

"Windows Forensic Analysis" contains some of what you're looking for. Unfortunately, in most instances, the specific details of an examination or case are not made available to that level.

I'm sure that spending some time on Google would turn up some interesting information, as well.  
 
  

forenz
Member
 

Re: Alternate Data Streams related cases

Posted: Feb 25, 09 00:14

I have "Windows Forensic Analysis" haha, I've already used that as a help. That's what I thought, but I also thought people on here might know better. Also, why exactly can ADSes not be viewed in Windows XP? Is the answer as simple as there being no native tools, or is there a more in-depth one? If there is, I'd like to know.

Thanks for the reply  
 
  

keydet89
Senior Member
 

Re: Alternate Data Streams related cases

Posted: Feb 25, 09 01:12

So, on pg 242 of WFA, the book states that there are no native tools (caveat: this applies to Windows NT, 2000, XP and 2003...fig 5.11 on pg 244 illustrates how to do this on Vista) in Windows that allow you to view arbitrary ADSs.

If you can find a native tool on Windows NT through 2003 that can be used to locate and view arbitrary ADSs, please...I'm sure we'd all love to hear about it.  
 
  

ronanmagee
Senior Member
 

Re: Alternate Data Streams related cases

Posted: Feb 25, 09 05:14

There's a good article with an example of how it might be used ... here

The LADS tool should also help you.

I believe ADS was first introduced to allow Windows to be compatible with Macs.

A Sysinternals tool called stream may also help.

Ronan  
 
  

darren_q
Member
 

Re: Alternate Data Streams related cases

Posted: Feb 25, 09 06:10

ADSspy - www.bleepingcomputer.c...adsspy.php - is another good one  
 
  

ecophobia
Senior Member
 

Re: Alternate Data Streams related cases

Posted: Feb 25, 09 08:43

I still have this page bookmarked www2.tech.purdue.edu/c...rkside.pdf

One guy by the name of H. Carvey did an excellent write-up about ADS. The paper is quite old, so must be the guy who wrote the paper.
:) Hello Harlan :)

SANS also got something about ADS.
sansforensics.wordpres...spacceexe/  
 

Page 1 of 2