Re: KSSA-003 - Multiple windows file wiping utilities do not properly wipe data with NTFS

From: Stewart Berman (sab@SABERMAN.COM)
Date: 01/21/02


Date:         Mon, 21 Jan 2002 17:46:46 -0500
From: Stewart Berman <sab@SABERMAN.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Side effects of testing can be strange:

Windows 2000 SP2, Windows for Workgroups Networking

Logged in as a Power User -- Non Administrator

Ran the LADS software:

lads C:\ /s

One of the error messages was:
Error 32 opening C:\Documents and Settings\BENT\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat: The process cannot access the file because it is being used by another process

Now that is reasonable considering that Backup Exec is always logged on and
running. However, the user that I was logged in with does not have access
to the C:\Documents and Settings\BENT directory. If I click on it in
Explorer I get access denied. I cannot even view the security settings
using the logged in user.

I then logged on as administrator and created a file with an alternate data
stream in the administrator's desktop. Logged off and logged back on as a
power user. Ran lads:

C:\>c:\build\utilities\lads\lads "C:\Documents and Settings" /s

LADS - Freeware version 2.12
(C) Copyright 1998-2000 Frank Heyne Software (http://www.heysoft.de)
This program lists files with alternate data streams (ADS)
Use LADS on your own risk!

Scanning directory C:\Documents and Settings\ with subdirectories

       size ADS in file
- ---------- ---------------------------------
         47 C:\Documents and Settings\Administrator\Desktop\file.txt:alternate-data-stream

(Note: If LADS is run against "C:\Documents and Settings\Administrator" it
properly reports that it cannot find the directory.)

Again, the user I was logged in with did not have access to the
Administrator directory or subdirectories. So how did LADS enumerate the
directories and files and open the file.txt file to check for an alternate
data stream?

Stu

At 08:44 PM 1/20/2002 -0700, you wrote:
>-----BEGIN PGP SIGNED MESSAGE-----
>Hash: SHA1
>
>[url3] http://www.heysoft.de/nt/ep-lads.htm - List alternate data streams.

-----BEGIN PGP SIGNATURE-----
Version: PGP for Personal Privacy 5.5.3

iQA/AwUBPEyYXNULzpIzI+8jEQL/mQCfeJbJTuexfkB3Q0hf5VwoPyCiBewAn1Rp
mlIYbj1sWp/q9BwOZk0KZ68C
=HmMP
-----END PGP SIGNATURE-----
