RE: How to hide a file ?

From: Matthew LaGrange (lagra100@chapman.edu)
Date: 01/08/02


From: "Matthew LaGrange" <lagra100@chapman.edu>
To: <vuln-dev@security-focus.com>
Date: Tue, 8 Jan 2002 11:40:52 -0800

I was reading that there are 5 ways to run an exe with ADS in NTFS 5.
How is that done other than with start?
-Matthew

-----Original Message-----
From: Altheide, Cory [mailto:CAltheide@broadband.att.com]
Sent: Tuesday, January 08, 2002 10:25 AM
To: vuln-dev@security-focus.com
Subject: RE: How to hide a file ?

It's not an incredibly crucial issue, no, but if you create an ADS on,
say, explorer.exe, it alters the modified date. When doing a cursory
examination of the last modified files, explorer.exe would look fairly
suspicious.

Pagefile.sys, however, would not. ;)

Cory Altheide
Internet Security Coordinator
AT&T Broadband Legal Demands Center
 

> -----Original Message-----
> From: H C [mailto:keydet89@yahoo.com]
> Sent: Tuesday, January 08, 2002 11:22 AM
> To: Altheide, Cory; vuln-dev@security-focus.com
> Subject: RE: How to hide a file ?
>
>
> Cory,
>
> > Just a quick note on hiding using data streams...
> >
> > While the streams themselves are transparent,
> > creating an alternate data
> > stream does alter the modified date of the "parent"
> > file.
>
> You're correct, but I'm not sure where that's really
> even an issue.
>
> 'touch' utilities are trivial. In fact, I recently
> put a Perl script up on my site that shows
> programmatically how to do this via the Win32 API.
> Nothing new, of course, other than the fact that the
> script allows the user to change the creation date, as
> well as the last access and write times.
>
> However, I started a separate thread on this issue on
> the Forensics list, so I won't belabour it here...
>
>
>
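
A defender-side check for the point made in this thread, added here as an example and not part of any poster's message: because the parent file's modified date can be reset with a touch utility, enumerate the named streams directly instead of relying on timestamps. The function name `Find-AlternateDataStream` and its default ignore list are assumptions; `Get-Item -Stream` requires PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example: report every named (alternate) data stream on files under a path.
# Timestamps are shown for context only; they are not used to decide what to report,
# since the thread notes they can be changed after the stream is created.
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,

        # Assumption: Zone.Identifier is written by browsers on downloaded files
        # and is ignored by default to cut noise. Pass @() to report everything.
        [string[]]$IgnoreStream = @('Zone.Identifier')
    )

    # -Force includes hidden and system files; locked files (for example the
    # page file) raise access errors, which are skipped rather than aborting the scan.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -Force -ErrorAction SilentlyContinue |
                # ':$DATA' is the unnamed default stream, i.e. the file's normal content.
                Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStream -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File             = $file.FullName
                        Stream           = $_.Stream
                        StreamBytes      = $_.Length
                        CreationTimeUtc  = $file.CreationTimeUtc
                        LastWriteTimeUtc = $file.LastWriteTimeUtc
                    }
                }
        }
}

# Usage: list streams under the Windows directory, largest first.
Find-AlternateDataStream -Path $env:SystemRoot |
    Sort-Object StreamBytes -Descending |
    Format-Table -AutoSize
```

This scans files only; streams attached to directories are not covered by it.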

