Sunday, September 6, 2009

ADS [ Alternate Data Stream ] : NTFS - The Dark Side

ADS [ Alternate Data Stream ] : NTFS - The Dark Side

The feature of NTFS from WinNT v3.1 onwards which is very dangerous as can be used to hide files on your system even undetected from several Antivirus, and other Security Products.

This ADS can even be used to hide malicious files, so to counter such covert attacks one need to figure out the the unwanted files in ADS on their disk drives.

To hide files in ADS (say adsF.ext into ADS of mainF.ext), at command prompt
cmd:\> type adsF.ext > mainF.ext:adsFile.ext
Now to access it (say it opens in Notepad)
cmd:\> notepad mainF.ext:adsFile.ext

For this several professional tools can be used, like
HijackThis (from Trend Micro) : http://free.antivirus.com/
Lads (from Heysoft) : http://www.heysoft.de/en/software/lads.php?lang=EN
SFind (in Forensic Toolkit) : http://www.foundstone.com/us/resources/

Here we discuss how to use ADS to hide files... and how to secure yourself from files in ADS.

To get a live demo Video on this stuff watch the video below:
http://blip.tv/file/2565748
or
http://www.youtube.com/watch?v=h96meoDYWSg

No comments:

Post a Comment