Sorry if this cross post goes over any material. Unfortunately I do not
receive alt.computer.security :-(
If you have a satisfactory answer, could you send it to me? :-)
Otherwise, does the tool you used produce logs? If so, could you
post/send them?
After reading your post I looked at my own machine, and for a random BMP
file I get (using some internal utilities) information of this sort:
stream [0] "":
type: security
size: 92
stream [0] "":
type: data
size: 573174
stream [68] ": Q30lsldxJoudresxAaaqpcawXc:$DATA":
type: other streams
size: 7016
stream [90] ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA":
type: other streams
size: 0
stream [0] "":
type: unknown
size: 8
stream [64] "":
type: unknown
size: 7
where the ' ' character is 0x05 (the graphic for clubs in cards).
Is this like what you get?
Do you have MSDN? Or the Windows 2000 Professional Resource Kit? If so, a
search on "alternate data streams" gives 'Chapter 17 - File Systems',
which gives some pointers to what these ADS are doing.
Regards,
pob
--
Paul O Baccas, Virus Researcher, Sophos Anti-Virus
email: paul....@sophos.com http://www.sophos.com
US Support: +1 888 SOPHOS 9 UK Support: +44 1235 559933