
W2K NTFS: Alternate Data Streams (ADS)


Paul Oliver Baccas

Jan 16, 2001, 7:32:33 AM
some...@compusmart.ab.ca wrote:
>
> We did a scan for files with associated
> data streams (ADS) on a W2K machine. This
> was done using the tool by Crucial Security.
>
> More than 1000 files with ADS were found. They
> were all graphics files .bmp .tif .jpeg. Maybe
> other graphics formats too; the machine is not
> operating at this time and so this cannot be
> checked.
>
> Some of the files had been generated on a W98
> FAT32 system and were transferred to the W2K
> machine (NTFS) and have not been opened since.
> How did they acquire an ADS?
>
> Also, it appears that when the W2K machine had
> been scanned several weeks ago far fewer
> files with ADS had been found ... the records
> are somewhat sketchy here. Did they
> acquire an ADS since, and how?
>
> Are these just thumbnails? If so, when are they
> generated? Or is something else storing
> information in the ADS? Comments are much
> appreciated.
>
> Roger

Sorry if this cross post goes over any material. Unfortunately I do not
receive alt.computer.security :-(

If you have a satisfactory answer could you send it to me :-)

Otherwise, does the tool you used produce logs? If so could you
post/send them.

After reading your post I looked at my own machine and for a random BMP
file I get (using some internal utilities) information of this sort.

stream [0] "":
type: security
size: 92

stream [0] "":
type: data
size: 573174

stream [68] ": Q30lsldxJoudresxAaaqpcawXc:$DATA":
type: other streams
size: 7016

stream [90] ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA":
type: other streams
size: 0

stream [0] "":
type: unknown
size: 8

stream [64] "":
type: unknown
size: 7


where the ' ' character is 0x05 (the graphic for clubs in cards).

Is this like what you get?

Do you have MSDN? Or the Windows 2000 Professional Resource Kit? If so, a
search on "alternate data streams" gives 'Chapter 17 - File Systems'
which gives some pointers to what these ADS are doing.

Regards,

pob
--
Paul O Baccas, Virus Researcher, Sophos Anti-Virus
email: paul....@sophos.com http://www.sophos.com
US Support: +1 888 SOPHOS 9 UK Support: +44 1235 559933
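An added example, not part of the original post or of the Crucial Security tool it mentions: a small Python module that parses the kind of stream listing reproduced above (the `stream [n] "name": / type: / size:` shape) and picks out the named `$DATA` streams, i.e. the alternate data streams an ADS scanner would report, separating the unnamed default data stream and the security descriptor from them. The sample listing is constructed to mirror the post's output, with the 0x05 byte the post mentions spelled out. For live use on an NTFS volume it also wraps `FindFirstStreamW`/`FindNextStreamW` through `ctypes` (Windows only; the names, record type and classifier are my own, not the tool's).

```python
"""Enumerate and classify NTFS named data streams (alternate data streams).

Two entry points:
  * parse_stream_listing(text): parses the "stream [n] "name": / type: / size:"
    listing format shown in the post (runs anywhere).
  * list_streams_windows(path): live enumeration via FindFirstStreamW (Windows only),
    producing the same record type so the same classifier applies.
"""
import re
import sys
from dataclasses import dataclass

# NTFS stream APIs report stream names as ":<name>:$DATA"; the unnamed default
# data stream is "::$DATA".  The post's tool prints the default stream as "".
_DATA_STREAM = re.compile(r"^:(?P<name>.*):\$DATA$")
# The post notes some stream names start with the 0x05 character; that prefix is
# the structured-storage convention for property-set stream names.
_PROPSET_PREFIX = "\x05"


@dataclass
class StreamRecord:
    name: str   # raw stream name as reported
    type: str   # e.g. "data", "security", "other streams", "unknown"
    size: int   # bytes


# Constructed sample mirroring the listing in the post (0x05 written out).
SAMPLE_LISTING = (
    'stream [0] "":\n type: security\n size: 92\n\n'
    'stream [0] "":\n type: data\n size: 573174\n\n'
    'stream [68] ":\x05Q30lsldxJoudresxAaaqpcawXc:$DATA":\n type: other streams\n size: 7016\n\n'
    'stream [90] ":{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA":\n type: other streams\n size: 0\n\n'
    'stream [0] "":\n type: unknown\n size: 8\n\n'
    'stream [64] "":\n type: unknown\n size: 7\n'
)

_ENTRY = re.compile(
    r'stream \[(?P<n>\d+)\] "(?P<name>[^"]*)":\s*\n'
    r'\s*type:\s*(?P<type>[^\n]+?)\s*\n'
    r'\s*size:\s*(?P<size>\d+)'
)


def parse_stream_listing(text: str) -> list[StreamRecord]:
    """Turn the tool-style listing into StreamRecord objects."""
    return [StreamRecord(m.group("name"), m.group("type"), int(m.group("size")))
            for m in _ENTRY.finditer(text)]


def alternate_data_streams(records: list[StreamRecord]) -> list[StreamRecord]:
    """Keep only named $DATA streams: everything except the default '::$DATA'."""
    out = []
    for r in records:
        m = _DATA_STREAM.match(r.name)
        if m and m.group("name"):
            out.append(r)
    return out


def hidden_bytes(ads: list[StreamRecord]) -> int:
    """Total payload carried outside the default stream (what a size check misses)."""
    return sum(r.size for r in ads)


def describe(record: StreamRecord) -> str:
    """Human-readable line for one ADS, flagging the 0x05 property-set prefix."""
    name = _DATA_STREAM.match(record.name).group("name")
    kind = "0x05-prefixed (property-set style)" if name.startswith(_PROPSET_PREFIX) else "plain named stream"
    return f"{name!r}: {record.size} bytes, {kind}"


def list_streams_windows(path: str) -> list[StreamRecord]:
    """Live enumeration with FindFirstStreamW/FindNextStreamW (Windows only)."""
    if sys.platform != "win32":
        raise OSError("FindFirstStreamW is only available on Windows")
    import ctypes
    from ctypes import wintypes

    class WIN32_FIND_STREAM_DATA(ctypes.Structure):
        _fields_ = [("StreamSize", ctypes.c_longlong),          # LARGE_INTEGER
                    ("cStreamName", ctypes.c_wchar * (260 + 36))]  # MAX_PATH + 36

    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [wintypes.LPCWSTR, ctypes.c_int, ctypes.c_void_p, wintypes.DWORD]
    k32.FindFirstStreamW.restype = wintypes.HANDLE
    k32.FindNextStreamW.argtypes = [wintypes.HANDLE, ctypes.c_void_p]
    k32.FindNextStreamW.restype = wintypes.BOOL
    k32.FindClose.argtypes = [wintypes.HANDLE]
    invalid = ctypes.c_void_p(-1).value

    data = WIN32_FIND_STREAM_DATA()
    h = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)  # 0 = FindStreamInfoStandard
    if h is None or h == invalid:
        raise ctypes.WinError(ctypes.get_last_error())
    records = []
    try:
        while True:
            records.append(StreamRecord(data.cStreamName, "data", data.StreamSize))
            if not k32.FindNextStreamW(h, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(h)
    return records


if __name__ == "__main__":
    recs = list_streams_windows(sys.argv[1]) if len(sys.argv) > 1 else parse_stream_listing(SAMPLE_LISTING)
    ads = alternate_data_streams(recs)
    for r in ads:
        print(describe(r))
    print(f"{len(ads)} alternate data stream(s), {hidden_bytes(ads)} bytes outside the default stream")
```

Run with no arguments to classify the constructed listing, or on Windows with a file path to enumerate that file's streams live. The point of `hidden_bytes` is the one the original question circles around: Explorer's reported file size covers only the default stream, so content in named streams is invisible to a plain size check and only shows up when streams are enumerated explicitly.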
