
List:       forensics
Subject:    Testing freeware ADS detection programs
From:       H C <keydet89 () yahoo ! com>
Date:       2001-12-07 17:02:14

Tools examined
streams.exe from SysInternals
sfind.exe from FoundStone
CrucialADS from CrucialSecurity
lads.exe from HeySoft.de (Frank Heyne)

Note:  All tools were downloaded from the author's web
sites on 5, 6, and 7 Dec, 2001.

Testing platform is Win2K.

Methodology
Create a directory called 'c:\ads'.  Create several
ADSs within the directory, attached to both the
directory listing as well as files.  Do so using the
'type' command.  Also, add an ADS to a file using
Explorer...select the file, right-click on it, select
Properties, and then Summary.  Fill in arbitrary info,
and save.

All tools are located in c:\tools.  
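The following script is an added example, not part of the original post or of any of the tools it tests. It rebuilds the fixture described above in PowerShell and then enumerates the streams without a third-party tool. Assumptions: a Windows host with an NTFS volume, PowerShell 3.0 or later (Set-Content/Get-Item -Stream appeared in 3.0), and write access to the directory in $TestDir (the post's C:\ads; change it to a scratch directory if you prefer). The file and stream names follow the post; the payload is constructed here rather than copying notepad.exe or sol.exe, and the Explorer "Summary" properties step is not reproduced, because it is a GUI action.

```powershell
# Added example (not from the original post): recreate the ADS test fixture
# and enumerate the streams. Assumes Windows, NTFS, PowerShell 3.0+.
# $TestDir, $Payload and Get-AlternateStreams are names chosen for this
# example; they are not part of any tool discussed on the page.

$TestDir = 'C:\ads'
New-Item -ItemType Directory -Path $TestDir -Force | Out-Null

# Two ordinary files. 'dir' and Get-ChildItem only ever show their
# default ($DATA) streams, which is the whole point of hiding data in an ADS.
Set-Content -Path "$TestDir\myfile.txt"  -Value 'visible content of myfile.txt'
Set-Content -Path "$TestDir\myfile2.txt" -Value 'visible content of myfile2.txt'

# Constructed 4 KB payload standing in for the binaries used in the post.
$Payload = Join-Path $env:TEMP 'payload.bin'
[IO.File]::WriteAllBytes($Payload, [byte[]](1..4096 | ForEach-Object { $_ % 256 }))

# 1) The post's method: cmd.exe 'type' redirected into file:stream.
#    One stream on a file, one on the directory itself. Note ${TestDir}:
#    without the braces PowerShell would parse "$TestDir:np" as a
#    scoped variable reference.
cmd.exe /c "type `"$Payload`" > `"${TestDir}\myfile2.txt:np.exe`""
cmd.exe /c "type `"$Payload`" > `"${TestDir}:np.exe`""

# 2) The PowerShell-native way (3.0+): Set-Content -Stream.
Set-Content -Path "$TestDir\myfile.txt" -Stream 'hidden.txt' `
            -Value 'this text is hidden in an ADS'

# What a normal listing shows: names and default-stream sizes only.
Get-ChildItem $TestDir | Select-Object Name, Length

# Enumerate every stream on the directory and everything under it, in the
# spirit of lads/streams.exe. '-Stream *' includes the default ':$DATA'
# stream, which is filtered out so only alternate streams remain.
# Caveat: Get-Item -Stream on a *directory* only works in PowerShell 7.2+;
# on Windows PowerShell 5.1 the directory-attached stream is silently
# skipped, so this enumerator has the same kind of coverage gap the post
# found in some of the tools. 'cmd /c dir /r' (Vista and later) does list it.
function Get-AlternateStreams {
    param([string]$Path)
    $targets = @(Get-Item $Path) + @(Get-ChildItem $Path -Recurse -Force)
    foreach ($t in $targets) {
        Get-Item -Path $t.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    Size = $_.Length
                    ADS  = "$($t.FullName):$($_.Stream)"
                }
            }
    }
}

$found = Get-AlternateStreams -Path $TestDir
$found | Format-Table -AutoSize
"{0} bytes found in {1} alternate data streams" -f `
    ($found | Measure-Object Size -Sum).Sum, @($found).Count

# Read one stream back to confirm the content survived the round trip.
Get-Content -Path "$TestDir\myfile.txt" -Stream 'hidden.txt'
```

Run it once, then point each of the tools in the post at $TestDir and compare their output against the table this script prints; a stream that is present here but absent from a tool's report is the kind of miss the results below describe. To see the directory-attached stream from cmd.exe on a host without PowerShell 7.2, use `dir /r C:\` and look for the `ads:np.exe:$DATA` entry.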

Results
-----------------------------------------------------
I started by running the command:

c:\tools>lads c:\ads

The result was:

Scanning directory c:\ads\

      size  ADS in file
----------  ---------------------------------
     50960  c:\ads\:np.exe
     50960  c:\ads\:np3.exe
       120  c:\ads\myfile.txt:?SummaryInformation
        28  c:\ads\myfile.txt:hidden.txt
     34064  c:\ads\myfile.txt:sol.exe
         0  c:\ads\myfile.txt:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
     50960  c:\ads\myfile2.txt:np.exe

    187092 bytes found in 7 alternate data streams

The results of lads.exe show exactly what I've put in
the test directory.  I have 2 copies of Notepad.exe
associated with the directory listing, a copy of
Solitaire associated with a file, and various other
sundry ADSs.  The two odd ADSs are a result of
saving Summary information for myfile.txt via Windows
Explorer.

Next, I ran sfind.exe from FoundStone's
ForensicToolkit:

C:\tools>sfind c:\ads

The results are as follows:

Searching...
c:\ads
  myfile2.txt:np.exe Size: 50960
Finished

That's odd.  So then I checked the syntax:

C:\tools>sfind /?
Seek and Destroy - Information Warfare

SFind v1.2.2 - Copyright(c) 1998, Foundstone, Inc.
Alternate Data Stream Finder
Programming by JD Glaser - All Rights Reserved
        Usage - sfind [path] /ns
        [dirpath]       Directory to search - none equals current
        -ns             Skip sub-directories
        - or /          Either switch statement can be used
        -?              Help
COMMAND PROMPT MUST HAVE A MINIMUM WIDTH OF 80 CHARACTERS
Zechariah 12:9 - "I will seek to destroy all nations who oppose Jerusalem"

See http://www.foundstone.com for updates/fixes

Okay.  So then I tried moving up a directory and
running: 

C:\tools>sfind c:\

At this point, sfind.exe began checking the entire
hard drive.  While it did find some ADSs I'd put into
another directory for a different test, it never
reported finding the ADSs in c:\ads.  Also, sfind.exe
seemed to be stuck in a loop...it reported finding the
ADSs in the other directory 3 times, and continued
searching the same directories and files over and over
again...I stopped the program with Ctrl-C after the
third sweep.

I followed that with one more test:

C:\tools>sfind c:\ads\*
Searching...
Finished

Ah...it didn't find the ADSs.  On to the next
tool...streams.exe from SysInternals:

C:\tools>streams c:\ads

This resulted in:

Streams v1.3 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2001 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\ads:
          :np.exe:$DATA 50960
         :np3.exe:$DATA 50960

Okay, let's try another command:


C:\tools>streams c:\ads\*

This one resulted in:

Streams v1.3 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2001 Mark Russinovich
Sysinternals - www.sysinternals.com

c:\ads\myfile.txt:
   :?SummaryInformation:$DATA   120
      :hidden.txt:$DATA 28
         :sol.exe:$DATA 34064
   :{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}:$DATA       0
c:\ads\myfile2.txt:
          :np.exe:$DATA 50960

Okay, so there are the ADSs associated with the file. 
For the syntax of the command, you have to go to
http://www.sysinternals.com/ntw2k/source/misc.shtml#Streams
and you'll see: 

Usage: streams [-s] <file or directory>

-s         Recurse subdirectories.

Streams takes wildcards e.g. 'streams *.txt'.

Finally, the last tool is CrucialADS.  This tool is
GUI based, and when it opens, your only choices are a
drop-down box of available NTFS drives.  The tool
scanned quickly, and reported the ADSs it found (and
it found all of them) in red text.

Conclusion
------------------------------------------------------
lads.exe is by far the best tool available.  Because
it's a CLI tool, it can be easily scripted, and the output
can be piped across a socket (netcat) during a 'live'
forensics investigation.  While CrucialADS found the
ADSs with as little user interaction as lads.exe, it's
not nearly as flexible as lads.exe.





-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
