Lab 14: Using TSK For Network and Host: Because Teaching Teaches Teachers To Teach

This document discusses how to use The Sleuth Kit (TSK) to detect alternate data streams (ADS) that can be used to hide files and data on NTFS drives. It explains that ADS are pieces of hidden metadata that are invisible in Windows Explorer. The document outlines different tools that can be used to discover and view ADS, including analyzing the master file table to find ADS information. It also discusses how TSK can help detect hidden files and malware by looking for discrepancies between file timestamps.

Uploaded by

Henry Wiliam

Lab 14: Using TSK for Network and Host
Because teaching teaches teachers to teach

Alternate data streams (ADS)

- Explorer and command-line directory listings (via cmd.exe) don't show data in ADS, so this allows malware to hide files from anyone who doesn't have special tools to view them.
- In this recipe, we'll discuss how those tools work and how you can leverage TSK to detect ADS on both live systems and mounted drives.
Alternate data streams (ADS)

Alternate Data Streams (ADS) are pieces of info hidden as metadata on files on NTFS drives. They are not visible in Explorer and the size they take up is not reported by Windows.
"Hide" data LEVEL 1

"Hide" data LEVEL 2

Detect "Hide" data
Why is ADS not good?

- Alternate Data Streams (ADS) have been given a bad reputation because their capability to hide data from us on our own computer has been abused by malware writers in the past.
Using TSK or Autopsy

- To discover ADS
- To detect hidden files

To discover ADS

- lads.exe by Frank Heyne
- lns.exe by Arne Vidstrom
- sfind.exe by Foundstone
- streams.exe by Mark Russinovich
streams.exe

Analyzing the Master File Table (MFT) for ADS Info

- mmls \\.\PhysicalDrive0

Analyzing the Master File Table (MFT) for ADS Info

- fls -o2048 -r -p \\.\PhysicalDrive0

Entries found:
:SecretTwo.txt:$DATA 16
:SecretWord.txt:$DATA 18
:SecretWord2.txt:$DATA 0
:SecretWordHere.txt:$DATA 12
To detect hidden files

- Using tsk-xview.exe
To detect malware

- Eight timestamps:
  - 4 from the $STANDARD_INFORMATION Attribute (SIA)
  - 4 from the $FILE_NAME Attribute (FNA)
- When malware uses SetFileTime to change the last access, last write, or creation time of a file, the change applies only to the timestamps in the SIA.
To detect malware

- Using tsk-xview.exe
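As an added example that is not part of these slides or of TSK itself, the Python below parses the text output of fls (the listing on slide 12) to pick out named $DATA streams, and compares the $STANDARD_INFORMATION and $FILE_NAME timestamps from istat output to flag entries whose SIA times predate the FNA, the discrepancy slide 14 describes. The fls and istat samples are constructed to mirror TSK's text layout (inode, tab, name; "Created:" / "File Modified:" / "MFT Modified:" / "Accessed:" fields) and are not taken from the lab's drive; the ":$DATA" suffix handling follows the slide's output.

```python
import re
from datetime import datetime

# Constructed fls -r -p output; a named stream appears as path:stream:$DATA (slide 12).
FLS_SAMPLE = """\
r/r 16-128-1:\tUsers/lab/SecretWord.txt
r/r 16-128-3:\tUsers/lab/SecretWord.txt:SecretTwo.txt:$DATA
r/r 18-128-2:\tUsers/lab/notes.txt:SecretWord.txt:$DATA
"""

def find_ads(fls_output):
    """Return (inode, path, stream) for every named $DATA stream fls listed."""
    found = []
    for line in fls_output.splitlines():
        m = re.match(r"^\S/\S (?:\* )?(\S+):\s+(.+)$", line)  # "* " marks deleted entries
        if not m:
            continue
        inode, name = m.groups()
        name = re.sub(r":\$DATA$", "", name)  # drop the suffix seen in the slide's output
        if ":" in name:                        # NTFS names cannot contain ':' themselves
            path, stream = name.split(":", 1)
            found.append((inode, path, stream))
    return found

# Constructed istat output: SIA creation/write/access times back-dated; FNA and MFT Modified show the real time.
ISTAT_SAMPLE = """\
$STANDARD_INFORMATION Attribute Values:
Created:\t2015-03-01 08:00:00.000000000 (UTC)
File Modified:\t2015-03-01 08:00:00.000000000 (UTC)
MFT Modified:\t2023-11-02 14:31:07.000000000 (UTC)
Accessed:\t2015-03-01 08:00:00.000000000 (UTC)
$FILE_NAME Attribute Values:
Created:\t2023-11-02 14:31:07.000000000 (UTC)
File Modified:\t2023-11-02 14:31:07.000000000 (UTC)
MFT Modified:\t2023-11-02 14:31:07.000000000 (UTC)
Accessed:\t2023-11-02 14:31:07.000000000 (UTC)
"""
TS_RE = re.compile(r"^(Created|File Modified|MFT Modified|Accessed):\s+(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")

def sia_fna_discrepancies(istat_output):
    """Names of timestamps whose SIA value predates the FNA value of the same entry.
    SetFileTime rewrites only the SIA (slide 14), so such entries deserve a closer look."""
    times, section = {"SIA": {}, "FNA": {}}, None
    for line in istat_output.splitlines():
        if line.startswith(("$STANDARD_INFORMATION", "$FILE_NAME")):
            section = "SIA" if line.startswith("$STANDARD") else "FNA"
        elif section and (m := TS_RE.match(line)):
            times[section][m[1]] = datetime.strptime(m[2], "%Y-%m-%d %H:%M:%S")
    sia, fna = times["SIA"], times["FNA"]
    return sorted(f for f in fna if f in sia and sia[f] < fna[f])
```

On a real image, feed the functions the captured text of `fls -o <offset> -r -p <image>` and `istat -o <offset> <image> <inode>`; an empty list from sia_fna_discrepancies means the SIA and FNA agree for that entry.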
Q&A
