Purpose:
In this lab, you will learn how to recognize data hidden using ADS. Consider a PC on which individuals could hide and pass information covertly without anyone being able to readily detect its presence, or an attack on a system in which the attacker uses up all of your available disk space, leaving you unable to save any additional data even though the system still reports plenty of free disk space. Such is the threat that alternate data streams present to both Unix and Windows systems, where data can be stored in streams other than a file's main unnamed data stream. As Windows does not come with native tools that show which files have streams attached to them, we have to rely on third-party tools to routinely review our file system for the presence of these covert files. In this lab, you will create an ADS and view it using a Sysinternals tool now available from Microsoft's website.

Lab requirements:
- An NTFS partition
- A forensic tool to display the stream: either SFind (available from Foundstone at McAfee, under the Resources link) or Streams by Sysinternals (available from http://live.sysinternals.com/Files/). Download the Streams.zip file from Microsoft and unzip it to access the executable.

Lab Steps:

Hiding text:
1. Create a folder named ADSLAB.
2. Expand the Streams.zip file into the ADSLAB folder.
3. Create a folder under ADSLAB named Myfiles.
4. In the Myfiles folder, create a couple of text files (File - New - Text Document; name these files anything you want).
5. Create a new text file named test.txt.
6. View the file details. Note how large the test.txt file is and get a screen capture that shows the size.
7. From the command prompt, type:
   echo - lets hide our illegal files in this file>test.txt:stream
   You have just created a stream named "stream" that is associated with the file named test.txt.
8. Display the file by typing DIR. Note that the file size is still reported as 0. Save a screen capture of that.
9. Open the file in Notepad. Note that the file looks empty when you open it in any text editor. Save another screen capture.
10. To see your stream, enter:
    more < test.txt:stream
    (The type command does not accept stream syntax, so you have to use more.) Did you see the data? Keep in mind that there is no limit to the amount of data that can be associated with the file!

Detecting ADS:
1. At the cmd prompt, change directories to the ADSLAB directory where your streams.exe file resides. If you do not know how to change directories, Google search is your friend!
2. Type:
   streams -s myfiles
   This runs streams.exe with the recursive switch against the Myfiles directory to report any files containing ADS. Did Streams report the correct file?
3. Delete the stream using the streams -d switch.

Lab Report:
What controls do you think could be implemented to protect a system from users keeping covert data on the system using ADS? Submit at least 2 or 3 specific solutions. Be sure to submit all the screenshots showing how you performed the steps above.

Download/print these instructions: streams-NTFS.doc (Word), streams-NTFS.pdf (PDF)

Grading:
This assignment is worth up to 50 points towards your final grade. Points will be deducted for any missing screen captures or steps. You will receive 40 points for including all required screen captures and following all the directions above. You will receive up to 10 points for providing specific solutions.

Were you able to perform all of the steps above? What did you learn? Please include a couple of screenshots. What controls would you implement to protect your system from users keeping covert data on the system using ADS?

Requirements: provide screenshots and answer the questions.
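The "Detecting ADS" step above relies on the third-party streams.exe. As an added example (not part of the lab and not Sysinternals code), the PowerShell script below does the same review natively: it builds a constructed sample folder with one file carrying a hidden stream and one clean file, enumerates every stream on every file under the folder with the built-in -Stream parameter (PowerShell 3.0 and later), reports only streams that are not the main unnamed stream, reads the hidden content, and then removes what it found, mirroring the lab's echo, more and streams -d steps. The $Root path, the Find-AlternateDataStream function name and the sample file contents are assumptions made for this example.

```powershell
# Added example, not part of the original lab. Requires an NTFS volume and
# PowerShell 3.0+ (the -Stream parameter on the FileSystem provider).
# $Root is an assumed location; the sample files created under it are constructed.
param([string]$Root = (Join-Path $env:TEMP 'ADSLAB_demo'))

# --- Constructed sample: one file with a hidden stream, one clean file ---
New-Item -ItemType Directory -Path $Root -Force | Out-Null
$sample = Join-Path $Root 'test.txt'
New-Item -ItemType File -Path $sample -Force | Out-Null              # 0-byte main stream
Set-Content -Path $sample -Stream 'stream' -Value 'hidden payload'    # like: echo ...>test.txt:stream
New-Item -ItemType File -Path (Join-Path $Root 'clean.txt') -Force | Out-Null

function Find-AlternateDataStream {
    # Recursively list every named stream that is not the main ':$DATA' stream.
    param(
        [Parameter(Mandatory)][string]$Path,
        # Zone.Identifier is the Mark-of-the-Web stream browsers add to downloads;
        # it is expected on downloaded files, so it is excluded from the report by default.
        [string[]]$IgnoreStream = @('Zone.Identifier')
    )
    Get-ChildItem -Path $Path -File -Recurse -Force |
        ForEach-Object {
            $file = $_
            # Get-Item -Stream * returns one object per stream, including ':$DATA',
            # the unnamed main stream whose size is what DIR and Explorer report.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStream -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File         = $file.FullName
                        ReportedSize = $file.Length   # size DIR shows (main stream only)
                        Stream       = $_.Stream
                        StreamSize   = $_.Length      # bytes actually hidden in the stream
                    }
                }
        }
}

# Detect: clean.txt should not appear; test.txt should appear with stream 'stream'
# and a ReportedSize of 0 even though StreamSize is non-zero.
$findings = @(Find-AlternateDataStream -Path $Root)
$findings | Format-Table -AutoSize

# Read the hidden content (equivalent of: more < test.txt:stream)
Get-Content -Path $sample -Stream 'stream'

# Remediate: remove each named stream that was found (equivalent of: streams -d)
foreach ($f in $findings) {
    Remove-Item -LiteralPath $f.File -Stream $f.Stream
}

# Verify the cleanup; the main stream and the file itself are untouched.
$after = @(Find-AlternateDataStream -Path $Root)
"Alternate streams remaining after cleanup: $($after.Count)"
```

Two points worth knowing when you write up the controls section of the lab report: since Windows Vista, cmd's dir /R also lists named streams, so a periodic scheduled run of either dir /R or a script like the one above gives you the routine review the lab describes without a third-party download; and the Zone.Identifier exclusion matters in practice, because every file downloaded by a browser carries that stream, and a report that lists it will bury the one stream you actually care about.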
