CFRS - Alternate Data Streams (NTFS) and MRU
What are the zone identifiers?
0 My Computer
1 Local Intranet Zone
2 Trusted Sites Zone
3 Internet Zone
4 Restricted Sites Zone
What is the MRU?
Most recently used files
Primary stream
$DATA:""
Alternate Data stream
$DATA:stream1
Every NTFS file has a
$DATA attribute containing the file contents
How many zone identifiers are there?
5
Why are we interested in ADS?
Data can be hidden there; executable code can be run from there
ADS
File attribute found on NTFS
Attached to a file or directory
File sizes are unchanged (the reported size does not include the stream)
Show content of a stream
Get-Content -Path .\somefile -Stream stream1
Show all streams (PowerShell)
Get-Item -Path .\somefile -Stream *
How to view data streams
Streams (TechNet tool)
dir /R (cmd.exe)
Get-Item -Path C:\data\ -Stream * (PowerShell)
Get-Content -Path C:\data\file.ext -Stream "stream name" (PowerShell)
Uses for ADS
Thumbnails
Right mouse click (context menu)
Anti-virus and backup software
Downloading a file (the browser writes a zone identifier stream)
In PowerShell, what is the identifier for the zones?
ZoneId=[0-4]
More than one $DATA attribute
Any additional $DATA attribute is considered an alternate data stream
Create a stream
echo "bad malware stuff" > [somefile]:stream1
more < [somefile]:stream1
"bad malware stuff"
What is the MRU List?
Handles the creation of new source lists and their location on the machine
Where do you find MRUs?
In the Registry
In NTUSER.dat (user's home directory)
In UsrClass.dat (user's home directory)
Show the $DATA attributes
Use dir /R [somefile]
Why is the MRU of digital forensic interest?
When a file is deleted, artifacts such as MRUs are still there
What is a jump list?
The list shown when you right-click a program icon
Can data streams obscure data?
Yes, intentionally or by accident