CFRS - Alternate Data Streams (NTFS) and MRU

What are the zone identifiers?

0 My computer 1 Local Intranet Zone 2 Trusted sites zone 3 Internet Zone 4 Restricted sites zone

What is the MRU?

Most recently used files

Primary stream

$DATA:""

Alternate Data stream

$DATA:stream1

Every NTFS file has a

$Data with file contents

How many zone identifiers are there?

5

Why are we intersted in ADS?

Data is hidden there Run exe code from there

ADS

File attribute found on NTFS Attach to a file or directory File sizes are unchanged

Show content of a stream

Get-Content-path ./somefile Stream stream1

Show all streams (powershell)

Get-item-path .\somefile -stream *

How to view data streams

Stream(Technet) Dir/R(cmd.exe) Get-item-path C:\data\ -stream * (Powershell) Get-content-path C:\data\file.ext -stream "stream name" (powershell)

Uses for ADS

Thumbnails Right mouse click Anti-virus and back up software Downloading a file (goes to a zone identifer)

In power shell what is the Identifier for the zones?

Zone Id=[0-4]

More than 1 $Data attributes

considered an alternate data stream

Create a stream

echo "bad malware stuff" > [somefile]:stream1 more < [somefile]:stream1 "bad malware stuff"

What is the MRU List

handles the creation of new source lists and their location on the machine

Where do you find MRU's?

in the Registry in the NTUSER.dat(home dir) in the UsrClass.dat(users home dir)

Show the $Data attribute

use dir /R [somefile]

Why is the MRU of digital Forensic interest?

when a file is deleted, artifacts such as MRU's are still there

What is a jump list?

when you right click on a program Icon

Can data streams obscure data

yes, intentionally or by accident