Friday, December 09, 2011

Alternate Data Streams: A Blast from the Past... Still Going Strong


I was walking to Starbucks and....

Ever wonder what it would feel like to see a unicorn? Something you have always heard or read about but never actually seen in the wild? Well, I (kinda) got that feeling yesterday when I was searching for Alternate Data Streams in a case I am working. Personally, I think I would be more excited if I saw a unicorn... but I digress.

So what are Alternate Data Streams? They were basically created in NTFS to deal with Apple file systems and the different ways they handle data. Think of the Master File Table as a library catalog pointing to all the files on your system. NOW, with NTFS, a file can have multiple attributes describing it (like a prequel). One of these attributes is $DATA, which lets you add additional data to the file or even point to another file to link the two.

Sound a tad confusing? You can read another explanation here by Dan Mares, or you can click to watch my amazing video. I think I say NPFS for the Apple filesystem; I meant HFS... sorry, a bit late in the day here :)



I was actually trying to get AV (I have Microsoft Security Essentials on the VM) to trip on my ADS, and it did not take. I even tried it with an MD5 executable (which AVG did alert on on my home system) and an XOR program. Antivirus products detect ADS in different ways, so mileage may vary. I should also point out that legitimate files can use ADS as well, so don't "Panic and Freak Out" if you see some. Investigate, and only panic when necessary :)
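As an added example (not from the original post or its video), here is a small Python parser that walks an MFT FILE record the way the post describes and reports every named $DATA attribute, which is exactly what an ADS is. The record, the Zone.Identifier stream and the hidden.exe stream are constructed sample data; on a real system you would feed it a record carved out of $MFT.

```python
import struct

DATA_ATTR = 0x80           # $DATA attribute type code
END_MARKER = 0xFFFFFFFF    # terminates the attribute list in an MFT record

def build_resident_attr(attr_type, name, content):  # constructed sample, not from disk
    name_bytes = name.encode("utf-16-le")
    content_off = 0x18 + len(name_bytes)     # resident header is 24 bytes
    content_off += (-content_off) % 8        # content is 8-byte aligned
    length = content_off + len(content)
    length += (-length) % 8                  # attribute length is 8-byte aligned
    hdr = struct.pack("<IIBBHHH", attr_type, length, 0, len(name), 0x18, 0, 0)
    hdr += struct.pack("<IHBB", len(content), content_off, 0, 0)
    body = (hdr + name_bytes).ljust(content_off, b"\x00") + content
    return body.ljust(length, b"\x00")

def build_mft_record(attrs):  # minimal 1024-byte FILE record (constructed)
    header = bytearray(b"FILE".ljust(0x38, b"\x00"))
    struct.pack_into("<H", header, 0x14, 0x38)          # offset of first attribute
    body = bytes(header) + b"".join(attrs) + struct.pack("<I", END_MARKER)
    return body.ljust(1024, b"\x00")

def list_data_streams(record):
    """Return [(name, size)] for each $DATA attribute; '' is the default stream."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]
    streams = []
    while off + 16 <= len(record):
        attr_type, length = struct.unpack_from("<II", record, off)
        if attr_type == END_MARKER or length == 0:
            break
        if attr_type == DATA_ATTR:
            non_res, name_len, name_off = struct.unpack_from("<BBH", record, off + 8)
            name = record[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
            # resident: content length at +0x10; non-resident: real size at +0x30
            fmt, size_off = ("<Q", 0x30) if non_res else ("<I", 0x10)
            streams.append((name, struct.unpack_from(fmt, record, off + size_off)[0]))
        off += length
    return streams

def alternate_streams(record):  # named $DATA attributes only, i.e. the ADS
    return [(n, s) for n, s in list_data_streams(record) if n]

# Constructed record: default stream, Zone.Identifier (a legitimate ADS) and a hidden binary.
SAMPLE_RECORD = build_mft_record([
    build_resident_attr(DATA_ATTR, "", b"quarterly report text"),
    build_resident_attr(DATA_ATTR, "Zone.Identifier", b"[ZoneTransfer]\r\nZoneId=3\r\n"),
    build_resident_attr(DATA_ATTR, "hidden.exe", b"MZ" + b"\x90" * 62),
])
```

A Zone.Identifier stream is the normal mark left by browsers on downloaded files, which is why the post's advice to investigate rather than panic applies: the stream name and size, not the mere presence of an ADS, are what tell you whether something is off.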
Links to content mentioned in the video:
In other news... I am heading to Black Hat Abu Dhabi to assist in teaching MFIRE (Malware Forensics & Incident Response) as well as go to the presentations. It should be a good time... will try and post something about it post-con.

Another thing I am hoping to get involved with is Online DFIR Meetups. Do you get sad when you read Harlan Carvey's blog about the latest NOVA forensics meetup and just wish you could go to something similar? Well, thanks to the power of this here internet (and Adobe Flash), you can! The next one is December 15th, and if I can determine what time 8pm EST is in Abu Dhabi and it's not unreasonable, I may just try to drop in. Harlan will actually be 'guest speaking' on Volume Shadow Copies, a topic I definitely want to get more educated on. Mike Wilkinson will also be speaking on 'Computers as an Alibi'... which I hope has the subtitle "How WoW Saved My Life".

In all seriousness they sound like good talks and if you are free on the 15th check it out.

I have also joined the twittersphere (tweetaverse?). This is on a trial run basis, so please be patient while I figure this all out. I hope to push out my blog updates too (yay for all of you upset with the new Google Reader layout). My twitter name? @sk3tchymoos3. I may tweet some non-techie things in here as well (esp with Santacon 2011 coming up), so be on the lookout!

2 comments:

Keydet89 said...

Melissa,

Just a couple of things...

First, Thu, 15 Dec isn't so much the "next" online meetup as it is the first.

Second, if you're hoping that the subtitle of Mike's presentation is "How WoW saved my life", why not volunteer to do a presentation that covers that at the next online meetup? I think it sounds interesting, and I'd like to hear more about it.

Sketchymoose said...

I am just jealous, as it seems like you have a lot of things going on in NoVA in terms of meetings -- wish I took advantage of them when I lived there. I think this is a great way to bridge the gap for people who have a hard time making it to physical meetups.

It would be great to do a talk! I give mad credit to people who teach -- seems very stressful! I hope you don't think I was poking fun?