Streams are a new concept in the NTFS file system; a stream represents a property of a file.
Within a stream, it is possible to hide information of any size, and the existence of this information is not shown in the file system.
The only way to extract that information is to know the stream's name.
This, of course, presents a possible security challenge.
Credit:
For more information about the utility, and for a white paper on
Streams, visit March: http://streams.march.co.uk/
Also, see:
http://www.foundstone.com/knowledge/termsofuse.html?filename=ForensicToolkit20.zip.
NTFS, which is often used by NT users, allows files to accommodate Streams.
Streams are hidden "properties" that can hold unlimited information.
For example, if you have NT4 or NT5, open a command prompt and type the following:
echo Securiteam's password is: Aloha > password:party
Now type: dir
You see an empty file called password, with the size of 0 bytes!
How can this be? We know it holds our password! Microsoft documents very little of the streams feature in NTFS. It is assumed that there is no way to know which streams exist in a given file.
This is a major security issue. It means we can hide information inside files, and the only way to read this information is by knowing the name of the stream. Typing the content of the file won't reveal the content of the stream (try it!). The only way to expose our password is by typing:
more < password:party
Another security concern is the file quota. If we let a user create a file, s/he can put as much information in it as s/he wants while keeping the file size at 0! The hard drive will fill up, and the administrator will never know what is taking up the space.
Apparently, Windows NT 5.0 (which uses NTFS 2) will offer a way to know which streams exist in a file.
Until then, a company called March Information Systems (http://streams.march.co.uk/) offers a small utility that shows all the streams present on the system.
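On current Windows versions, PowerShell 3.0 and later can list a file's streams with Get-Item -Stream. The following is an added example, not part of the original article or the March utility: it walks a directory tree and reports every alternate stream with its size, then totals the hidden bytes per file for the quota concern. The function name Find-AlternateStream and the scratch directory are assumptions made for the example.

```powershell
# Added example: report alternate data streams under a directory tree.
# Assumes Windows PowerShell 3.0+ and an NTFS volume.
# Find-AlternateStream is a hypothetical name, not a built-in cmdlet.
function Find-AlternateStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path,
        # Stream names to ignore, e.g. 'Zone.Identifier' added to downloaded files.
        [string[]]$ExcludeStream = @()
    )

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every file has an unnamed default stream, listed as ':$DATA'.
            # Any other name is an alternate stream that dir does not show.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $ExcludeStream -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File         = $file.FullName
                        VisibleBytes = $file.Length   # size that dir reports
                        Stream       = $_.Stream
                        StreamBytes  = $_.Length      # space hidden from dir
                    }
                }
        }
}

# Constructed demo: recreate the article's password:party file in a scratch directory.
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$target = Join-Path $demo 'password'
New-Item -ItemType File -Path $target -Force | Out-Null    # 0-byte file
Set-Content -LiteralPath $target -Stream 'party' -Value "Securiteam's password is: Aloha"

$found = Find-AlternateStream -Path $demo
$found | Format-Table -AutoSize

# Hidden space per file, largest first (the quota concern described above).
$found | Group-Object File | ForEach-Object {
    [pscustomobject]@{
        File        = $_.Name
        HiddenBytes = ($_.Group | Measure-Object StreamBytes -Sum).Sum
    }
} | Sort-Object HiddenBytes -Descending
```

The scan covers files only; directories can also carry named streams and would need a separate pass.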