The Setup
I created two text files: one containing "Hello World!", the other containing "ssn: 333-44-5555." Identity Finder will flag any file with a social security number, a credit card number, or anything close. I probably didn't even need to put the fake SSN in that format, as Identity Finder will flag any file with a 9-digit number in it. Nonetheless, I did, and the file should be flagged.
Now, to ADS-ing a document. From the command line I ran:
> type ads_data.txt > doc1.txt:a.txt
Voilà! That's it! An ADS has been created. Again, from a shell, if you run 'notepad doc1.txt' you will see "Hello World!"; if you run 'notepad doc1.txt:a.txt' you will see the contents of the ADS. The neat thing is that the containing folder shows only one document, doc1.txt; the alternate data stream is not visible at all. Pretty cool stuff, huh? Well, I thought it was! Okay, so ADS hiding is more like using the invisibility cloak than the Room of Requirement. And that will be my last Harry Potter reference.
Identity Finder Scan
So, now it's time to scan my machine to see if Identity Finder would locate the ADS file. I separated the ads_data.txt and doc1.txt files into different folders just for safekeeping. The scan completed in approximately 2 hours. The end result is, insert drum roll here, Alternate Data Stream wins! Identity Finder flagged the ads_data.txt file, but did not catch the doc1.txt:a.txt stream. I expected it to find something in doc1.txt. I thought Identity Finder would run a more thorough scan, but apparently it does not.
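One way to catch what the scan above missed, as an added example that is not part of the original post: a PowerShell check that enumerates NTFS alternate data streams under a folder and flags any stream whose content matches the same loose 9-digit heuristic the post describes. The function name, the regex and the scratch folder are my own assumptions; the file names and the fake SSN are the post's.

```powershell
# Added example (not from the original post): list every alternate data stream under a
# folder and flag streams that look like they hold an SSN, i.e. the doc1.txt:a.txt case
# that the scanner missed. Assumes PowerShell 3.0+ (for -Stream and -File) on an NTFS volume.

function Find-SuspiciousStreams {
    param(
        [Parameter(Mandatory)][string]$Root,
        # Loose heuristic, as in the post: a 9-digit run, with or without dashes.
        [string]$Pattern = '\b\d{3}-?\d{2}-?\d{4}\b'
    )
    Get-ChildItem -Path $Root -File -Recurse -Force | ForEach-Object {
        $file = $_
        # Every NTFS file has the unnamed ':$DATA' stream; anything else is an ADS.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $content = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
                [pscustomobject]@{
                    File    = $file.FullName
                    Stream  = $_.Stream
                    Bytes   = $_.Length
                    Flagged = [bool]($content -match $Pattern)
                }
            }
    }
}

# Reproduce the post's setup in a scratch folder (constructed test data, same fake SSN as
# the post), then run the check. doc1.txt:a.txt should be listed with Flagged = True.
$scratch = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
Set-Content -LiteralPath (Join-Path $scratch 'doc1.txt') -Value 'Hello World!'
Set-Content -LiteralPath (Join-Path $scratch 'doc1.txt') -Stream 'a.txt' -Value 'ssn: 333-44-5555.'

Find-SuspiciousStreams -Root $scratch | Format-Table -AutoSize
```

Running this over a whole volume is slow, so in practice you would scope it to the folders a content scanner is expected to cover and compare its findings against the scanner's report.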
So, what's next?
I'm going to see if I can get bmap running and try to do some slack space packing. (I've got a copy of the BCCD, since I can't get it compiled on my own.)