Antiforensics y la Alquimia de los Bits v1.0

ADS and other techniques for hiding information
by

Juan Carlos Ruiloba Castilla

on 2 November 2014

Transcript of Antiforensics y la Alquimia de los Bits v1.0

Antiforensics y la Alquimia de los Bits
ALTERNATE DATA STREAM
(Alternate Data Streams: ADS)
NTFS allows alternate streams to be stored alongside the main one simply by specifying an internal name
ADS notes
The main stream is "$DATA"

As many ADS as there is memory available

The policy is that the user does not use ADS ==> solution: "<" and ">"

":" ==> confusion ==> solution: use absolute paths

The hash is not changed by ADSs

On compressing, the ADSs are lost ... except with "rar"

MIME and Base64 ignore ADSs
ADS notes
FTP and HTTP transfers ignore ADSs

Copying from NTFS to NTFS, or over Samba network shares, preserves them
file[:stream[:type]]
ADS tools
New alchemists
1981. Memory: 1680 bytes = 1.6 Kb
Demo Firm
Lads : http://www.heysoft.de/en/software/lads.php

Streams: http://technet.microsoft.com/en-us/sysinternals/bb897440

Copy_ads: http://www.dmares.com/maresware/html/copy_ads.htm

ADS Spy: http://www.bleepingcomputer.com/download/ads-spy/

AlternateStreamView: http://www.nirsoft.net/utils/alternate_data_streams.html

DIR /R
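The notes above state that the file hash does not change when an ADS is added and that `DIR /R` is the built-in way to list streams, so hashing the primary stream alone will not reveal them; enumerating the streams themselves will. The following PowerShell function is an added example, not code from the presentation or from any of the tools listed: it walks a directory tree and reports every stream other than the primary `:$DATA`, the recursive counterpart of `DIR /R`. The function name, its parameters, the treatment of `Zone.Identifier` as a usually benign browser marker, and the sample path in the usage line are assumptions of this example; it assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume.

```powershell
<#
  Added example (not from the original presentation): recursively enumerate NTFS
  alternate data streams and report everything that is not the primary ':$DATA'.
  Function and parameter names are assumptions of this example.
#>
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Root,
        # 'Zone.Identifier' is the browser "mark of the web" stream; hidden by default as noise
        [switch] $IncludeZoneIdentifier,
        # Remove the alternate streams that are found; the primary stream is left untouched
        [switch] $Remove
    )

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every stream of the file, including the primary ':$DATA'
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    $stream = $_
                    if ($Remove) {
                        # Deletes only the named stream; file content in ':$DATA' is preserved
                        Remove-Item -LiteralPath $file.FullName -Stream $stream.Stream
                    }
                    [pscustomobject]@{
                        File    = $file.FullName
                        Stream  = $stream.Stream
                        Bytes   = $stream.Length
                        Written = $file.LastWriteTime
                        Removed = [bool]$Remove
                    }
                }
        }
}

# Usage (report only; sample path is a placeholder):
# Find-AlternateDataStream -Root 'C:\Users\Public' | Format-Table -AutoSize
```

Run it without `-Remove` first and review the report; the `Bytes` column separates tiny marker streams from ones large enough to carry a file, which is what the notes describe when they say the main-stream hash stays the same.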

ADS demo