ADSCheck
NTFS Alternate Data Stream checker-extractor-remover
ADSCheck is a security tool for Windows® NTFS 4/5.x
(2000, XP and Server 2003) designed to check for the presence of
Alternate Data Streams (ADS) which, with their current
implementation, represent a security risk, offering crackers a
good means to hide their gear in the victim system. ADSCheck can also
extract ADS for later examination and/or delete them. It generates a
tab-delimited text report in Unicode, thereby making it easy to
examine it using a database application. There are also verbose and
quiet switches to tweak its operation to the user's needs.
If ADSCheck does find ADS and the reporting option was chosen, it
automatically launches Windows® “notepad.exe” on the report, unless
this auto-launch of Notepad was suppressed with a
command-line switch. If it does not find any, it deletes the report
file, as its contents would be useless.
A 2-level detailed help on usage is in the program itself.
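The same scan-and-report workflow can be reproduced with PowerShell's built-in stream support. The script below is an added example, not ADSCheck's own code or report format; it assumes Windows PowerShell 3.0 or later on an NTFS volume, and the `$Root` and `$Report` paths are hypothetical.

```powershell
# Added example (not part of ADSCheck). Assumes Windows PowerShell 3.0+ and NTFS.
# $Root and $Report are hypothetical paths chosen for this illustration.
param(
    [string]$Root   = 'C:\Users',
    [string]$Report = "$env:TEMP\ads-report.txt"
)

function Find-AlternateStream {
    param([string]$Path)
    # -Force includes hidden and system files; unreadable items are skipped.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -Force -ErrorAction SilentlyContinue
        } |
        # ':$DATA' is the unnamed default stream that holds the normal file contents;
        # every other stream name is an alternate data stream.
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

$found = @(Find-AlternateStream -Path $Root)

if ($found.Count -gt 0) {
    # Tab-delimited, UTF-16 ("Unicode") so a spreadsheet or database can import it.
    $found | Export-Csv -LiteralPath $Report -Delimiter "`t" -Encoding Unicode -NoTypeInformation
    # 'Zone.Identifier' is a common benign stream that browsers attach to downloads;
    # review the remaining names and the unusually large streams first.
    $found | Sort-Object Length -Descending | Format-Table -AutoSize
} elseif (Test-Path -LiteralPath $Report) {
    # Nothing found: remove any stale report, as an empty one has no value.
    Remove-Item -LiteralPath $Report
}
```

This version scans files only; streams attached to directories are not covered.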
Screenshot showing a demonstration of ADSCheck's operation: scanning for,
extracting and reporting ADS.
Here's another screenshot showing a part of the generated report, edited for brevity.
And here's a third screenshot showing what extracted files look like.
ADSCheck is 'free software' licensed under the GNU GPL v2.
Latest production version: v1.0.0.46.
Download C++ source code.
Download i386 binary.
Dr. Hatem Kawashti
23 Sep 2005.