ADSCheck

NTFS Alternate Data Stream
checker-extractor-remover

ADSCheck is a security tool for Windows® NTFS 4/5.x (2000, XP and Server 2003) designed to check for the presence of Alternate Data Streams (ADS), which, with their current implementation, represent a security risk, offering crackers a good means to hide their gear in the victim system. ADSCheck can also extract ADS for later examination and/or delete them. It generates a tab-delimited text report in Unicode, thereby making it easy to examine using a database application. There are also verbose and quiet switches to tweak its operation to the user's needs.
If ADSCheck does find ADS and the reporting option was chosen, it automatically launches Windows® “notepad.exe” on the report, unless the automatic launch of Notepad was suppressed with a command-line switch. If it does not find any, it deletes the report file, as its contents will be useless.
A 2-level detailed help on usage is in the program itself.
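
The same kind of check can be run with built-in PowerShell (3.0 or later) on current Windows versions. This is an added example, not ADSCheck's code; the parameter names, report columns and default report path are this example's assumptions.

```powershell
# Added example, not ADSCheck's code. Parameter names, column names and the
# default report path are this example's own choices.
param(
    [string]$Root   = '.',
    [string]$Report = (Join-Path $env:TEMP 'ads-report.txt'),
    [switch]$IncludeZoneIdentifier   # Zone.Identifier is the benign download marker
)

$hits = @(
    # -File: only files are examined here. Directories can carry streams too
    # and are not covered by this example.
    Get-ChildItem -LiteralPath $Root -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * lists every stream; ':$DATA' is the unnamed main stream.
            Get-Item -LiteralPath $_.FullName -Stream * -Force -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
        Select-Object @{ Name = 'File';   Expression = { $_.FileName } },
                      @{ Name = 'Stream'; Expression = { $_.Stream } },
                      @{ Name = 'Bytes';  Expression = { $_.Length } }
)

if ($hits.Count -gt 0) {
    # Tab-delimited, UTF-16 ("Unicode") report that a database tool can import.
    $hits | Export-Csv -LiteralPath $Report -Delimiter "`t" -Encoding Unicode -NoTypeInformation
    Write-Output "$($hits.Count) alternate stream(s) found; report: $Report"
} elseif (Test-Path -LiteralPath $Report) {
    # Nothing found: a stale report from an earlier run would only mislead.
    Remove-Item -LiteralPath $Report
}
```

Files downloaded through a browser normally carry a Zone.Identifier stream, so the example hides those unless -IncludeZoneIdentifier is given.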



Screenshot showing a demonstration of ADSCheck's operation: scanning for, extracting and reporting ADS.
Here's another screenshot showing a part of the generated report, edited for brevity.
And here's a third screenshot showing what extracted files look like.

ADSCheck is 'free software' licensed under the GNU GPL v2.

Latest production version: v1.0.0.46.
Download C++ source code.
Download i386 binary.

Dr. Hatem Kawashti
23 Sep 2005.












