GCIH Question #643: Real Exam Question with Answer & Explanation
The correct answer is A: c:\tools\lads\lads /S c:\Documents. NTFS Alternate Data Streams (ADS) can hide data inside a file system entry, and LADS (List Alternate Data Streams) with the /S switch recursively enumerates these streams, which a standard directory listing does not reveal.
Malware Analysis & Advanced Persistent Threats
Question
Which of the following commands will identify hidden file streams within the C:\Documents folder?
Options
- A
c:\tools\lads\lads /S c:\Documents
- B
eventvwr c:\Documents
- C
type c:\Documents | more
- D
more /r c:\Documents
Explanation
NTFS Alternate Data Streams (ADS) let a single file system entry carry additional named streams beyond the primary (unnamed) data stream, and attackers use them to stash tools or payloads behind innocuous files. A plain `dir` listing and `type` show only the primary stream, so the streams stay hidden. LADS (List Alternate Data Streams) is a third-party command-line tool written for exactly this purpose; the /S switch makes it walk C:\Documents and all of its subdirectories and report every named stream it finds. Two caveats a responder should keep in mind: ADS exist only on NTFS, so copying a file to FAT, exFAT or a network share that is not NTFS silently drops the streams, and not every stream is malicious (browsers tag downloads with a benign `Zone.Identifier` stream). Modern Windows offers built-in equivalents: `dir /R` (Windows Vista and later) lists streams, and the Sysinternals `streams -s` utility recurses a directory the way LADS /S does.
Common mistakes.
- B. Event Viewer (eventvwr) displays Windows event logs from the system, security, and application channels and has no ability to inspect NTFS file system metadata or alternate data streams.
- C. The 'type' command outputs the primary data stream of a text file to the console and cannot enumerate or reveal ADS hidden within NTFS file system entries.
- D. 'more /r' is not a valid Windows command for listing file streams; the 'more' command is a text pager utility and does not interact with NTFS alternate data stream metadata.
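As an added example that is not part of the exam page or of the LADS tool, the same recursive enumeration can be done with built-in PowerShell cmdlets on any NTFS volume (Windows PowerShell 3.0 or later is assumed for the -Stream parameter). The scratch folder under $env:TEMP, the stream name `evil.exe` and the function name `Get-AlternateDataStream` are constructed for the demonstration and are not part of any real tool:

```powershell
# Added example (not from the exam page or the LADS tool): recursively list
# NTFS alternate data streams, the job "lads /S" does, with built-in cmdlets.
# Assumes Windows PowerShell 3.0+ and an NTFS volume.

function Get-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Path
    )

    # -Force includes hidden/system files; locked files are skipped, not fatal.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns every stream, including the primary ':$DATA'
            # stream, which is just the normal file content and is filtered out.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [PSCustomObject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                    }
                }
        }
}

# --- Constructed demo: a scratch tree with one hidden stream, then the scan ---
$demo    = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path (Join-Path $demo 'sub') -Force | Out-Null

$clean   = Join-Path $demo 'readme.txt'
$tainted = Join-Path $demo 'sub\report.docx'
Set-Content -LiteralPath $clean   -Value 'nothing to see here'
Set-Content -LiteralPath $tainted -Value 'ordinary primary stream'

# Hide a (constructed) payload in a stream named evil.exe behind report.docx.
# "dir" and "type sub\report.docx" will not show it; the file size is unchanged.
Set-Content -LiteralPath $tainted -Stream 'evil.exe' -Value 'MZ... constructed payload ...'

# Benign ADS that browsers add to downloads; it shows up in the scan too,
# which is why results need triage rather than being treated as all-malicious.
Set-Content -LiteralPath $clean -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

Get-AlternateDataStream -Path $demo | Format-Table -AutoSize

# Once a suspicious stream is found, read it directly from the stream:
Get-Content -LiteralPath $tainted -Stream 'evil.exe'

Remove-Item -LiteralPath $demo -Recurse -Force
```

The scan reports two rows: `readme.txt` with `Zone.Identifier` and `sub\report.docx` with `evil.exe`. From a plain command prompt the equivalent checks are `dir /R /S c:\Documents` (Windows Vista and later) or the Sysinternals `streams -s c:\Documents`; all three read the same NTFS stream metadata that `eventvwr`, `type` and `more` never touch.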
Concept tested. Detecting NTFS alternate data streams with the LADS tool
Reference. https://learn.microsoft.com/en-us/sysinternals/downloads/streams
Topics
#alternate data streams#LADS#NTFS#hidden files