Corey Harrell · Dec 12, 2012 · 3:30 AM UTC

Corey Harrell @corey_harrell

12 Dec 2012

New jIIr post: Extracting ZeroAccess from NTFS Extended Attributes journeyintoir.blogspot.com/2… examining NTFS Extended Attributes #DFIR

Hal Pomeranz · Dec 12, 2012 · 9:51 AM UTC

Hal Pomeranz · Dec 12, 2012 · 9:51 AM UTC

Hal Pomeranz @hal_pomeranz

12 Dec 2012

@corey_harrell I know TSK's fls will show alt data streams ("fls -rp <img> | grep ':.*:'"). Does it also have a mode where it shows $EA?

Dec 12, 2012 · 9:51 AM UTC

Corey Harrell · Dec 12, 2012 · 12:23 PM UTC

Corey Harrell @corey_harrell

12 Dec 2012

@hal_pomeranz I looked at all fls switches & it doesn't show $EA. istat doesn't have a recursive mode either. One reason I used a mft parser

Hal Pomeranz · Dec 12, 2012 · 12:50 PM UTC

Hal Pomeranz @hal_pomeranz

12 Dec 2012

@corey_harrell Of course istat has a recursive mode-- it's called bash shell scripting... :-)