
Windows Forensics and Incident Recovery by Harlan Carvey


File Attributes

The easiest way to hide data on a live file system is simply to change the name or extension of the file in question. Renaming a program from “malware.exe” to something innocuous such as “sol.exe” would very likely hide it from a casual observer. An administrator specifically looking for something suspicious may be just as likely to miss it, particularly if it sits in a directory where such a file is expected to be seen. For example, the executable image for the Solitaire card game, sol.exe, is located in the %WINDIR%[1]\system32 directory on most Windows systems.

[1] %WINDIR% is an environment variable that points to the directory where Windows is installed; it translates to C:\WINNT on Windows NT and ...
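Renaming changes only the file's name, not its contents, which is what a defender can key on. The following is an added example (not code from the book) that compares files carrying a baselined name such as sol.exe against a known-good content hash and flags any whose hash differs; the baseline dictionary, the stand-in file contents and the temporary directories are all constructed for the demonstration, whereas a real baseline would come from a trusted reference system or hash set.

```python
import hashlib
import os
import tempfile


def sha256_of(path):
    """Return the SHA-256 hex digest of a file's contents."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_masqueraders(directory, baseline):
    """Return names of files in `directory` whose name is in `baseline`
    (lower-cased name -> known-good SHA-256) but whose contents hash to
    something else: a foreign binary renamed to sol.exe is caught here."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        expected = baseline.get(name.lower())  # Windows names are case-insensitive
        if expected is not None and sha256_of(path) != expected:
            findings.append(name)
    return findings


def demo():
    """Constructed scenario: `clean` holds the genuine sol.exe the baseline was
    built from; `suspect` holds an unrelated executable renamed to sol.exe."""
    genuine = b"MZ constructed stand-in for the real Solitaire image"
    foreign = b"MZ constructed stand-in for some unrelated executable"
    with tempfile.TemporaryDirectory() as clean, tempfile.TemporaryDirectory() as suspect:
        with open(os.path.join(clean, "sol.exe"), "wb") as f:
            f.write(genuine)
        dropped = os.path.join(suspect, "malware.exe")
        with open(dropped, "wb") as f:
            f.write(foreign)
        before = sha256_of(dropped)
        os.rename(dropped, os.path.join(suspect, "SOL.EXE"))  # the rename described in the text
        after = sha256_of(os.path.join(suspect, "SOL.EXE"))
        baseline = {"sol.exe": sha256_of(os.path.join(clean, "sol.exe"))}
        return (find_masqueraders(clean, baseline),
                find_masqueraders(suspect, baseline),
                before == after)  # True: the rename left the content hash untouched


if __name__ == "__main__":
    print(demo())  # ([], ['SOL.EXE'], True)
```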
