I'm sure it comes as no great shock that I am a member of a number of listserves on digital forensics. One question that seems to come up every few weeks is NTFS Alternate Data Streams. There have been many excellent articles on ADS, so I don't propose to go heavily into the details here. I will just include an overview and some of the better references. This is a basic overview. If you want more details, check out the links for some really good write-ups.
What are Alternate Data Streams?
Alternate Data Streams (ADS) have been around since the introduction of windows NTFS. They were designed to provide compatibility with the old Hierarchical File System (HFS) from Mac which uses something called resource forks.
Basically, ADS can be used to hide the presence of a secret or malicious file inside the file record of an innocent file. That is, when windows shows you a file, say "readme.txt", the metadata that tells your system where to get "readme.txt" may also contain information for "EvilSpyware.exe". Thus, malicious files may be on your system and you cannot see them using normal means.
How are ADS used?
A blackhat on your system can trojanize one of your regular, trusted files and use it to hide their toolkit so that your system will not see it. Or, a criminal may use the technique to hide something on their own system so that others will not readily find it.
To see how easy this is, try it yourself:
- Go to a temp directory and create a txt file
- Right Click, select New > Text document, enter the name "readme"
- Open the file in notepad and enter text "I am a harmless file". Save and close.
- Open a command prompt Start > Run? , enter "cmd", click OK
- In the command window, go to your temp directory.
- Type the following to confirm that you have a good victim file: notepad readme.txt
- A notepad window will pop up and show your harmless text.
- This has all been setup. Now we get to the ADS part.
- Type the following to save secret notes to a different text file and hide the reference to that text file inside of "readme.txt", echo this is my list of secret evil stuff > readme.txt:secret.txt
- Now if you type the following you will see only your original file... "notepad readme.txt"
- ? but if you type this, you will see your secret message "notepad readme.txt:secret.txt"
- Not only can you hide text, but you can hide executable as well. You also don't need to use a txt file as the host for hiding your file. Several other file formats, including directories can be used to hide files. For a great discussion of both of these techniques, check out http://www.irongeek.com/i.php?page=security/altds and http://www.windowsecurity.com/articles/alternate_data_streams.html
How can I detect ADS?
There are quite a number of ADS tools out there at the moment, here are a few to get you started.
Enjoy!
Quinn Shamblin, GCFA Silver #2801, Investigator, University of Cincinnati Information Security — quinn.shamblin@uc.edu.
