Caleb Walter Alternate Data Streams in Windows

Upload: melissa-manning

Post on 26-Dec-2015


TRANSCRIPT

Page 1: Caleb Walter. Created when Microsoft made the NTFS File system in NT 3.1 Made for Compatibility with HFS HFS uses Data Forks ; NTFS uses File Extensions

Caleb Walter

Alternate Data Streams in Windows

Page 2: What is ADS?

- Created when Microsoft made the NTFS file system in NT 3.1
- Made for compatibility with HFS: HFS uses data forks; NTFS uses file extensions
- Many applications use ADS to store attributes about files
- Summary files for text are a prime example

Page 3: ADS for Network Security

- Can be used to pass on files attached secretly to others
- Not well known to the public
- Generally hidden from all users
- Not very many AVs can detect them accurately
- They can store a file of any size and type; a compromised or corrupted executable, for example

Page 4: Creating an ADS (File)

- ADS can be created in multiple ways
- Creating an ADS in a file: free hard drive space goes down, but the reported file size does not

Page 5: Creating ADS (File)

- First command creates a file and appends some text to it
- Second command confirms that the file has the correct contents
- Third command creates a file inside of that file and has Notepad open it
- If the ADS is successful, Notepad will open a BLANK notepad file

Page 6: Creating ADS (Entire Directory)

- You can also create an ADS within an entire directory
- Easier access to ADS files, as exact navigation isn't needed

Page 7: Creating an ADS (Entire Directory)

- First command creates a directory in C:\
- Second command navigates to said new directory
- Third command writes some text to a file that will be saved
- Fourth command opens the file within Notepad
- All contents should be visible

Page 8: Using an ADS

- Hiding text is fun and all, but the real power comes in hiding executables
- Executables can be both hidden in and remotely executed inside an ADS
- Perfect malware hiding spot

Page 9: Creating the ADS

- First command creates the file that will have the ADS created
- Second command inserts the Notepad executable inside the file
- Third command makes sure that only text appears when the file is opened
- Fourth command confirms that while Notepad was put into the file, the reported file size remains the same

Page 10: Detecting an ADS

- There are multiple programs that can be used to find ADS within Windows
- These programs tend to be standalone and either use CMD or a GUI to find ADS

Page 11: ADS Spy

- ADS Spy is a handy tool that can scan for ADS within any level of the Windows operating system (files, folders, directories, drives)
- It can also calculate an MD5 checksum for all scanned files to check their integrity
- It can also delete the alternate data streams without deleting the base file

Page 12: Detecting with ADS Spy

- Select which scanning width you desire:
  - Quick Scan only scans the C:\Windows folder
  - Full Scan scans all recorded NTFS drives on the system
  - Scan Only has you select a specific folder to scan

Page 13: Detecting with ADS Spy cont.

- Scan results are shown in the file box at the bottom of the GUI
- If ADS are detected, you can now choose to remove them using the "Remove Selected Streams" button
- If MD5 checksums were calculated, they will also show within this box for every ADS detected
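The command sequences the deck describes on pages 5 and 9 and the ADS Spy scan, MD5 and remove workflow from pages 11 to 13, rebuilt as one PowerShell script. This is an added example, not the slides' own commands or ADS Spy's code; the scratch folder, file name, stream name and contents are constructed, and it assumes an NTFS volume with Windows PowerShell 5.1 or PowerShell 7.

```powershell
# Added example, not from the slides or from ADS Spy: the page-5 demo rebuilt in a
# scratch folder, then the ADS Spy workflow (enumerate, MD5, remove) done from
# PowerShell. Assumes an NTFS volume and Windows PowerShell 5.1 or PowerShell 7;
# folder, file, stream names and contents are constructed for the demo.
$ErrorActionPreference = 'Stop'
$lab  = Join-Path $env:TEMP 'ads-lab'
New-Item -ItemType Directory -Path $lab -Force | Out-Null
$file = Join-Path $lab 'test.txt'

# Page 5: the first write is the visible text, the second lands in a named stream of
# the same file (cmd equivalent: echo ... > test.txt:hidden.txt).
Set-Content -LiteralPath $file -Value 'This is a test'
Set-Content -LiteralPath $file -Stream 'hidden.txt' -Value 'text the default view never shows'

# Page 9's size check: Length (what plain 'dir' reports) counts only the default stream.
"Reported size: $((Get-Item -LiteralPath $file).Length) bytes ('dir /r' in cmd lists the streams)"

function Get-AdsReport {
    # Recursive scan of one folder, like ADS Spy's 'Scan Only' mode with MD5 turned on.
    # Not every stream is hostile: browsers write Zone.Identifier on downloads, for example.
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force | ForEach-Object {
        $f = $_.FullName
        Get-Item -LiteralPath $f -Stream * |
            Where-Object { $_.Stream -ne ':$DATA' } |   # ':$DATA' is the ordinary content
            ForEach-Object {
                # Raw bytes of the stream (the byte switch is named differently in PS 5.1 and PS 7).
                $bytes = if ($PSVersionTable.PSVersion.Major -ge 6) {
                    Get-Content -LiteralPath $f -Stream $_.Stream -AsByteStream -Raw
                } else {
                    Get-Content -LiteralPath $f -Stream $_.Stream -Encoding Byte -Raw
                }
                if ($null -eq $bytes) { $bytes = [byte[]]::new(0) }   # empty stream
                $ms = [System.IO.MemoryStream]::new([byte[]]@($bytes))
                [pscustomobject]@{
                    File   = $f
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    MD5    = (Get-FileHash -Algorithm MD5 -InputStream $ms).Hash
                }
            }
    }
}

# 'Remove Selected Streams': only the stream goes, the base file and its text survive.
$report = Get-AdsReport -Path $lab
$report | Format-Table -AutoSize
foreach ($r in $report) { Remove-Item -LiteralPath $r.File -Stream $r.Stream }
"Streams left: $(@(Get-AdsReport -Path $lab).Count); base file still reads: $(Get-Content -LiteralPath $file)"
```

Run it in a fresh console; the report lists hidden.txt with its size and MD5 before the removal loop, and the final line shows zero streams with the visible text intact.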

Page 14: Detecting ADS with ADS Spy

Page 15: HiJackThis

- HiJackThis is an award-winning tool that can scan and detect the contents of the Windows Registry and hard drives
- Can save log files and submit them for online analysis
- Includes other tools: StartupList, ADS Spy, HOSTS file manager

Page 16: HiJackThis Detection

- On the main screen, navigate to Misc Tools and select ADS Spy
- This is where you will also find all the other handy HiJackThis tools: NT Service, HOSTS Manager, etc.
- There are multiple similar options here to use: Quick Scan, Ignore safe system files, Calculate MD5

Page 17: Detecting with HiJackThis

Page 18: Detecting with HiJackThis

- Results from any scan will show in the data box
- Multiple options for dealing with newly found files:
  - Save Log to submit for online expert analysis
  - Remove Selected to remove the selected streams

Page 19: Practical Uses for ADS

- Hiding executables inside files for remote execution later
- Hiding videos for transport inside a file