Lots of apologies that I haven’t been blogging lately. I have recently got married, and as you can imagine that has taken up a lot of my time! I’m currently doing a course called the Certified Malware Investigator run by 7Safe, and one of the practical exercises in today’s session was on Alternate Data Streams (ADSs). I’ve been playing around with these and here is a quick summary!

What are ADSs?

From the Microsoft definition, "A stream is a sequence of bytes. In the NTFS file system, streams contain the data that is written to a file, and that gives more information about a file than attributes and properties." What this means is all files in NTFS have at least one stream i.e. the actual data of the file. You can create alternative streams to add in more information. Interestingly, alternate streams are not listed in Windows Explorer, their size is not included in the file's size and ADSs can be added to folders as well as files. It’s also quite difficult without admin or forensics tools to get to the ADS data.

Why would you use an ADS?

There aren’t that many good reasons to be honest, and they aren’t used frequently apart from all downloads on a Windows XP – 7 machine (8 unconfirmed). Legitimate uses include:

1. Extra file metadata such as composer, genre etc for music files
2. IE and Firefox (other browsers unconfirmed) adds in a :Zone.Identifier ADS to all downloaded files from the browser. This means that Windows can warn the user that the file is potentially unsafe. The contents of this ADS will be similar to the below, which is what I found in my downloaded files:

   [ZoneTransfer]
   ZoneId=3

So why are ADSs forensically interesting?

1. You can potentially identify all files which have been downloaded by looking for any :Zone.Identifier ADSs. This might be useful in determining the origins of a file if the internet history is not present or the file has been copied from one NTFS share to another.
2. As you can imagine, because they are hard to see from a user’s perspective, malware can use ADSs to hide executables and all sorts of nasty things in legitimate files. One example for this is Poison Ivy. It might be worth running a scan for any malware cases you are investigating.

How do I find ADSs?

Use SysInternal's stream.exe or NTSecurity’s lns.exe tools to point to a directory to get any ADSs. They have to be referenced exactly to get the data out.

Once you have the name of the ADS, use a command like so to extract out the ADS data:

mklink ads [file with ads]:[ADS name] && type ads > [outputfile] && del ads

I would not give an extension to the output file as you don’t know what it will be (although Zone.Identifier one’s are text, so you can put in .txt) and then check the file contents first with a hex editor to determine what to use to open it.

Further reading

Sadly, ADSs only work on NTFS. I have an example of a png ADS for a text file, but this will be stripped out if put into a zip file, emailed, put onto FTP or HTTP server etc. So instead of giving an example to download, here is some further reading:

• ADS: The forgotten art of information hiding
• Dissecting NTFS hidden streams
• Ultimate guide on manipulating alternate data streams
• Copy, delete or rename ADS using only standard Windows command prompt tools