Lots of apologies that I haven’t been blogging lately. I have recently got married, and as you can imagine that has taken up a lot of my time! I’m currently doing a course called the Certified Malware Investigator run by 7Safe, and one of the practical exercises in today’s session was on Alternate Data Streams (ADSs). I’ve been playing around with these and here is a quick summary!
From the Microsoft definition, "A stream is a sequence of bytes. In the NTFS file system, streams contain the data that is written to a file, and that gives more information about a file than attributes and properties." What this means is that every file on NTFS has at least one stream, i.e. the actual data of the file. You can create alternate streams to hold more information. Interestingly, alternate streams are not listed in Windows Explorer, their size is not included in the file's reported size, and ADSs can be attached to folders as well as files. It's also quite difficult to get at the ADS data without admin or forensics tools.
There aren't that many good reasons to be honest, and they aren't used frequently apart from all downloads on a Windows XP – 7 machine (8 unconfirmed). Legitimate uses include:
For example, the Zone.Identifier stream that Windows attaches to downloaded files contains text like:
[ZoneTransfer]
ZoneId=3
Use Sysinternals' streams.exe or NTSecurity's lns.exe, pointed at a directory, to list any ADSs. The stream names have to be referenced exactly to get the data out.
Once you have the name of the ADS, use a command like so to extract out the ADS data:
mklink ads [file with ads]:[ADS name] && type ads > [outputfile] && del ads
I would not give an extension to the output file as you don't know what it will be (although Zone.Identifier ones are text, so you can use .txt); check the file contents first with a hex editor to determine what to open it with.
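As an added example (not code from the original post), the following PowerShell covers the same ground as the streams.exe/lns.exe listing plus the mklink/type extraction above, in one place: it lists every ADS under a directory, decodes the ZoneId in any Zone.Identifier stream it finds, and copies one stream out to an ordinary file. The scratch file it creates under %TEMP% and the streams on it are constructed for the demo; it relies only on the built-in -Stream support of the FileSystem provider (PowerShell 3.0+).

```powershell
# Added example (not from the original post): list the alternate data streams under a
# directory and decode any Zone.Identifier stream. Requires PowerShell 3.0+ (the -Stream
# parameter of the FileSystem provider) and an NTFS volume.

# Windows URL security zone numbers, as used in Zone.Identifier.
$ZoneNames = @{ 0 = 'My Computer'; 1 = 'Local Intranet'; 2 = 'Trusted Sites';
                3 = 'Internet';    4 = 'Restricted Sites' }

function Get-AdsReport {
    param([Parameter(Mandatory)][string]$Path)

    Get-ChildItem -Path $Path -Recurse -File | ForEach-Object {
        $file = $_
        # ':$DATA' is the file's primary (unnamed) stream; anything else is an ADS.
        Get-Item -Path $file.FullName -Stream * |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $zone = $null
                if ($_.Stream -eq 'Zone.Identifier') {
                    # Body is INI-style text such as "[ZoneTransfer]`r`nZoneId=3".
                    $body = Get-Content -Path $file.FullName -Stream $_.Stream -Raw
                    if ($body -match '(?m)^ZoneId=(\d+)') {
                        $id = [int]$Matches[1]
                        $name = if ($ZoneNames.ContainsKey($id)) { $ZoneNames[$id] } else { 'unknown' }
                        $zone = "$id ($name)"
                    }
                }
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length   # not included in the size Explorer reports
                    Zone   = $zone
                }
            }
    }
}

# Constructed demo data: a scratch file carrying a Zone.Identifier and a second named stream.
$demoDir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$demoFile = Join-Path $demoDir 'download.txt'
Set-Content -Path $demoFile -Value 'visible contents'
Set-Content -Path $demoFile -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
Set-Content -Path $demoFile -Stream 'notes.txt' -Value 'text Explorer will not show'

Get-AdsReport -Path $demoDir | Format-Table -AutoSize
# Copy one stream out to an ordinary file, the same result as the mklink/type one-liner above.
Get-Content -Path $demoFile -Stream 'notes.txt' -Raw | Set-Content -Path (Join-Path $demoDir 'notes.extracted')
```

The report shows the stream sizes that Explorer's file size omits, which is the quickest way to confirm a file is carrying more than its primary stream.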
Sadly, ADSs only work on NTFS. I have an example of a PNG ADS attached to a text file, but it would be stripped out if the file were put into a zip, emailed, or placed on an FTP or HTTP server, etc. So instead of giving an example to download, here is some further reading: