Caleb Walter
Alternate Data Streams in Windows
Created when Microsoft made the NTFS file system for NT 3.1
Made for compatibility with HFS: HFS uses data forks; NTFS uses file extensions
Many applications use ADS to store attributes about files
Summary files for text documents are a prime example
What is ADS?
Can be used to pass files on to others secretly, attached to another file
Not well known to the public
Generally hidden from all users
Not very many AVs can detect them accurately
They can store a file of any size and type; a compromised or corrupted executable, for example
ADS for Network Security
ADS can be created in multiple ways
Creating an ADS in a file: hard drive space goes down, but the reported file size does not
Creating an ADS (File)
First command creates a file and appends some text to it
Second command confirms that the file has the correct contents
Third command creates a file inside of that file and has Notepad open it. If the ADS was created successfully, Notepad will open a BLANK file, because the stream does not exist yet.
Creating ADS (File)
You can also create an ADS on an entire directory
Easier access to ADS files, as exact navigation isn't needed
Creating ADS (Entire Directory)
First command creates a directory under C:\
Second command navigates to that new directory
Third command writes some text to a file that will be saved as a stream
Fourth command opens the file within Notepad; all contents should be visible
Creating an ADS (Entire Directory)
Hiding text is fun and all, but the real power comes in hiding executables
Executables can be both hidden in and executed from inside an ADS
Perfect malware hiding spot
Using an ADS
First command creates the file that will have the ADS attached to it
Second command copies the Notepad executable into a stream of that file
Third command confirms that only the text appears when the file is opened
Fourth command confirms that, although Notepad was put into the file, the reported file size remains the same
Creating the ADS
There are multiple programs that can be used to find ADS within Windows
These programs tend to be standalone and use either the command line or a GUI to find ADS
Detecting an ADS
ADS Spy is a handy tool that can scan for ADS at any level of the Windows file system (files, folders, directories, drives)
It can also calculate an MD5 checksum for every scanned stream to check its integrity
It can also delete the alternate data streams without deleting the base file
ADS Spy
Select which scanning width you desire
Quick Scan only scans the C:\Windows folder
Full Scan scans all recorded NTFS drives on the system
Scan Only has you select a specific folder to scan
Detecting with ADS Spy
Scan results are shown in the file box at the bottom of the GUI
If ADS are detected you can now choose to remove them using the "Remove Selected Streams" button
If MD5 checksum calculation is enabled, the checksum will also show within this box for every ADS detected
Detecting With ADS Spy cont.
Detecting ADS with ADS Spy
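The three things the slides credit ADS Spy with (finding streams, computing MD5 checksums, and removing a stream without deleting the base file) can also be done with cmdlets built into Windows. The script below is an added example, not from the slides or from ADS Spy; the script name Find-Ads.ps1, its -Path and -Remove parameters, and the Zone.Identifier allowlist are my assumptions, and it assumes Windows PowerShell 5.1 or later on an NTFS volume.

```powershell
# Added example (not part of the slides or of ADS Spy): list alternate data
# streams below a directory with built-in cmdlets, report each stream's size
# and MD5, flag streams that begin with an MZ (PE) header, and optionally
# remove the unexpected ones. Assumes Windows PowerShell 5.1+ on an NTFS volume.
# Usage: .\Find-Ads.ps1 -Path C:\Users\Public [-Remove]
param(
    [Parameter(Mandatory)] [string] $Path,
    [switch] $Remove
)
# Zone.Identifier is the "mark of the web" on downloaded files: reported, never removed.
$ExpectedStreams = @('Zone.Identifier')

function Get-StreamFacts {
    param([string] $File, [string] $Stream)
    # .NET file APIs accept the "path:stream" form directly.
    $bytes = [System.IO.File]::ReadAllBytes("${File}:${Stream}")
    $md5   = [System.Security.Cryptography.MD5]::Create().ComputeHash($bytes)
    [pscustomobject]@{
        MD5  = ([System.BitConverter]::ToString($md5) -replace '-', '')
        IsPE = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
    }
}

$found = Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
  ForEach-Object {
    $file = $_.FullName
    # -Stream * lists every stream; ':$DATA' is the file's ordinary content.
    Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
      Where-Object { $_.Stream -ne ':$DATA' } |
      ForEach-Object {
        $facts = Get-StreamFacts -File $file -Stream $_.Stream
        [pscustomobject]@{
            File     = $file
            Stream   = $_.Stream
            Bytes    = $_.Length
            MD5      = $facts.MD5
            IsPE     = $facts.IsPE
            Expected = $ExpectedStreams -contains $_.Stream
        }
      }
  }
$found | Format-Table -AutoSize

if ($Remove) {
    # Remove-Item -Stream deletes only that stream; the base file is untouched.
    $found | Where-Object { -not $_.Expected } | ForEach-Object {
        Remove-Item -LiteralPath $_.File -Stream $_.Stream
    }
}
```

A stream whose IsPE column is True is the executable-hiding case the earlier slides describe, and a plain `dir /r` in cmd.exe lists the same stream names without the hashes.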
HiJackThis is an award-winning tool that can scan and report the contents of the Windows Registry and hard drives
It can save log files and submit them for online analysis
Includes other tools: StartupList, ADS Spy, HOSTS File Manager
HiJackThis
On the main screen, navigate to Misc Tools and select ADS Spy
This is where you will also find all the other handy HiJackThis tools: NT Service manager, HOSTS manager, etc.
There are multiple similar options here to use: Quick Scan, Ignore safe system files, Calculate MD5
HiJackThis Detection
Detecting with HiJackThis
Results from any scan will show in the data box
Multiple options for dealing with newly found files:
Save Log to submit for online expert analysis
Remove Selected to remove the selected streams
Detecting with HiJackThis
Hiding executables inside files for execution later
Hiding videos inside a file for transport
Practical Uses for ADS
http://www.irongeek.com/i.php?page=security/altds
http://www.forensicfocus.com/dissecting-ntfs-hidden-streams
http://www.bleepingcomputer.com/tutorials/windows-alternate-data-streams/
References