Alternate Data Streams in Windows
Caleb Walter
What is ADS?
• Created when Microsoft made the NTFS file system in NT 3.1
• Made for compatibility with HFS
• HFS uses data forks; NTFS uses file extensions
• Many applications use ADS to store attributes about files
• Summary files for text documents are a prime example
ADS for network security
• Can be used to secretly pass files along, attached to other files
• Not well known to the public
• Generally hidden from all users
• Not very many AVs can detect them accurately
• They can store a file of any size and type
• A compromised or corrupted executable, for example
Creating an ADS (file)
• An ADS can be created in multiple ways
• Creating an ADS in a file
• Hard drive space goes down, but the reported file size does not
Creating an ADS (file)
• The first command creates a file and appends some text to it
• The second command confirms that the file has the correct contents
• The third command creates a file inside that file and has Notepad open it
• If the ADS was created successfully, Notepad opens a blank file
Creating an ADS (entire directory)
• You can also create an ADS within an entire directory
• Easier access to ADS files, as exact navigation isn't needed
Creating an ADS (entire directory)
• The first command creates a directory within C:\
• The second command navigates to the new directory
• The third command writes some text to a file that will be saved
• The fourth command opens the file within Notepad
• All contents should be visible
Using an ADS
• Hiding text is fun and all, but the real power comes in hiding executables
• Executables can be both hidden in and remotely executed inside an ADS
• Perfect malware hiding spot
Creating the ADS
• The first command creates the file that will have the ADS attached
• The second command inserts the Notepad executable inside the file
• The third command makes sure that only text appears when the file is opened
• The fourth command confirms that, while Notepad was put into the file, the reported file size remains the same
Detecting an ADS
• There are multiple programs that can be used to find ADS within Windows
• These programs tend to be standalone and use either CMD or a GUI to find ADS
ADS Spy
• ADS Spy is a handy tool that can scan for ADS at any level of the Windows operating system (files, folders, directories, drives)
• It can also calculate an MD5 checksum for every scanned file to check integrity
• It can also delete alternate data streams without deleting the base file
Detecting with ADS Spy
• Select which scanning width you desire
• Quick Scan only scans the C:\Windows folder
• Full Scan scans all recorded NTFS drives on the system
• Scan Only has you select a specific folder to scan
Detecting with ADS Spy cont.
• Scan results are shown in the file box at the bottom of the GUI
• If ADS are detected, you can now choose to remove them using the "Remove Selected Streams" button
• The MD5 checksum, if calculated, is also shown in this box for every ADS detected
HiJackThis
• HiJackThis is an award-winning tool that can scan and detect the contents of the Windows Registry and hard drives
• Can save log files and submit them for online analysis
• Includes other tools:
  • StartupList
  • ADS Spy
  • HOSTS File Manager
HiJackThis detection
• On the main screen, navigate to Misc Tools and select ADS Spy
• This is where you will also find the other handy HiJackThis tools (NT Service, HOSTS Manager, etc.)
• There are multiple similar options to use here:
  • Quick Scan
  • Ignore safe system files
  • Calculate MD5
Detecting with HiJackThis
• Results from any scan are shown in the data box
• Multiple options for dealing with newly found files:
  • Save Log, to submit for online expert analysis
  • Remove Selected, to remove the selected streams
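As an added example (not code from the slides, ADS Spy or HiJackThis), the folder scan those tools perform can be reproduced in PowerShell: it walks a folder tree, lists every named stream on each file or directory, records its size and hash, and flags streams that begin with a PE header, which is what a hidden executable like the Notepad case in the earlier slides would produce. The scan root, the MD5 default and the function names are assumptions; it needs Windows PowerShell 5.1 or PowerShell 7+ on an NTFS volume.

```powershell
# Added example, not code from the slides or from ADS Spy: list every named NTFS
# stream under a folder with its size and hash, and flag streams that hold a PE image.
# Assumes Windows PowerShell 5.1 or PowerShell 7+ on an NTFS volume.

function Get-StreamBytes([string]$Path, [string]$Stream) {
    # The byte-reading switch of Get-Content changed between PowerShell 5.1 and 7+
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $b = Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -Raw
    } else {
        $b = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -Raw
    }
    if ($null -eq $b) { return [byte[]]@() }   # an empty stream reads back as $null
    return [byte[]]$b
}

function Find-AlternateDataStream {
    param([string]$Root, [string]$Algorithm = 'MD5')   # MD5 matches ADS Spy; SHA256 is stronger
    $hasher = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    # Both files and directories can carry streams; -Force includes hidden items
    $items = @(Get-Item -LiteralPath $Root) +
             @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        # Every file has the unnamed ':$DATA' stream; anything else is an ADS
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $streams) {
            try { $bytes = Get-StreamBytes -Path $item.FullName -Stream $s.Stream }
            catch { Write-Warning "Cannot read $($item.FullName):$($s.Stream)"; continue }
            $hash = [BitConverter]::ToString($hasher.ComputeHash($bytes)) -replace '-'
            # A Windows executable starts with 'MZ' (0x4D 0x5A), so a hidden notepad.exe
            # is caught even though the host file still looks like plain text
            $note = ''
            if ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A) {
                $note = 'PE header: possible hidden executable'
            } elseif ($s.Stream -eq 'Zone.Identifier') {
                $note = 'Mark of the Web; expected on downloaded files'
            }
            [pscustomobject]@{
                File = $item.FullName; Stream = $s.Stream; Bytes = $s.Length
                Hash = $hash; Note = $note
            }
        }
    }
}

# Usage with an assumed scan root: report every named stream under Downloads
Find-AlternateDataStream -Root "$env:USERPROFILE\Downloads" |
    Sort-Object Note -Descending | Format-Table -AutoSize
```

Zone.Identifier streams are reported but marked as expected, since browsers add them to every download; anything else, and especially a stream carrying an MZ header, is worth the same look ADS Spy's results box would get.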
Practical uses for ADS
• Hiding executables inside files for remote execution later
• Hiding videos for transport inside a file
References
• http://www.irongeek.com/i.php?page=security/altds
• http://www.forensicfocus.com/dissecting-ntfs-hidden-streams
• http://www.bleepingcomputer.com/tutorials/windows-alternate-data-streams/