Alternate Data Streams in Windows
Transcript of Alternate Data Streams in Windows
Caleb Walter
What is ADS?
- Created when Microsoft made the NTFS file system in NT 3.1
- Made for compatibility with HFS: HFS uses data forks; NTFS uses file extensions
- Many applications use ADS to store attributes about files
- Summary files for text are a prime example
ADS for Network Security
- Can be used to pass on files attached secretly to others
- Not well known to the public
- Generally hidden from all users
- Not very many AVs can detect them accurately
- They can store a file of any size and type; a compromised or corrupted executable, for example
Creating an ADS (File)
- ADS can be created in multiple ways
- Creating an ADS in a file
- Hard drive space goes down, file size does not
Creating ADS (File)
- First command creates a file and appends some text to it
- Second command confirms that the file has the correct contents
- Third command creates a file inside of that file and has Notepad open it
- If the ADS is successful, Notepad will open a BLANK notepad file
Creating ADS (Entire Directory)
- You can also create an ADS within an entire directory
- Easier access to ADS files, as exact navigation isn't needed
Creating an ADS (Entire Directory)
- First command creates a directory within C:\
- Second command navigates to said new directory
- Third command writes some text to a file that will be saved
- Fourth command opens the file within Notepad
- All contents should be visible
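The file and directory procedures above, written out as an added PowerShell example rather than the slides' own commands. It assumes an NTFS volume and a writable current directory; the names demo.txt, hidden.txt and demo-dir are constructed for the demo.

```powershell
# Added example (not from the slides): put a text ADS on a file and on a
# directory, then show that the host file's reported size does not change.
# Assumes an NTFS volume and a writable current directory; the names
# demo.txt, hidden.txt and demo-dir are constructed for the demo.
$ErrorActionPreference = 'Stop'

# File case, mirroring the slide's three commands:
Set-Content -Path .\demo.txt -Value 'visible text'      # 1: create file with text
Get-Content -Path .\demo.txt                              # 2: confirm the contents
$before = (Get-Item -Path .\demo.txt).Length

# 3: write a second stream named "hidden.txt" inside demo.txt
Set-Content -Path .\demo.txt -Stream 'hidden.txt' -Value 'text in the stream'
# (the slide's Notepad step is the cmd form: notepad demo.txt:hidden.txt)
$after = (Get-Item -Path .\demo.txt).Length

# Length reports only the default $DATA stream, so it is unchanged.
"demo.txt size before: $before, after: $after"

# Directory case: the stream hangs off the directory entry itself.
New-Item -ItemType Directory -Path .\demo-dir -Force | Out-Null
Set-Content -Path .\demo-dir -Stream 'hidden.txt' -Value 'text on the directory'

# Reading a named stream back uses the same cmdlet with -Stream.
Get-Content -Path .\demo.txt -Stream 'hidden.txt'
Get-Content -Path .\demo-dir -Stream 'hidden.txt'

# Listing every stream exposes the extra ones; ':$DATA' is the normal file data.
Get-Item -Path .\demo.txt, .\demo-dir -Stream * |
    Select-Object FileName, Stream, Length
```

Explorer and a plain `dir` report only the default stream's size, which is why the slide's "file size does not change" holds; `dir /r` in cmd shows the named streams too.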
Using an ADS
- Hiding text is fun and all, but the real power comes in hiding executables
- Executables can be both hidden in and remotely executed inside an ADS
- Perfect malware hiding spot
Creating the ADS
- First command creates the file that will have the ADS created
- Second command inserts the Notepad executable inside the file
- Third command makes sure that only text appears when the file is opened
- Fourth command confirms that, while Notepad was put into the file, the reported file size remains the same
Detecting an ADS
- There are multiple programs that can be used to find ADS within Windows
- These programs tend to be standalone and use either CMD or a GUI to find ADS
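The scan the slides perform with ADS Spy (enumerate streams, optionally hash them), as an added PowerShell function that is not part of the original deck. The function name Find-Ads is hypothetical; it assumes an NTFS volume and takes the start path and options as parameters.

```powershell
# Added example (not from the slides): enumerate alternate data streams under
# a path, the job the slides do with ADS Spy. Find-Ads is a hypothetical name.
# Assumes an NTFS volume; files and directories are both checked.
function Find-Ads {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier is the "mark of the web" stream that browsers add
        # to downloads; it is expected noise, so it is skipped unless asked.
        [switch] $IncludeZoneIdentifier,
        # Compute an MD5 per stream, like ADS Spy's "Calculate MD5" option.
        [switch] $Hash
    )
    $md5 = [System.Security.Cryptography.MD5]::Create()
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $item = $_
        # -Stream * lists every stream; ':$DATA' is the ordinary file content.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' } |
          Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
          ForEach-Object {
            $digest = $null
            if ($Hash) {
                # "file:stream" is how Win32 addresses a named stream.
                $fs = [System.IO.File]::OpenRead("$($item.FullName):$($_.Stream)")
                try {
                    $digest = ($md5.ComputeHash($fs) |
                        ForEach-Object { $_.ToString('x2') }) -join ''
                } finally { $fs.Dispose() }
            }
            [pscustomobject]@{
                File   = $item.FullName
                Stream = $_.Stream
                Bytes  = $_.Length
                MD5    = $digest
            }
          }
      }
}

# Usage, equivalent to ADS Spy's "Scan Only" mode on one folder:
# Find-Ads -Path 'C:\Users\Public' -Hash | Format-Table -AutoSize
```

A stream the scan flags can be dropped without touching the host file, as ADS Spy does, with `Remove-Item -Path <file> -Stream <name>`.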
ADS Spy
- ADS Spy is a handy tool that can scan for ADS at any level of the Windows operating system (files, folders, directories, drives)
- It can also calculate an MD5 checksum for all scanned files to check their integrity
- It can also delete the alternate data streams without deleting the base file
Detecting with ADS Spy
- Select which scanning width you desire:
  - Quick Scan only scans the C:\Windows folder
  - Full Scan scans all recorded NTFS drives on the system
  - Scan Only has you select a specific folder to scan
Detecting with ADS Spy cont.
- Scan results are shown in the file box at the bottom of the GUI
- If ADS are detected, you can now choose to remove them using the "Remove Selected Streams" button
- The MD5 checksum, if calculated, will also show within this box for every ADS detected
Detecting ADS with ADS Spy
HiJackThis
- HiJackThis is an award-winning tool that can scan and detect the contents of the Windows registry and hard drives
- Can save log files and submit them for online analysis
- Includes other tools: StartupList, ADS Spy, HOSTS file manager
HiJackThis Detection
- On the main screen, navigate to Misc Tools and select ADS Spy
- This is where you will also find all the other handy HiJackThis tools: NT Service, HOSTS Manager, etc.
- There are multiple similar options here to use: Quick Scan, Ignore safe system files, Calculate MD5
Detecting with HiJackThis
Detecting with HiJackThis
- Results from any scan will show in the data box
- Multiple options for dealing with newly found files:
  - Save Log to submit for online expert analysis
  - Remove Selected to remove the selected streams
Practical Uses for ADS
- Hiding executables inside files for remote execution later
- Hiding videos for transport inside a file