spirovskib
Newbie

Joined: Nov 07, 2009
Posts: 6
Location: Skopje, Macedonia
Posted: Wed Dec 02, 2009 4:05 pm Post subject: Searching for Alternate Data Streams
I've been working on Alternate Data Streams for a while now. They seem to be a lost and forgotten art of information hiding, but they are far from useless.
First, it's extremely easy to create an Alternate Data Stream on any Windows system with an NTFS filesystem. Then, all it takes is a little bit of social engineering to persuade someone to give you the host file with the ADS on an appropriate medium (NTFS USB or over the network via SMB).
A seized computer where the data is hidden in ADS may be missed by some analysts, simply because it's a forgotten art.
I did a simple example on how the attacker may try to steal data via ADS.
www.shortinfosec.net/2...reams.html
From what I found, it's not difficult to find the ADS with appropriate tools:
Streams.exe from SysInternals:
www.sysinternals.com/n...ml#streams
ADS Spy GUI Scanner:
www.spywareinfo.com/~m...loads.html
But these files work on the live filesystem. Anyone have experience with forensic type tools that discover ADS?
Regards
Bozidar Spirovski
keydet89
Senior Member

Joined: Oct 19, 2004
Posts: 2378
Location: NoVA
Posted: Wed Dec 02, 2009 4:36 pm Post subject: Re: Searching for Alternate Data Streams
spirovskib wrote:
> But these files work on the live filesystem. Anyone have experience with forensic type tools that discover ADS?
I'm not sure what you mean by "discover". GUI-based tools such as ProDiscover will display the filename as is...PD will do so in red. Tools such as TSK fls.exe will output the filename, all you need to do is grep() for any filename with a colon in it.
Fab4
Senior Member

Joined: Sep 26, 2007
Posts: 101
Location: UK
Posted: Thu Dec 03, 2009 3:01 am Post subject: Re: Searching for Alternate Data Streams
LADS from Frank Heyne
keydet89
Senior Member

Joined: Oct 19, 2004
Posts: 2378
Location: NoVA
Posted: Thu Dec 03, 2009 6:36 am Post subject: Re: Searching for Alternate Data Streams
Fab4 wrote:
> LADS from Frank Heyne
LADS runs on a live system.
Wardy
Senior Member

Joined: Oct 14, 2005
Posts: 134
Location: South West UK
Posted: Thu Dec 03, 2009 6:46 am Post subject: Re: Searching for Alternate Data Streams
Encase clearly shows Alternate Data Stream files. I know for a fact Helix Pro finds them - I wrote the NTFS parser.
I cannot comment on whether FTK does - I simply don't remember.
I wouldn't call it a dying art at all to be honest.
_________________
Black Bag Technologies, Inc.
Rich2005
Senior Member

Joined: Dec 12, 2006
Posts: 191
Location: UK
Posted: Thu Dec 03, 2009 7:15 am Post subject: Re: Searching for Alternate Data Streams
As Wardy says, they're clearly visible/searchable etc. in EnCase (and in things like X-Ways as well, no doubt, though I haven't really tried that myself). I can't, off the top of my head, say that I've had a case where someone has used them to hide stuff yet either.
Fab4
Senior Member

Joined: Sep 26, 2007
Posts: 101
Location: UK
Posted: Thu Dec 03, 2009 7:43 am Post subject: Re: Searching for Alternate Data Streams
keydet89 wrote:
> LADS runs on a live system.
That'll teach me to read the initial post properly!
Can always run the 'live system' ADS tools on a mounted image of the drive under examination.
ForensicRob
Newbie

Joined: Apr 20, 2005
Posts: 12
Location: Indiana, USA
Posted: Thu Dec 03, 2009 8:46 am Post subject: Re: Searching for Alternate Data Streams
The 2nd and 3rd links didn't get me to the information described. Can you fix them?
I agree, tools designed to catch criminals either already have ADS support, or they should add it. Here's one more Windows tool that supports ADS: FI TOOLS (http://www.forensicinnovations.com/fitools.html). It treats them like regular files and provides Text and Hexadecimal previews of them.
I'm not sure I see the point in highlighting them. They are about as common as files with wrong file extensions. Most are not maliciously created. So many files in a Windows installation have creative file extensions that don't exactly match what they are. Most ADS streams are added by the operating system, when properties and metadata are added by the user or when files are downloaded through Internet Explorer. To highlight and hunt down all wrong extensions and/or all ADS would typically be a waste of time, unless you filtered them intelligently, like a search for all files that the user recently downloaded from the Web.
_________________
Rob Zirnstein
President
Forensic Innovations, Inc.
www.ForensicInnovations.com
Rob.Zirnstein @ ForensicInnovations.com
keydet89
Senior Member

Joined: Oct 19, 2004
Posts: 2378
Location: NoVA
Posted: Thu Dec 03, 2009 9:23 am Post subject: Re: Searching for Alternate Data Streams
ForensicRob wrote:
> I'm not sure I see the point in highlighting them. They are about as common as files with wrong file extensions. Most are not maliciously created. So many files in a Windows installation have creative file extensions that don't exactly match what they are. Most ADS streams are added by the operating system, when properties and metadata are added by the user or when files are downloaded through Internet Explorer. To highlight and hunt down all wrong extensions and/or all ADS would typically be a waste of time. Unless you filtered them intelligently, like a search for all files that the user recently downloaded from the Web.
I agree that in most cases, ADS are not maliciously created, and I'm aware of a number of file types and applications that create or utilize ADSs.
Can you describe instances in which the operating system adds ADSs? I ask only because I'm not familiar with this, and having written on ADSs for...wow...almost 10 yrs now, I'm curious to see something new in this area.
Thanks.
Rich2005
Senior Member

Joined: Dec 12, 2006
Posts: 191
Location: UK
Posted: Thu Dec 03, 2009 10:33 am Post subject: Re: Searching for Alternate Data Streams
Can't/doesn't XP add a stream called "encryptable" to its Thumbs.db files?
Then there's the favicon stream for .url files (although whether that's IE and not considered part of the OS, I haven't looked into).
The Zone.Identifier stream when you download files?
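An added example (not code from any poster or tool in this thread) that ties together keydet89's suggestion of grepping TSK fls output for a colon and ForensicRob's point about filtering intelligently: it parses constructed `fls -r -p` style lines, lists every alternate data stream, and then sets aside the stream names the thread attributes to the OS or IE (Zone.Identifier, encryptable, favicon) so only the unexplained ones remain. The sample listing and the allowlist are assumptions made for the demonstration.

```python
import re

# Constructed sample of TSK `fls -r -p` output over an NTFS image; not from a real case.
# fls lists an alternate data stream as "<path>:<stream>" on its own line.
SAMPLE_FLS = """\
d/d 200-144-2:\tUsers/bob/Downloads
r/r 301-128-1:\tUsers/bob/Downloads/setup.exe
r/r 301-128-3:\tUsers/bob/Downloads/setup.exe:Zone.Identifier
r/r 302-128-1:\tUsers/bob/Pictures/Thumbs.db
r/r 302-128-2:\tUsers/bob/Pictures/Thumbs.db:encryptable
r/r 303-128-1:\tUsers/bob/Favorites/news.url
r/r 303-128-2:\tUsers/bob/Favorites/news.url:favicon
r/r 304-128-1:\tUsers/bob/Documents/report.doc
r/r 304-128-4:\tUsers/bob/Documents/report.doc:payload
* r/r 305-128-2:\tUsers/bob/Documents/old.txt:notes
"""

# Stream names the thread attributes to the OS or IE; assumed allowlist, extend per case.
KNOWN_OS_STREAMS = {"zone.identifier", "encryptable", "favicon"}

# "<* >type addr:<TAB>name"; a leading "* " marks a deleted entry in fls output.
FLS_LINE = re.compile(r"^(?P<deleted>\* )?(?P<type>\S+) (?P<addr>[0-9-]+):\t(?P<name>.+)$")


def parse_fls(text):
    """Parse fls lines into records. NTFS forbids ':' in file names, so the first ':'
    after the address separates the host file path from the stream name."""
    records = []
    for line in text.splitlines():
        m = FLS_LINE.match(line)
        if not m:
            continue  # not an fls entry line
        path, sep, stream = m.group("name").partition(":")
        records.append({
            "addr": m.group("addr"),
            "path": path,
            "stream": stream if sep else None,
            "deleted": m.group("deleted") is not None,
        })
    return records


def find_ads(text):
    """Every entry that is an alternate data stream (the 'grep for a colon' step)."""
    return [r for r in parse_fls(text) if r["stream"] is not None]


def suspicious_ads(text):
    """ADS whose stream name is not one the OS routinely creates: the 'filter
    intelligently' step, so the analyst reviews a handful instead of every stream."""
    return [r for r in find_ads(text) if r["stream"].lower() not in KNOWN_OS_STREAMS]
```

Run against real output by piping `fls -r -p image.dd` into `parse_fls`; deleted entries are kept and flagged rather than dropped, since a removed host file can still carry a recoverable stream.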