Searching for Alternate Data Streams

ForensicRob
(@forensicrob)
Eminent Member
Joined: 20 years ago
Posts: 26
 

Here are some examples

"Zone.Identifier" is a stream that Internet Explorer adds to files that are downloaded from the Web. The contents are simple "[ZoneTransfer]<cr><lf>ZoneId=3<cr><lf>" I haven't seen any other ZoneId's used yet.

"AFP_AfpInfo" is a stream related to files copied from a Macintosh system. The contents are binary and start with "AFP". The Mac application codes are at offset 0x10 and 0x14. They could be used to help identify a file if you trust them.

"OECustomProperty" is a stream added by Outlook Express to store custom properties associated with the file.

"encryptable" is a stream that I have seen added to a few files, but it is always empty, and I don't know yet what is adding it.

"favicon" is an icon attached as a stream on .URL files to hold the icon that the web site uses. This is another stream added by Internet Explorer when you create a shortcut to a web site.

"|Q30lsldxJoudresxAaaqpcawXc" is a stream I've found on some image files. It is a text file encoded as UTF-16BE, and appears to be a thumbnail image of the host file. I think MS Paint may be adding these.

Does anyone have some more examples? I haven't spent much time looking into this yet.


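As an added example, not code from the original post or from any of the tools named in this thread, here is a small Python triage helper that recognises the stream names Rob lists, parses the ZoneId out of a Zone.Identifier stream and checks the "AFP" signature and the codes at offsets 0x10/0x14 in AFP_AfpInfo. The KNOWN_STREAMS table, the function names and the sample stream contents are my own constructions based on the descriptions above.

```python
"""Classify NTFS alternate data streams (ADS) by name and content.

Constructed example for triaging streams found during a forensic review;
the stream name/content pairs in SAMPLES are made up, not captured evidence.
"""
import re

# Stream names and the application that writes them, as described in the thread.
KNOWN_STREAMS = {
    "Zone.Identifier": "Internet Explorer download marker",
    "AFP_AfpInfo": "file copied from a Macintosh system",
    "OECustomProperty": "Outlook Express custom properties",
    "encryptable": "origin unknown, normally empty",
    "favicon": "Internet Explorer .URL shortcut icon",
    "|Q30lsldxJoudresxAaaqpcawXc": "Indexing Service thumbnail (UTF-16BE text)",
}


def parse_zone_identifier(data: bytes):
    """Return the ZoneId from a Zone.Identifier stream, or None if malformed.

    The expected content is '[ZoneTransfer]\\r\\nZoneId=3\\r\\n'.
    """
    text = data.decode("ascii", errors="replace")
    if not text.lstrip().startswith("[ZoneTransfer]"):
        return None
    match = re.search(r"^ZoneId=(\d+)\s*$", text, re.MULTILINE)
    return int(match.group(1)) if match else None


def classify_stream(name: str, data: bytes) -> str:
    """Describe one ADS; anything unknown or with odd content is marked 'inspect'."""
    if name == "Zone.Identifier":
        zone = parse_zone_identifier(data)
        if zone is None:
            return "Zone.Identifier with unexpected content: inspect"
        return f"{KNOWN_STREAMS[name]} (ZoneId={zone})"
    if name == "AFP_AfpInfo":
        if not data.startswith(b"AFP"):
            return "AFP_AfpInfo without 'AFP' signature: inspect"
        # The Mac application codes sit at offsets 0x10 and 0x14, 4 bytes each.
        code1, code2 = data[0x10:0x14], data[0x14:0x18]
        return f"{KNOWN_STREAMS[name]} codes={code1!r},{code2!r}"
    if name == "encryptable" and data:
        return "encryptable stream is normally empty but has content: inspect"
    if name in KNOWN_STREAMS:
        return KNOWN_STREAMS[name]
    return f"unknown stream {name!r} ({len(data)} bytes): inspect"


def triage(streams):
    """Map a list of (name, content) pairs to (name, description) pairs."""
    return [(name, classify_stream(name, data)) for name, data in streams]


# Constructed sample streams, as they might be pulled off an image under review.
SAMPLES = [
    ("Zone.Identifier", b"[ZoneTransfer]\r\nZoneId=3\r\n"),
    ("AFP_AfpInfo", b"AFP\x00" + b"\x00" * 12 + b"JPEG" + b"8BIM" + b"\x00" * 8),
    ("encryptable", b""),
    ("odd_name", b"MZ\x90\x00"),
]
```

On a Windows host the content of a stream can be read with `open(r"file.jpg:Zone.Identifier", "rb")`; enumerating which streams exist needs a tool such as the Streams or LADS utilities mentioned later in this thread.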
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Rob,

Thanks. Most of the examples you gave are ADSs added by various applications, rather than the operating system itself.

Your last example is an ADS added to images by the Indexing Service. Many of the other ADSs you mention that are added by applications are covered on pp. 314-320 of WFA 2/e.

Do you have any specific examples of ADSs added by the operating system itself, and not by applications?

Again, thanks for what you've provided so far.


jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133
 

This may come in useful
ADS is a utility to help you find, inspect and (optionally) remove Alternate Data Streams from your NTFS disks.
http://tp.lc.ehu.es/jma/win95.html
(among many others)
Besides LADS and Streams, this can be nice
http://download.microsoft.com/download/F/C/6/FC6943EB-790A-44AA-B32D-14ED7E22FD5D/NTFSExt.exe

An article right here
http://www.forensicfocus.com/dissecting-ntfs-hidden-streams

And this is a good reference paper.
http://www.sans.org/rr/whitepapers/honors/1503.php

I guess that those thumbnails come from this
http://support.microsoft.com/kb/319300/en-us

jaclaz


ForensicRob
(@forensicrob)
Eminent Member
Joined: 20 years ago
Posts: 26
 

keydet89,

By saying "added by the operating system", I meant applications that are bundled with each Microsoft OS. While the "encryptable" stream looks like it is directly from the OS (not applications), the rest of my list result from bundled applications and are also non-malicious.

What is "WFA 2/e"? I have a "Windows Forensics" book, but not that one.

I do not have any more examples of ADSs today.

jaclaz,

Those were some good links, thank you.

Rob


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

What is "WFA 2/e"?

Windows Forensic Analysis, second edition
http://www.syngress.com/digital-forensics/Windows-Forensic-Analysis-DVD-Toolkit-Second-Edition/


(@joeltharas)
Trusted Member
Joined: 16 years ago
Posts: 53
 

Great links Bozidar.
Thanks

