
Alternate Data Streams in Windows



Presentation Transcript


  1. Alternate Data Streams in Windows
  Caleb Walter

  2. What is ADS?
  • Created when Microsoft made the NTFS file system in NT 3.1
  • Made for compatibility with HFS
  • HFS uses data forks; NTFS uses file extensions
  • Many applications use ADS to store attributes about files
  • Summary files for text are a prime example

  3. ADS for Network Security
  • Can be used to pass on files attached secretly to others
  • Not well known to the public
  • Generally hidden from all users
  • Not very many AVs can detect them accurately
  • They can store a file of any size and type
  • A compromised / corrupted executable, for example

  4. Creating an ADS (File)
  • An ADS can be created in multiple ways
  • Creating an ADS in a file
  • Hard drive space goes down; the reported file size does not change

  5. Creating ADS (File)
  • First command creates a file and appends some text to it
  • Second command confirms that the file has the correct contents
  • Third command creates a file inside of that file and has Notepad open it
  • If the ADS is successful, Notepad will open a blank file

  6. Creating ADS (Entire Directory)
  • You can also create an ADS within an entire directory
  • Easier access to ADS files, as exact navigation isn't needed

  7. Creating an ADS (Entire Directory)
  • First command creates a directory within C:\
  • Second command navigates to the new directory
  • Third command writes some text to a file that will be saved
  • Fourth command opens the file within Notepad
  • All contents should be visible
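The file and directory steps of slides 4 through 7, written out as an added example (this is not code from the slides, which use cmd; it is PowerShell 3.0 or later on an NTFS volume). The scratch folder under $env:TEMP, the file name readme.txt and the stream names hidden.txt and note.txt are constructed for the demo, and the directory step assumes a PowerShell build whose -Stream parameter accepts a directory:

```powershell
# Added example, not from the slides: the file and directory steps of slides 4-7 in
# PowerShell. Scratch folder, file name and stream names are constructed for this demo.
$dir  = Join-Path $env:TEMP 'ads-demo'                 # constructed scratch directory
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'readme.txt'

# Slide 5, commands 1-2: create a file with visible text and confirm its contents
Set-Content -LiteralPath $file -Value 'This is the visible content.'
Get-Content -LiteralPath $file

# Slide 5, command 3: attach a named stream to the same file. The slides let Notepad
# create it; here Set-Content -Stream writes it directly, so no GUI is needed.
Set-Content -LiteralPath $file -Stream 'hidden.txt' -Value 'Text that lives in the alternate stream.'

# Slide 4: the size that dir and Explorer report covers only the unnamed :$DATA stream,
# so Length is unchanged by the write to hidden.txt
(Get-Item -LiteralPath $file).Length
Get-Item -LiteralPath $file -Stream *   # lists :$DATA and hidden.txt, each with its own Length

# The stream reads back with Get-Content, or opens in Notepad the way the slides do it
Get-Content -LiteralPath $file -Stream 'hidden.txt'
# notepad.exe "${file}:hidden.txt"

# Slide 7: a directory can carry a named stream as well (assumption: this PowerShell
# build accepts a directory for -Stream; the slides' cmd form, echo text > C:\dir:note.txt,
# is the fallback)
Set-Content -LiteralPath $dir -Stream 'note.txt' -Value 'A stream attached to the directory itself.'
Get-Content -LiteralPath $dir -Stream 'note.txt'
```

The point to take from the two Length values is the one slide 4 makes: the stream consumes disk space but is invisible to the size shown for readme.txt, which is why a size-only check never reveals it.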

  8. Using an ADS
  • Hiding text is fun and all, but the real power comes in hiding executables
  • Executables can be both hidden in and remotely executed inside an ADS
  • Perfect malware hiding spot

  9. Creating the ADS
  • First command creates the file that will have the ADS created
  • Second command inserts the Notepad executable inside the file
  • Third command makes sure that only text appears when the file is opened
  • Fourth command confirms that, while Notepad was put into the file, the reported file size remains the same

  10. Detecting an ADS
  • There are multiple programs that can be used to find ADS within Windows
  • These programs tend to be standalone and use either CMD or a GUI to find ADS

  11. ADS Spy
  • ADS Spy is a handy tool that can scan for ADS at any level of the Windows operating system (files, folders, directories, drives)
  • It can also calculate an MD5 checksum for every scanned file to check integrity
  • It can also delete the alternate data streams without deleting the base file

  12. Detecting with ADS Spy
  • Select which scanning width you desire
  • Quick Scan only scans the C:\Windows folder
  • Full Scan scans all recorded NTFS drives on the system
  • Scan Only has you select a specific folder to scan

  13. Detecting with ADS Spy cont.
  • Scan results are shown in the file box at the bottom of the GUI
  • If ADS are detected, you can choose to remove them using the "Remove Selected Streams" button
  • The MD5 checksum, when calculated, will also show in this box for every ADS detected

  14. Detecting ADS with ADS Spy
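What slides 10 through 14 describe for ADS Spy (scan a folder or drive, list every named stream with its size and MD5, and remove a chosen stream while keeping the base file) can be reproduced with built-in cmdlets. The function below is an added example and is not ADS Spy's or HiJackThis's code; the function name Get-AdsReport, the IncludeZoneIdentifier switch and the demo path under $env:TEMP are constructed for it. It runs on Windows PowerShell 5.1 and PowerShell 7:

```powershell
# Added example, not ADS Spy's code: enumerate named streams under a path, report size
# and MD5 for each, and show how to remove one. Function and switch names are constructed.
function Get-AdsReport {
    param(
        [Parameter(Mandatory)][string]$Path,   # folder or drive root to scan
        [switch]$IncludeZoneIdentifier          # Zone.Identifier is the normal mark-of-the-web, usually noise
    )
    $md5 = [System.Security.Cryptography.MD5]::Create()
    # Scan the root itself plus everything below it; directories can carry streams too (slide 6)
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }   # :$DATA is the file's ordinary content
        foreach ($s in $streams) {
            if ($s.Stream -eq 'Zone.Identifier' -and -not $IncludeZoneIdentifier) { continue }
            # Read the stream as raw bytes; the parameter name differs between 5.1 and 7
            if ($PSVersionTable.PSVersion.Major -ge 6) {
                $bytes = Get-Content -LiteralPath $item.FullName -Stream $s.Stream -AsByteStream -Raw
            } else {
                $bytes = Get-Content -LiteralPath $item.FullName -Stream $s.Stream -Encoding Byte -Raw
            }
            if ($null -eq $bytes) { $bytes = [byte[]]@() }   # an empty stream reads back as $null
            $hash = ($md5.ComputeHash([byte[]]$bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
            [pscustomobject]@{
                File   = $item.FullName
                Stream = $s.Stream
                Length = $s.Length
                MD5    = $hash
            }
        }
    }
}

# Usage (demo path constructed): list the streams, then remove one without touching the base file
$report = Get-AdsReport -Path (Join-Path $env:TEMP 'ads-demo')
$report | Format-Table -AutoSize
# Remove-Item -LiteralPath $report[0].File -Stream $report[0].Stream
```

Two caveats a reviewer of the results should keep in mind. Zone.Identifier streams are written by browsers and mail clients on every download and are skipped by default so they do not drown the report; pass -IncludeZoneIdentifier to see them. And a hash of a stream only tells you whether it changed since the last scan or matches a known file, not whether it is benign, so a named stream on a file that has no reason to carry one is the signal worth following up, whatever its MD5. For a quick look at a single file without this function, cmd's dir /r and PowerShell's Get-Item -Stream * show the same stream names and sizes.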

  15. HiJackThis
  • HiJackThis is an award-winning tool that can scan and detect the contents of the Windows Registry and hard drives
  • Can save log files and submit them for online analysis
  • Includes other tools:
    • StartupList
    • ADS Spy
    • HOSTS File Manager

  16. HiJackThis Detection
  • On the main screen, navigate to Misc Tools and select ADS Spy
  • This is where you will also find all the other handy HiJackThis tools: NT Service, HOSTS Manager, etc.
  • There are multiple similar options here to use:
    • Quick Scan
    • Ignore safe System Files
    • Calculate MD5

  17. Detecting with HiJackThis

  18. Detecting with HiJackThis
  • Results from any scan will show in the data box
  • Multiple options for dealing with newly found files:
    • Save Log to submit for online expert analysis
    • Remove Selected to remove the selected streams

  19. Practical Uses for ADS
  • Hiding executables inside files for remote execution later
  • Hiding videos for transport inside a file

  20. References
  • http://www.irongeek.com/i.php?page=security/altds
  • http://www.forensicfocus.com/dissecting-ntfs-hidden-streams
  • http://www.bleepingcomputer.com/tutorials/windows-alternate-data-streams/
