What are alternate data streams?

Alternate data streams (sometimes referred to as ADS) are a way for a user to obscure files that they don’t want appearing within a file browser or a standard DIR listing (albeit they are easily discoverable with the right tools).  ADS is specific to Windows environments, specifically on NTFS filesystems, and has been around since Windows NT (and was most likely created to provide compatibility with HFS – the old Macintosh Hierarchal File System, and not intended for malicious purposes).  From a technical standpoint, alternate data streams are possible because NTFS MFT entries (how NTFS represents and locates files on the filesystem), are each capable of containing multiple $DATA attributes and thus a single MFT entry can actually point to multiple (and possibly unrelated) streams/files.

An alternate data stream is created by the use of a semi-colon separator between the existing filename and the name you’d like to use for your alternate stream.  For example, if I wanted to create/edit a text file contained within an attached to calc.exe (and given I had the rights to modify the MFT entry associated with calc.exe), I would use the following command:

C:\Windows\System32>notepad calc.exe:hiddentext.txt

And you then would be able to edit/save to your newly created stream – as you can see, the alternate stream does not have to be of the same filetype as the discoverable file – so the possible combinations are endless.  One can even place executable files within an alternate data stream using the type command, for example:

C:\Windows\System32>type evilfile.exe > calc.exe:evilfile.exe

Running an executable located within an alternate data stream requires the use of the “start” command (notice that I need to give start a resolvable path, even when I’m in the same directory as a file):

C:\Windows\System32>start .\calc.exe:evilfile.exe

Locating an alternate data strea is straight forward and a number of tools are available that will list them, including the DIR command in Windows Vista and Windows 7 (however, the DIR command still does not list alternate data streams by default).  A sampling of the available tools include:

Additionally, as mentioned above, if you’re running a Windows Vista or Windows 7 workstation, you can run DIR with a /R flag to show the alternate data streams within your current directory.

Utilizing alternate data streams is a very basic method for evading simple forensics techniques and a quick recursive scan looking for alternative data streams can sometimes yield interesting results when dealing with a less sophisticated subject (additionally, malware sometimes uses this technique to obscure related files).  In order to ensure that you don’t miss the low-hanging fruit during your investigation, or the lurking malware, consider adding an alternate data stream discovery step to your standard forensic analysis procedure.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>