Tutorial - Alternate Data Streams: The Forgotten Art of Information Hiding

Alternate Data Streams are a feature of the NTFS filesystem. In essence they were created to provide compatibility with HFS, the old Macintosh Hierarchical File System. HFS stores a file's contents in two forks: the data fork holds the contents of the document, while the resource fork identifies the file type and other pertinent details.

How do you create an ADS? Wonderfully easy: all you need is the two files; then send the file to be hidden into an ADS of the host file with a simple type command:

type file_to_be_hidden > host_file:name_of_file_to_be_hidden

The most frequent malicious use of ADS is to conceal a trojan or rootkit executable as an Alternate Data Stream (ADS) attached to a perfectly safe file. For instance, once an attacker has penetrated a Windows system, he can easily hide the malicious payload for later access in an executable that is used fairly frequently, such as Calculator.

Alternate Data Streams may also be interesting as a mechanism to hide information and transport it out of an organization.
Once you attach an ADS to a file, there is no visible change in the size of the host file; only the modified date changes. This makes the alternate-streamed file quite difficult to detect. The ADS also does not change the MD5 hash of the original file, so systems that detect file modification through hashing (hash-based integrity monitoring) may fail to notice the hidden file. Here is an example:

C:\Users\user\Desktop>md5sum test.txt
d41d8cd98f00b204e9800998ecf8427e *test.txt

C:\Users\user\Desktop>type image.jpg>test.txt:image.jpg

C:\Users\user\Desktop>md5sum test.txt
d41d8cd98f00b204e9800998ecf8427e *test.txt

One would think that this method of information hiding is great for transferring any amount of information, with an inconspicuous carrier file sent over a network. But there is a catch: most data carriers ignore the Alternate Data Stream. Here is the summary list:
  • Zip, RAR or ARJ will simply compress the host file and disregard the ADS
  • MIME and Base64 encoding (e-mail) will ignore the ADS entirely
  • FAT32 (mostly used on USB flash drives) will lose the ADS, since FAT32 does not support it
  • Steganography programs will read the bytes of the host file and stop at the EOF of the main stream
  • FTP and HTTP transfers ignore the ADS entirely
  • Recording the
But all is not lost. There are still ways to transfer data with an ADS:
  • Transferring the host file over an SMB network share to an NTFS target retains the hidden ADS file
  • Copying the host file to another NTFS file system transfers the hidden ADS file
So the information-theft scenario with ADS is mostly available to employees or other trusted persons:
  1. The malicious user creates a legitimate host file and attaches the file with the information to be stolen as an ADS.
  2. He convinces the manager to take the legitimate file home to work on over the weekend.
  3. At the manager's request, even if USB drives are restricted, IT copies the file over SMB onto the employee's USB drive, which is sparkling clean and conveniently formatted with NTFS.
  4. All logs of the transfer will show only the transfer of the original, approved file to the USB drive.
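A defender's counterpart to the md5sum session above, as an added example that is not from the original post: a PowerShell script that enumerates every alternate data stream under a directory and hashes each stream on its own, so that hash-based monitoring sees the hidden content the host file's unchanged MD5 misses. It assumes PowerShell 7 (for -AsByteStream) on an NTFS volume; the $Root path and the Get-AdsReport function name are my own choices.

```powershell
# Added example, not from the original post. Lists every alternate data stream
# under $Root and hashes each stream separately, because the host file's own
# hash never changes when an ADS is attached to it.
# Assumes PowerShell 7 on an NTFS volume; $Root is a placeholder path.
param([string]$Root = 'C:\Users\user\Desktop')

function Get-AdsReport {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
      ForEach-Object {
        $hostFile = $_
        # ':$DATA' is the main (unnamed) stream; every other entry is an ADS.
        Get-Item -LiteralPath $hostFile.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' } |
          ForEach-Object {
            $stream = $_
            # Read the stream's raw bytes (an empty stream yields $null).
            $bytes = Get-Content -LiteralPath $hostFile.FullName -Stream $stream.Stream -AsByteStream -Raw
            if ($null -eq $bytes) { $bytes = [byte[]]::new(0) }
            $md5 = [System.Security.Cryptography.MD5]::Create()
            $digest = ($md5.ComputeHash([byte[]]$bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
            # Zone.Identifier is the browser "mark of the web": very common and benign,
            # so flag it separately instead of treating every ADS as suspicious.
            $note = 'review'
            if ($stream.Stream -eq 'Zone.Identifier') { $note = 'mark-of-the-web' }
            [pscustomobject]@{
                Host   = $hostFile.FullName
                Stream = $stream.Stream
                Bytes  = $stream.Length
                MD5    = $digest
                Note   = $note
            }
          }
      }
}

Get-AdsReport -Path $Root | Format-Table -AutoSize
```

Run against the desktop from the md5sum session and the hidden image.jpg stream shows up with its own size and hash, even though test.txt itself still hashes to the empty-file MD5.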

What will you do in such a scenario? Talkback is most welcome!


3 comments:

Sean Reynolds said...

Interesting to review all that has been forgotten along the way.

Anonymous said...

If something is forgotten it is not necessarily safe

Rob Zirnstein said...

We at Forensic Innovations haven't forgotten Alternate Data Streams. Our FI TOOLS (http://www.forensicinnovations.com/fitools.html) product treats them just like regular files, listing them alongside their host files.

Contact me directly if you would like a trial registration key for this tool.

Rob Zirnstein
www.ForensicInnovations.com
Rob.Zirnstein@ForensicInnovations.com
