I’m sure it comes as no great shock that I am a member of a number of listservs on digital forensics. One question that seems to come up every few weeks is NTFS Alternate Data Streams. There have been many excellent articles on ADS, so I don’t propose to go heavily into the details here; this is a basic overview plus some of the better references. If you want more detail, check out the links for some really good write-ups.

Alternate Data Streams (ADS) have been around since NTFS first shipped with Windows NT 3.1. They were added so that Windows file servers could store Macintosh files, whose old Hierarchical File System (HFS) splits each file into a data fork and a resource fork; the resource fork needed somewhere to live on an NTFS volume.
Basically, ADS can be used to hide a secret or malicious file inside the file record of an innocent one. Every file on NTFS has a record in the Master File Table, and the file’s content is stored in that record’s unnamed $DATA attribute. The same record can carry additional, named $DATA attributes, and those are the alternate streams. So when Windows shows you a file, say “readme.txt”, the record behind it may also hold a stream addressed as “readme.txt:EvilSpyware.exe”. Explorer and a plain “dir” show only the main stream, and the file size they report counts only the main stream, so the hidden content is invisible using normal means. It is not invisible to stream-aware tools: “dir /r” (Vista and later), PowerShell’s Get-Item with the -Stream parameter, or Sysinternals Streams will all list it. Two caveats worth knowing: streams survive only on NTFS (copy the file to a FAT or exFAT volume, or e-mail it, and they are silently dropped), and many streams are perfectly legitimate, such as the Zone.Identifier stream Windows attaches to downloaded files, so the mere presence of a stream is not evidence of anything.
An attacker with a foothold on your system can attach a toolkit to one of your regular, trusted files and the file will look untouched: same name, same content, same reported size. Or a criminal may use the technique to hide something on their own system so that others will not readily find it.
To see how easy this is, try it yourself:
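The following PowerShell session is an added example, not code from the original post or from any of the tools it refers to. It creates a file, attaches a second stream named after the post’s “EvilSpyware.exe”, shows what the normal and the stream-aware views of the file look like, sweeps a folder for non-default streams, and cleans up. It assumes Windows PowerShell 3.0 or later (when the -Stream parameter appeared) on an NTFS volume; the folder name “ads-demo”, the file name, the stream name and the Find-AlternateStreams function are all made up for the demo.

```powershell
# Added example: create, inspect and remove an NTFS alternate data stream.
# Assumes PowerShell 3.0+ on NTFS. Folder, file and stream names are placeholders.

$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'readme.txt'

# 1. An ordinary file. Its content lives in the unnamed default stream (shown as ':$DATA').
Set-Content -LiteralPath $file -Value 'Nothing to see here.'

# 2. Attach a second, named stream to the same file record.
Set-Content -LiteralPath $file -Stream 'EvilSpyware.exe' -Value 'pretend this is a binary'

# 3. The normal view: Length covers only the default stream, and plain dir shows no stream.
Get-Item -LiteralPath $file | Select-Object Name, Length
Push-Location $dir
cmd /c dir
# 4. The stream-aware view: dir /r (Vista+) lists every stream with its size.
cmd /c dir /r
Pop-Location

# Same thing from PowerShell, then read the hidden content back out.
Get-Item -LiteralPath $file -Stream *
Get-Content -LiteralPath $file -Stream 'EvilSpyware.exe'

# 5. Sweep a tree for non-default streams. Zone.Identifier (Mark of the Web on
#    downloaded files) is legitimate and everywhere, so it is filtered out here;
#    drop that clause if you want to see it too.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}
Find-AlternateStreams -Path $dir

# 6. Remove only the alternate stream (the file and its main content stay), then the demo folder.
Remove-Item -LiteralPath $file -Stream 'EvilSpyware.exe'
Remove-Item -LiteralPath $dir -Recurse -Force
```

The point to notice is step 3 versus step 4: after the second Set-Content the file’s reported Length has not changed and “dir” looks exactly as before, while “dir /r” and Get-Item -Stream * both show readme.txt:EvilSpyware.exe with its own size. Running Find-AlternateStreams against a whole volume is a cheap first pass on a suspect machine, but expect noise from applications that use streams legitimately, so treat the list as leads, not findings.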
There are quite a number of ADS tools out there at the moment; here are a few to get you started.
Enjoy!