An interesting data hiding technique.

keatron, Member, Posts: 1,208
Hello TE community,

I decided to begin posting some training-like posts in order to help those of you coming into the security field get a dose of the real world. I'll start with something known as alternate data streams (or ADS). This is unique to NTFS volumes, and before anybody posts the question, don't even get me started on speculating why Microsoft included this with the NTFS file system; it's there, I'm going to explain it and show you how to take advantage of it (and how attackers take advantage of it), and pray that you only use the knowledge for good intentions. I recently did some forensics on a few workstations at a finance company. The suspected person used this technique for....errrr, let's just say the wrong reasons. So don't ever underestimate the resourcefulness and research skills of end users when they're trying to do something dirty. Remember, Google and relay rooms keep no secrets.

Since the earliest creation of NTFS, Microsoft has included support for HFS (an Apple file system). HFS consists of two different arms, a data arm and a resource arm. What does this mean for NTFS? Well, a file entry in the MFT (Master File Table) can have additional attributes, mainly additional data streams associated with the primary stream. I'm going to post instructions to demonstrate this to yourselves, and again, don't misuse this knowledge. You will not need to download any tools or special software; this is NTFS in its native default mode. So let's go. All commands should be typed exactly as they are displayed in bold.

Go to your command prompt, CD.. all the way to your root (when the prompt reads C:\>), then type the following from the command prompt:

C:\> mkdir techexamstest

Then CD to that directory by typing cd techexamstest

Now type the following exactly as I type it:

echo "What is Keatron up to?" >techexamstest.txt

For those of you not too familiar with the command prompt: we just instructed your machine to create a text document named techexamstest.txt in the current directory. The text file will contain the text "What is Keatron up to?". Go ahead and browse to the current directory via Explorer, find the file and open it to verify that you got it right. Open it and make sure the text is there.

No big deal right? Now type the following at your command prompt.

echo "Now I see how people hide data, and various files by using this technique. I promise not to get myself in trouble with this" >techexamstest.txt:ads.txt (there is a space between the last " and the > symbol)

Now browse to the same directory again and see if you see the file you just created. Not there? Do a dir command from the DOS prompt and see if the file shows up... not there again. Now, type the following at the command prompt:

notepad techexamstest.txt:ads.txt

The document should open in Notepad and have the text in it you typed previously. Where was the file? Why couldn't Explorer see it, and why couldn't you see it listed in DOS when you did the dir command? What could be some damaging results of someone maliciously using this functionality?

Needless to say, you need tools to detect and locate these kinds of files. We'll talk more about that later.

Keatron.
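The same exercise in PowerShell, as an added example that is not part of keatron's post. It uses the -Stream parameter of the FileSystem provider (PowerShell 3.0 and later), which lets you write, list and read named streams without a third-party tool. The directory and file names are the ones from the post; the choice of %TEMP% as the parent directory instead of C:\ is an assumption made here, and the stream content strings are shortened.

```powershell
# Added example, not from the original post. Requires an NTFS volume and PowerShell 3.0+.
$dir  = Join-Path $env:TEMP 'techexamstest'   # assumption: %TEMP% rather than C:\
$file = Join-Path $dir 'techexamstest.txt'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# 1. Write the ordinary, visible content. This is the unnamed stream, which NTFS
#    reports as ':$DATA'. Same effect as: echo "..." >techexamstest.txt
Set-Content -Path $file -Value 'What is Keatron up to?'

# 2. Write a named stream on the SAME file. Same effect as:
#    echo "..." >techexamstest.txt:ads.txt
Set-Content -Path $file -Stream 'ads.txt' -Value 'Now I see how people hide data.'

# 3. A directory listing still shows exactly one file, and its Length counts only
#    the unnamed stream. This is why Explorer and a plain dir show nothing new.
Get-ChildItem -Path $dir | Select-Object Name, Length

# 4. Asking for all streams reveals the ADS and its size. Any stream whose name is
#    not ':$DATA' is an alternate data stream.
Get-Item -Path $file -Stream * | Select-Object FileName, Stream, Length

# 5. Read the hidden stream back; this is what notepad techexamstest.txt:ads.txt opened.
Get-Content -Path $file -Stream 'ads.txt'

# 6. The ADS lives in the file's MFT record, not in a separate file, so deleting the
#    file discards every stream attached to it.
Remove-Item -Path $file
Test-Path -Path $file          # False; the ads.txt stream is gone as well
```

In cmd.exe the equivalent of step 4 is dir /r, which has listed streams since Windows Vista; step 3 reproduces the "not there again" result the post describes, and step 6 shows why the stream cannot outlive its host file.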

Comments

  • Slowhand, Mod, Bay Area, California, Posts: 5,163 (MCSE: Cloud Platform and Infrastructure, MCSA: Windows Server 2003/2012/2016, CCNA Routing & Switchi)
    Wow, that is actually very interesting. . . and useful. I'm going to be playing more with the ADS, and see what comes up. (I don't even want to think of what's hidden on our servers, at work.) Thanks a lot, keatron. Keep those training-like posts comin'.

    Free Microsoft Training: Microsoft Learn
    Free PowerShell Resources: Top PowerShell Blogs
    Free DevOps/Azure Resources: Visual Studio Dev Essentials

    Let it never be said that I didn't do the very least I could do.
  • keatron, Member, Posts: 1,208
    Slowhand wrote:
    Wow, that is actually very interesting. . . and useful. I'm going to be playing more with the ADS, and see what comes up. (I don't even want to think of what's hidden on our servers, at work.) Thanks a lot, keatron. Keep those training-like posts comin'.

    I've actually had nightmares of some nasty perl scripts or shell code being hidden in files waiting for an attacker to come back and make use of.
  • blackzone, Member, Posts: 82
    very nice and practical, thanx for sharing.
  • Opi, Member, Posts: 127
    LADS is a very nice freeware tool that detects ADS.
  • eurotrash, Member, Posts: 817
    With me the file shows up, it simply doesn't display any text (or at least not the text I put in with the ads thing) unless I open it as you said.
    witty comment
  • keatron, Member, Posts: 1,208
    1. Are you using an NTFS volume?

    2. Are you sure you're seeing the right file? You should see techexamstest.txt, but you shouldn't see techexamstest.txt:ads.txt
  • keatron, Member, Posts: 1,208
    Opi wrote:
    LADS is a very nice freeware tool that detects ADS.

    And LADS is one of the tools we were going to discuss for detection. Thanks for the input.
  • eurotrash, Member, Posts: 817
    keatron wrote:
    1. Are you using an NTFS volume?

    2. Are you sure you're seeing the right file? You should see techexamstest.txt, but you shouldn't see techexamstest.txt:ads.txt
    1. Yes.
    2. I'll admit I thought it was supposed to be the same file. But how about this:
    I created an empty folder, then did the echo "blah" >file.txt:ads.txt (without first creating a normal file) -- the "file.txt" appears, but when opened is empty. However, opening it with notepad file.txt:ads.txt produces the hidden text.
    Now I know that the visible file is the one created with the :ads.txt, because not only does it appear when I do that command, but when I delete the file I am no longer able to open the :ads.txt file.

    From your point 2, it seems you're saying that there should be two files: one visible (techexamstest.txt) and one invisible (techexamstest.txt:ads.txt).

    However I just did it your way again and then deleted the visible file (.txt), after which I was no longer able to open the :ads.txt version.

    So what am I missing?
  • Slowhand, Mod, Bay Area, California, Posts: 5,163
    You're not missing anything; that's the way it's supposed to work. The ADS isn't a "separate file", per se. It's a separate data stream for the original, visible file.

  • eurotrash, Member, Posts: 817
    Ohhhhhhhh

    Maybe I should've read the whole post. :P
  • Slowhand, Mod, Bay Area, California, Posts: 5,163
    keatron wrote:
    I've actually had nightmares of some nasty perl scripts or shell code being hidden in files waiting for an attacker to come back and make use of.

    I think we've all had that dream. Of course, in mine, it's always a clown doing the scripting. . . can't sleep, or clown will hack me. (Yeah, I've been watching too much Simpsons.)

  • Non-Profit Techie, Member, Posts: 418
    Thanks Keatron. that is pretty cool. I can hide stuff from my wife now, lol. JK ;)

    I can clearly see how stuff like this will make having a secure computer very difficult.
  • Smallguy, Member, Posts: 597
    good post... great info
  • sprkymrk, Member, Posts: 4,884
    One thing to keep in mind if you do use a tool that scans for ADSes is that there are some legitimate ones (okay, maybe legitimate is the wrong word) that Windows does create and use. Off the top of my head, I think thumbnail image files are one example.

    Keatron can you confirm?
    All things are possible, only believe.
  • Slowhand, Mod, Bay Area, California, Posts: 5,163
    I think IE adds some info in the ADS about "transfers from zone 3" (which would be the Internet). Sound about right?

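A small ADS scanner, added here as an example and not the LADS tool Opi mentioned nor anything from the thread's authors. It addresses sprkymrk's point that a scan has to separate streams Windows writes itself from streams that need a closer look, and Slowhand's example: browsers record a downloaded file's origin in a stream named Zone.Identifier, whose text contains ZoneId=3 for Internet-origin files. The function name, the scan root and the allowlist are assumptions; the allowlist is deliberately short and is a starting point for your own environment, not a complete catalogue of benign streams.

```powershell
# Added example, not from the original thread. Requires an NTFS volume and PowerShell 3.0+.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Streams Windows or browsers write for their own purposes (assumed starting list).
        # ':$DATA' is the normal file content and is always excluded below.
        [string[]]$KnownStreams = @('Zone.Identifier')
    )
    Get-ChildItem -Path $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Enumerate every stream of every file, including hidden/system files (-Force).
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                File   = $_.FileName
                Stream = $_.Stream
                Bytes  = $_.Length
                Known  = ($KnownStreams -contains $_.Stream)
            }
        }
}

# Unknown streams first, largest first: a multi-kilobyte stream on an otherwise
# tiny file is the kind of finding the original post is warning about.
$report = Find-AlternateDataStream -Path "$env:USERPROFILE\Downloads"   # assumed scan root
$report | Sort-Object Known, Bytes -Descending | Format-Table -AutoSize

# Known streams are still worth a glance; Zone.Identifier, for example, records
# where a download came from (ZoneId=3 means the Internet zone).
$report | Where-Object Known | ForEach-Object {
    "{0}:{1}" -f $_.File, $_.Stream
    Get-Content -LiteralPath $_.File -Stream $_.Stream
}
```

Because the function emits objects rather than text, the same output can be exported with Export-Csv for a baseline and diffed against a later run, which is a more useful detection than a one-off listing.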
  • keatron, Member, Posts: 1,208
    sprkymrk wrote:
    One thing to keep in mind if you do use a tool that scans for ADSes is that there are some legitimate ones (okay, maybe legitimate is the wrong word) that Windows does create and use. Off the top of my head, I think thumbnail image files are one example.

    Keatron can you confirm?

    Yes Mark, you're correct, but it's just like scanning the system for ANY type of file to delete; you need to have an idea of what's required and what's extra. Your point simply illustrates the depth of knowledge you need to have of the Windows OS before doing a forensic investigation.
  • Non-Profit Techie, Member, Posts: 418
    I can't wait for more "secrets" :)
  • KGhaleon, Member, Posts: 1,347
    That's pretty nifty, but can you view the data with a Hex editor?

    KG
    Present goals: MCAS, MCSA, 70-680
  • keatron, Member, Posts: 1,208
    KGhaleon wrote:
    That's pretty nifty, but can you view the data with a Hex editor?

    KG

    That depends on the hex editor. Several of them make claims to be able to view this data, but I've only seen one actually do it.