An interesting data hiding technique.

Hello TE community,

I decided to begin posting some training like posts in order to help those of you coming into the security field get a dose of the real world. I’ll start with something known as alternate data streams (or ADS). This is unique to NTFS volumes, and before anybody posts the question, don’t even get me started on speculating why Microsoft included this with the NTFS file system, it’s there, I’m going to explain it and show you how to take advantage of it (and how attackers take advantage of it), and pray that you only use the knowledge for good intentions. I recently did some forensics on a few workstations at a finance company. The suspected person used this technique for....errrr, let's just say the wrong reasons. So don't ever under-estimate the resourcefulness and research skills of end users when they're trying to do something dirty. Remember, google and relay rooms keep no secrets.

Since the earliest creation of NTFS, Microsoft has included support for HFS (an Apple file system). HFS consists of two different arms, a data arm and a resource arm. What does this mean for NTFS? Well a file entry in the MFT (Master File Table), can have additional attributes, mainly additional data streams associated with the primary stream. I’m going to post instructions to demonstrate this to yourselves, and again, don’t misuse this knowledge. You will not need to download any tools, or special software, this is NTFS in it’s native default mode. So let’s go. All commands should be typed exactly as they are displayed in bold.

Go to your command prompt, CD.. all the way to your root (when the prompt reads C:\) then type the following from a command prompt

C:\mkdir techexamstest
Then CD to that directory by typing cd techexamstest

Now type the following exactly as I type it

echo “What is Keatron up to?” >techexamstest.txt

For those of you not to familiar with the command prompt we just instructed your machine to create a text document named techexamstest.txt in the current directory. The text file will contain the text “What is Keatron up to?”. Go ahead and browse to the current directory via explorer, find the file and open to verify that you got it right. Open it and make sure the text is there.

No big deal right? Now type the following at your command prompt.

echo “Now I see how people hide data, and various files by using this technique. I promise not to get myself in trouble with this” >techexamstest.txt:ads.txt (there is a space between the last " and the > symbol)

Now browse to the same directory again and see if you see the file you just created. Not there? Do a dir command from the dos prompt and see if the file shows up……not there again. Now, type the following at the command prompt

notepad techexamstest.txt:ads.txt

The document should open in notepad and have the text in it you typed previously. Where was the file? Why couldn’t explorer see it, why couldn’t you see it listed in dos when you did the dir command? What could be some damaging results of someone maliciously using this functionality?

Needless to say, you need tools to detect and locate these kinds of files. We'll talk more about that later.

Keatron.

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

Slowhand

Wow, that is actually very interesting. . . and useful. I'm going to be playing more with the ADS, and see what comes up. (I don't even want to think of what's hidden on our servers, at work.) Thanks a lot, keatron. Keep those training-like posts comin'.

keatron

Slowhand wrote:

Wow, that is actually very interesting. . . and useful. I'm going to be playing more with the ADS, and see what comes up. (I don't even want to think of what's hidden on our servers, at work.) Thanks a lot, keatron. Keep those training-like posts comin'.

I've actually had nightmares of some nasty perl scripts or shell code being hidden in files waiting for an attacker to come back and make use of.

blackzone

very nice and practical, thanx for sharing.

Opi

LADS

Is a very nice freeware tool that detects ADS.[/url]

eurotrash

With me the file shows up, it simply doesn't display any text (or at least not the text I put in with the ads thing) unless I open it as you said.

keatron

1. Are you using NTFS volume.

2. Are you sure you're seeing the right file. You should see techexamstest.txt, but you shouldn't see techexamstest.txt:ads.txt

keatron

Opi wrote:

LADS

Is a very nice freeware tool that detects ADS.[/url]

And LADS is one of the tools we were going to discuss for detection. Thanks for the input.

eurotrash

keatron wrote:

1. Are you using NTFS volume.

2. Are you sure you're seeing the right file. You should see techexamstest.txt, but you shouldn't see techexamstest.txt:ads.txt

1. Yes.
2. I'll admit I thought it was supposed to be the same file. But how about this:
I created an empty folder, then did the echo "blah" >file.txt:ads.txt (without first creating a normal file) -- the "file.txt" appears, but when opened is empty. However opening it with notepad file.txt:ads:txt produces the hidden text.
Now I know that the visible file is the one created with the :ads.txt, because not only does it appear when I do that command, but when I delete the file I am no longer able to open the :ads.txt file.

From your point 2, it seems you're saying that there should be two files: one visible (techexamstest.txt) and one invisibe (techexamstest.txt:ads.txt).

However I just did it your way again and then deleted the visible file (.txt), after which I was no longer able to open the :ads.txt version.

So what am I missing?

Slowhand

You're not missing anything, that's the way it's supposed to work. The ADS isn't a "seperate file", per say. It's a seperate data stream for the original, visible file.

eurotrash

Ohhhhhhhh

Maybe I should've read the whole post. :P

Slowhand

keatron wrote:

I've actually had nightmares of some nasty perl scripts or shell code being hidden in files waiting for an attacker to come back and make use of.

I think we've all had that dream. Of course, in mine, it's always a clown doing the scripting. . . can't sleep, or clown will hack me. (Yeah, I've been watching too much Simpsons.)

Non-Profit Techie

Thanks Keatron. that is pretty cool. I can hide stuff from my wife now, lol. JK

I can clearly see how stuff like this will make having a secure computer very difficult.

Smallguy

good post... great info

sprkymrk

One thing to keep in mind if you do use a tool that scans for ADS's is that there are some legitimate ones (okay, maybe legitimate is the wrong word) that Windows does create and use. Off the top of my head I think thumbnail images files are one example.

Keatron can you confirm?

Slowhand

I think IE adds some info in the ADS about "transfers from zone 3", (which would be the internet.) Sound about right?

keatron

sprkymrk wrote:

One thing to keep in mind if you do use a tool that scans for ADS's is that there are some legitimate ones (okay, maybe legitimate is the wrong word) that Windows does create and use. Off the top of my head I think thumbnail images files are one example.

Keatron can you confirm?

Yes Mark you're correct, but it's just like scanning the system for ANY types of files to delete; you need to have an idea of what's required and what's extra. Your point simply illustrates the depth of knowledge you need to have as far as the Windows OS before doing a forensic investigation.

Non-Profit Techie

i cant wait for more "secrets"

KGhaleon

That's pretty nifty, but can you view the data with a Hex editor?

KG

keatron

KGhaleon wrote:

That's pretty nifty, but can you view the data with a Hex editor?

KG

That depends on the hex editor. Several of them make claims to be able to view this data, but I've only seen one actually do it.