In 2008, I wrote a blog entry, Simple Techniques That Fool Forensic Tools, that included an introduction to Alternate Data Streams. Now I’d like to go into more detail so that you can better understand the use and danger of Alternate Data Streams (ADS). Microsoft’s New Technology File System (NTFS) was introduced in 1993 to better manage the data on hard drives in Windows NT 3.1. Some features were added to compete with Apple’s technologies. One of these was the Alternate Data Stream, which somewhat mimics Apple’s Resource Fork/Data Fork feature. Apple used these forks to store a file’s data and resources separately from its formatting and metadata. Each Macintosh file was actually stored as two separate files, which the end user was not aware of.
Microsoft’s version, ADS, didn’t separate any of a file’s contents, but rather added the ability to create separate files/streams that are directly connected to the original file but invisible to the end user. You can attach many ADS to a single regular disk file. When the file is copied to a non-NTFS formatted disk, all of the ADS are lost, but the original/copied file is still usable, because most (if not all) applications don’t actually require the ADS to process the file. Microsoft created some uses for ADS when it released NTFS, but then seemed to drop the practice over time. When I wrote my previous blog post on this topic, you could use the File Manager file context menu to open a file’s properties and easily add metadata, which was stored in an ADS. Now that feature has been stripped from the Properties dialog.
Typical ADS
♣BnhqlkugBim0elg1M1pt2tjdZe (Document properties; 1st character = U+2663)
♣SummaryInformation (Document properties; 1st character = U+2663)
{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} (Document properties)
{59828bbb-3f72-4c1b-a420-b51ad66eb5d3} (Created by XPRESS during remote differential compression)
$ATTRIBUTE_LIST (List of attribute records/streams that do not fit in the MFT record)
$BITMAP (Attribute for Bitmaps)
:$DATA (the reference to the unnamed default/main data stream created to store every file’s primary contents)
$EA (Extended attributes index)
$EA_INFORMATION (Extended attributes information)
$FILE_NAME (Filename)
$I30 (Default name for directory streams)
:$INDEX_ALLOCATION (unnamed default/main directory stream created to store directory’s primary contents)
$INDEX_ROOT (Supports directories and indexes)
$J (User Journal)
$LOGGED_UTILITY_STREAM (Used by an encrypted file system)
$MAX (unknown)
$O (Object Id)
$OBJECT_ID (Unique GUID for an MFT record)
$PROPERTY_SET (No longer used?)
$Q (Quota)
$R (Reparse)
$REPARSE_POINT (Used for a volume mount point)
$SDH (unknown)
$SECURITY_DESCRIPTOR (Stores security ACL and SIDs)
$SII (unknown)
$STANDARD_INFORMATION (File times, quota data, etc.)
$SYMBOLIC_LINK (No longer used?)
$TXF_DATA (Transactional NTFS data)
$VOLUME_INFORMATION (Version and state of the volume)
$VOLUME_NAME (Name of the volume)
$VOLUME_VERSION (Volume’s version; no longer used?)
AFP_AfpInfo (Macintosh data fork)
AFP_Resource (Macintosh resource fork)
encryptable (Created by Windows Shell to store attributes relating to thumbnails in the thumbnails database)
favicon (Created by Windows Internet Explorer to store the favorite icon for a web page)
SmartScreen (on some .EXE files?)
- Anaheim
Zone.Identifier (Created by Windows Internet Explorer, to store the URL security zone on a downloaded file)
- [ZoneTransfer]
- ZoneId=3
- HistUrl…
OECustomProperty (Created by Outlook Express, to store custom properties on an email file)
- ????????1SPS…
Examples
TextFile.txt::$DATA (The Default Data Stream created for the text file.)
TextFile.txt:trojan.exe:$DATA (An evil file attached, that can be executed by calling TextFile.txt:trojan.exe from the command line)
How to create an ADS
>type trojan.exe > TextFile.txt:trojan.exe
>echo Hidden text > TextFile.txt:Hidden.txt
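Streams created this way are what a defender needs to enumerate. The following PowerShell function is an added example, not code from the original post or from the FI TOOLS products; it relies on the built-in -Stream support of Get-Item/Get-Content (PowerShell 3.0 and later, NTFS volumes only), and the function and parameter names are my own.

```powershell
# Added example: list every non-default Alternate Data Stream under a directory
# and pull the ZoneId out of any Zone.Identifier stream found.
# Function and parameter names are assumptions for this illustration.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Path,   # directory to scan
        [switch] $Recurse
    )

    # -Force includes hidden/system files, where unexpected streams tend to sit.
    Get-ChildItem -LiteralPath $Path -File -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * returns one object per stream, including the unnamed ':$DATA'
        # default stream, which is filtered out because every file has it.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $zoneId = $null
            if ($_.Stream -eq 'Zone.Identifier') {
                # Zone.Identifier is INI-style text: [ZoneTransfer] then ZoneId=<n>
                $text = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -Raw -ErrorAction SilentlyContinue
                if ($text -match '(?m)^ZoneId=(\d+)') { $zoneId = [int] $Matches[1] }
            }
            [pscustomobject]@{
                File   = $file.FullName
                Stream = $_.Stream
                Bytes  = $_.Length
                ZoneId = $zoneId     # 3 = Internet zone; $null for streams other than Zone.Identifier
            }
        }
    }
}

# Usage: report streams under the Downloads folder, largest first. A large stream
# hanging off a small text file (like TextFile.txt:trojan.exe above) stands out.
Find-AlternateDataStream -Path "$env:USERPROFILE\Downloads" -Recurse |
    Sort-Object Bytes -Descending | Format-Table -AutoSize
```

To inspect a stream the scan surfaces, read it with Get-Content -Stream <name> on the same file; Remove-Item -Stream <name> deletes only that stream and leaves the primary data untouched.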
Our FI TOOLS, File Investigator API, and upcoming Dark Data Detective products support the detection and processing of ADS files. I’ve included web links on a number of the terms here for further study, as well as on the images, to visit their sources.