Tuesday, November 22, 2005

"Practical Guide to Alternative Data Streams in NTFS"


"Alternative Data Stream support was added to NTFS (Windows NT, Windows 2000 and Windows XP) to help support Macintosh Hierarchical File System (HFS) which uses resource forks to store icons and other information for a file. While this is the intended use (as well as a few Windows internal functions) there are other uses for Alternative Data Streams that should concern system administrators and security professionals. Using Alternative Data Streams a user can easily hide files that can go undetected unless closely inspected. This tutorial will give basic information on how to manipulate and detect Alternative Data Streams. ..."

ADS is something I need to start looking at and thinking about.

This Guide is a nice intro into ADS, providing understandable info-chunks as well as links to additional information and utilities.

One cool free ADS utility that's not listed in the guide is Stream Explorer.
"Stream Explorer will show you the number of streams in each file as they are listed per folder.

When you select a directory entry, Stream Explorer will list all the streams in that entry, and you can see their type, their size and contents. The unnamed stream is shown as . "
What the guide doesn't talk about is how ADS is used by Windows XP+ to identify files that have been downloaded from a different "Zone" than the one the host computer is on (i.e. files you download off the internet). The "Zone.Identifier" stream is used by Windows to remember to prompt/warn the user each time the file is launched. Here and here is a little more info on this...
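As an added example (not code from the original post or the linked guide): a small Python parser for the body of a Zone.Identifier stream, plus a Windows-only reader that opens the stream as `file:Zone.Identifier`. The sample stream body, its URLs and the `untrusted` flag name are constructed for the example.

```python
import os

# Security zone numbers that appear in the ZoneId line of a Zone.Identifier stream.
ZONE_NAMES = {
    0: "Local machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of a Zone.Identifier stream as written for a browser download.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://example.invalid/downloads/tool.exe\r\n"
)


def parse_zone_identifier(text):
    """Parse the INI-style text of a Zone.Identifier stream.

    Returns the keys of the [ZoneTransfer] section plus 'zone_id' (int or None),
    'zone_name' and 'untrusted' (True for the Internet and Restricted sites zones,
    the ones for which Windows shows the launch warning). Returns None when no
    [ZoneTransfer] section is present.
    """
    in_section, seen, fields = False, False, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "zonetransfer"
            seen = seen or in_section
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            fields[key.strip()] = value.strip()
    if not seen:
        return None
    zone_id = int(fields["ZoneId"]) if fields.get("ZoneId", "").isdigit() else None
    fields["zone_id"] = zone_id
    fields["zone_name"] = ZONE_NAMES.get(zone_id, "Unknown")
    fields["untrusted"] = zone_id in (3, 4)
    return fields


def read_zone_identifier(path):
    """Windows/NTFS only: read and parse a file's Zone.Identifier stream, or None."""
    try:
        with open(os.fspath(path) + ":Zone.Identifier", encoding="utf-8", errors="replace") as fh:
            return parse_zone_identifier(fh.read())
    except OSError:  # no such stream, or not an NTFS volume
        return None
```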

(via Microsoft Switzerland Security Blog - Practical Guide to Alternative Data Streams in NTFS)