In the previous post we dealt with hiding data in an alternate data stream. In this post we will try to detect this hiding.
As shown also in the previous post,
simply using the "DIR" command, does not give any indication that you
may be using alternate data streams.
In addition, using a hex editor does
not show any difference between the original file and the one with the
alternate data stream.
So how do we detect this? Let's try a couple of different tools.
1. Let's first start with the tools that are native to Windows.
If
you remember previously I said you cannot simply use the "DIR" command.
However, if you use "DIR /R" you will be able to find your alternate
data streams. Let's do that.
D:\tmp>dir /R
Volume in drive D is DATA
Volume Serial Number is DE47-DE1A
Directory of D:\tmp
08/11/2014 07:26 PM <DIR> .
08/11/2014 07:26 PM <DIR> ..
08/11/2014 07:26 PM 47 ADS.txt
161,307 ADS.txt:ADS_HIDDEN.txt:$DATA
08/11/2014 07:04 PM 161,307 securityNik.htm
08/11/2014 07:04 PM <DIR> securityNik_files
2 File(s) 161,354 bytes
3 Dir(s) 5,568,835,584 bytes free
Now look at that, we have managed to find our alternate data stream and it's name.
Let's try the "streams" tool from the sysinternals suite.
D:\tmp>streams.exe -s d:\tmp
Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com
d:\tmp\ADS.txt:
:ADS_HIDDEN.txt:$DATA 161307
once again, we see we have data in an alternate data stream.
Let's try one more tool. This one is named LADS.
D:\tmp>lads.exe
LADS - Freeware version 4.10
(C) Copyright 1998-2007 Frank Heyne Software (http://www.heysoft.de)
This program lists files with alternate data streams (ADS)
Use LADS on your own risk!
Scanning directory D:\tmp\
size ADS in file
---------- ---------------------------------
161307 D:\tmp\ADS.txt:ADS_HIDDEN.txt
161307 bytes in 1 ADS listed
Once again, we see that we have an alternate data stream and the path of the file along with its size.
While the this and previous post may be
interesting, alternate data streams is not all that bad. As mentioned
in the "Alternate Data Streams in NTFS" post by John Marlin, Microsoft
uses these for varying reasons by default.
If you would like to see if you have
any alternate data streams on your system (and you more than likely do),
run the following command "C:\>dir /S /R | findstr /i /e $DATA" from
the root of your drive. This will show all the alternate data streams
found.
References:
http://mh-nexus.de/en/hxd/
http://www.heysoft.de/en/software/lads.php?lang=EN
http://technet.microsoft.com/en-ca/sysinternals/bb842062.aspx
http://blogs.technet.com/b/askcore/archive/2013/03/24/alternate-data-streams-in-ntfs.aspx
http://technet.microsoft.com/en-us/library/bb490907.aspx
No comments:
Post a Comment