Wednesday, October 1, 2014

Alternate Data Streams: Hiding data on Windows 8

In today's lab, we will hide data on Windows 8 using the alternate data streams. To begin, let's create a basic .txt file.

D:\tmp>echo "Hey I'm testing the alternate data streams" > ADS.txt

Let's verify the contents of the file and list the directory contents

D:\tmp>type ADS.txt && dir
"Hey I'm testing the alternate data streams"
 Volume in drive D is DATA
 Volume Serial Number is DE47-DE1A

 Directory of D:\tmp

08/11/2014  06:32 PM    <DIR>          .
08/11/2014  06:32 PM    <DIR>          ..
08/11/2014  06:32 PM                47 ADS.txt
               1 File(s)             47 bytes
               2 Dir(s)   5,574,283,264 bytes free

As can be seen the file ADS.txt is 47 bytes in size. 

  
Let's run  this file through "strings"
strings.exe ADS.txt

Strings v2.5
Copyright (C) 1999-2012 Mark Russinovich
Sysinternals - www.sysinternals.com

"Hey I'm testing the alternate data streams"   
  
Let's go ahead and create an alternate data stream. For this we will save a copy of the securitynik.blogspot.ca website to our local system. Once done, let's view the directory once again.
D:\SECURITYNIK>dir
 Volume in drive D is DATA
 Volume Serial Number is DE47-DE1A

 Directory of D:\tmp

08/11/2014  07:05 PM    <DIR>          .
08/11/2014  07:05 PM    <DIR>          ..
08/11/2014  06:32 PM                47 ADS.txt
08/11/2014  07:04 PM           161,307 securityNik.htm
08/11/2014  07:04 PM    <DIR>          securityNik_files
               2 File(s)        161,354 bytes
               3 Dir(s)   5,569,003,520 bytes free


As can be seen above, "securityNik.htm" file is 161,307 bytes.

To create the alternate data stream we do the following.
D:\tmp>type securityNik.htm >> ADS.txt:ADS_HIDDEN.txt

Let's see what has changed with our original file

D:\tmp>dir
 Volume in drive D is DATA
 Volume Serial Number is DE47-DE1A

 Directory of D:\tmp

08/11/2014  07:26 PM    <DIR>          .
08/11/2014  07:26 PM    <DIR>          ..
08/11/2014  07:26 PM                47 ADS.txt
08/11/2014  07:04 PM           161,307 securityNik.htm
08/11/2014  07:04 PM    <DIR>          securityNik_files
               2 File(s)        161,354 bytes
               3 Dir(s)   5,568,835,584 bytes free
  
Doesn't look like much. By simply using the "DIR" command, we are unable to tell that this file is using an alternate data stream.

Let's investigate this in the next post.


References:
http://blogs.technet.com/b/askcore/archive/2013/03/24/alternate-data-streams-in-ntfs.aspx
http://blogs.technet.com/b/askcore/archive/2010/08/25/ntfs-file-attributes.aspx
http://www.bleepingcomputer.com/tutorials/windows-alternate-data-streams/
http://mh-nexus.de/en/hxd/

1 comment: