Alternate Data Streams
Alternate Data Streams (ADS) have been part of Windows since NTFS was introduced. They were designed to provide compatibility with the old Hierarchical File System (HFS) from Macintosh, which uses a feature called resource forks.
In practice, ADS can be used to hide a secret or malicious file inside the file record of an innocent-looking file. When Windows shows you a file, say "readme.txt", the metadata that tells the system where to find "readme.txt" may also carry the data for "EvilSpyware.exe". Malicious files can therefore sit on your system without being visible by normal means.
Legitimate uses of ADS in Windows include:

- Windows Resource Manager leverages ADS to identify high-risk files that shouldn't be accessed.
- The Windows operating system uses ADS to encrypt and store files in a secure manner.
- The Windows Attachment Manager uses ADS as a file scanner. This explains why you sometimes receive a warning when opening a file downloaded from the Internet.
- The SQL Database server uses ADS to maintain database integrity.
- Citrix's virtual memory uses ADS to boost DLL loading speed.
- Anti-virus applications, such as Kaspersky, use ADS to enhance the scanning of files.
Check which streams the file has. This lets us find hidden files. If the file was unzipped, we can see where it came from, and if it has a Zone.Identifier stream, we can find the URL.
A Zone.Identifier stream with ZoneId=3 (the Internet zone) records the URL the file was downloaded from.
If the HostUrl is displayed as about:internet, the file was most likely downloaded through HTML smuggling.
HTML Smuggling:
Traditional Download:
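As an added example (not code from the original page), the following PowerShell lists every non-default stream under a path and parses any Zone.Identifier stream it finds, flagging a HostUrl of about:internet as described above; the script name and its $Path parameter are assumptions.

```powershell
# Added example: ADS triage for files on a local NTFS volume (assumption).
# Usage: .\Get-AdsReport.ps1 -Path C:\Users\alice\Downloads
param(
    [Parameter(Mandatory = $true)][string]$Path   # file or directory to inspect
)

function Get-ZoneInfo {
    param([string]$File)
    # Zone.Identifier is an INI-style stream: [ZoneTransfer], ZoneId=<n>,
    # and, for some browsers, ReferrerUrl= and HostUrl= lines.
    $raw = Get-Content -LiteralPath $File -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $raw) { return $null }

    $info = [ordered]@{ File = $File; ZoneId = $null; HostUrl = $null; ReferrerUrl = $null; Note = '' }
    foreach ($line in $raw) {
        if ($line -match '^(ZoneId|HostUrl|ReferrerUrl)=(.*)$') {
            $info[$Matches[1]] = $Matches[2].Trim()
        }
    }

    # ZoneId 3 is the Internet zone; about:internet as HostUrl means the browser
    # had no real origin URL to record, which is what an HTML-smuggled blob looks like.
    if ($info.HostUrl -eq 'about:internet') {
        $info.Note = 'HostUrl is about:internet: consistent with HTML smuggling'
    } elseif ($info.ZoneId -eq '3' -and -not $info.HostUrl) {
        $info.Note = 'Internet zone but no HostUrl: this browser does not record the origin'
    }
    [pscustomobject]$info
}

Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    # Every file has the unnamed :$DATA stream; anything else is an alternate stream.
    $streams = Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' }
    foreach ($s in $streams) {
        '{0} :{1} ({2} bytes)' -f $_.FullName, $s.Stream, $s.Length
    }
    Get-ZoneInfo -File $_.FullName
}
```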
| Browser | Version | Captures URL in ADS |
|---|---|---|
| Internet Explorer | 11 | No |
| Edge | 42.17134 | Yes |
| Chrome | 68 | Yes |
| Firefox | 61 | No |
| Tor | 7.5.6 | No |