Alternate Data Streams
What is ADS?
Alternate Data Streams (ADS) have been around since the introduction of windows NTFS. They were designed to provide compatibility with the old Hierarchical File System (HFS) from Mac which uses something called resource forks.
Basically, ADS can be used to hide the presence of a secret or malicious file inside the file record of an innocent file. That is, when windows shows you a file, say "readme.txt", the metadata that tells your system where to get "readme.txt" may also contain information for "EvilSpyware.exe". Thus, malicious files may be on your system and you cannot see them using normal means.
Good of ADS
Windows Resource Manager leverages ADS to identify high risk files that shouldn’t be accessed.
The Windows operating system uses ADS to encrypt and store files in a secure manner.
The Windows Attachment Manager uses ADS as a file scanner. This explains why sometimes you receive warnings when you open a file downloaded from the Internet.
The SQL Database server uses ADS to maintain database integrity.
Citrix’s virtual memory uses ADS to boost DLL loading speed.
Anti-virus applications, such as Kaspersky, uses ADS to enhance the scanning of files.
Show ADS Streams
Check to see what streams the files has. We are able to find hidden files with this. If this was unzipped, we can see where it came from. If it has Zone Identifiers, we can find the URL.
Show Zone Identifier
Type 3 Zone Identifiers show the URL the file was downloaded from.
| Browser | Version | Captures URL in ADS |
|---|---|---|
Internet Explorer | 11 | No |
Edge | 42.17134 | Yes |
Chrome | 68 | Yes |
Firefox | 61 | No |
Tor | 7.5.6 | No |
URL Not Showing Up
If the HostURL is displaying as about:internet, it was most likely downloaded through HTML Smuggling.
HTML Smuggling:
Traditional Download:
Read Contents of Stream
Last updated
