{"id":130243,"date":"2009-12-02T09:43:00","date_gmt":"2009-12-02T14:43:00","guid":{"rendered":"tag:blogger.com,1999:blog-7196788127833928948.post-8655084031377360918"},"modified":"2009-12-02T09:43:00","modified_gmt":"2009-12-02T14:43:00","slug":"tutorial-alternate-data-streams-the-forgotten-art-of-information-hiding","status":"publish","type":"post","link":"https:\/\/mereja.media\/index\/130243","title":{"rendered":"Tutorial – Alternate Data Streams: The Forgotten Art of Information Hiding"},"content":{"rendered":"

Alternate Data Streams is a feature of the NTFS filesystem. In essence they were created to provide compatibility with HFS, or the old Macintosh Hierarchical File System. The way that the Macintosh’s file system works is that they will use both data and resource forks to store their contents. The data fork is for the contents of the document while the resource fork is to identify file type and other pertinent details.<\/p>\n

\"\"<\/a>
How do you create an ADS? Wonderfully easy: All you need to do is have the two files, and then send the file to be hidden to the ADS of the host file with a simple type command:<\/p>\n

type file_to_be_hidden> host_file:name_of_file_to_be_hidden<\/p><\/blockquote>\n

The most frequent use of ADS for malicious purposes is to conceal the executable of a trojan\/rootkit as an Alternate Data Stream (ADS) to a perfectly safe file. For instance, once an attacker penetrates a Windows system, he can easily hide the malicious payload for further access into an executable which is fairly frequently used – like Calculator.<\/p>\n

Alternate Data Streams may also be interesting as a mechanism to hide and transport information out of an organization:
Once you include an ADS into a file, there is no visible change in filesize of the host file, only the modified date is changed. This makes it quite difficult to detect the Alternate Streamed file. Also, the ADS file does not change the MD5 hash of the original file, which may prevent systems which control file modification through hashing from detecting the hidden file. Here is an example:<\/p>\n

C:\\Users\\user\\Desktop>md5sum test.txt<\/span>
d41d8cd98f00b204e9800998ecf8427e *test.txt<\/span><\/p>\n

C:\\Users\\user\\Desktop>type image.jpg>test.txt:image.jpg<\/span><\/p>\n

C:\\Users\\user\\Desktop>md<\/span>5sum test.txt<\/span><\/span>
d41d8cd<\/span>98f00b204e9800998ecf<\/span>8427e *test.txt<\/span><\/span><\/p><\/blockquote>\n

One would think that this method of information hiding is great to transfer any amount of information with an inconspicuous carrier file being sent over a network. But there is a catch: most data carriers will ignore the Alternate Data Stream, and here is the summary list:<\/p>\n