File Stegano using ADS

File Stegano using ADS

By ghost | 4706 Reads |

0     0

Alternate Data Streams are a largely unused functionality of the Windows NTFS file system. It was initially implemented for support for Macs HFS. The Macintosh Hierarchical File System consists of both a data fork and a resource fork. The data fork is the part that stores the user’s data while the resource fork stores information about the file such as what application was used to create it and thus should be used to open it. Windows, on the other hand only uses the file’s extension to determine what application it should use to open it.

NTFS uses this Mac support by storing the resource fork portion in a hidden stream. This is the Alternate Data Stream. I am not aware of any other program that uses ADS for any legit purposes, however, I may be wrong. As an FYI, *nix file systems do not support ADS.

Now that the boring stuff is over, lets get into it’s practical hacking application. ADS can be used to hide text, other data such as mp3s or videos, and even executables in the alternate stream of a normal file. It becomes a form of steganography. The cool thing is, the file size does not change. This means that if you put two files side by side, one containing regular data and the other containing the same data plus data hidden in the ADS, the two file sizes will be identical. This is unlike image stegano, where a picture hidden inside another picture will change the file size.

Another great feature is that you can view the file using notepad, Word, a hex editor, etc, and you would have no idea that there was information hidden inside the ADS.

From a Forensic standpoint, the only way to identify files that have info in their ADS is to run Encase, FTK, or a stand-alone ADS scanner like LADS against the files.

Let try it out:

Create a text file that contains Hello World:

C:\>echo “Hello World” > ADS.txt

C:\>more < ADS.txt “Hello World”

Creating some hidden text in the ADS:

C:\>echo “This is an ADS example” > ADS.txt:ads

C:\>more < ADS.txt:ads “This is an ADS example”

As you can see, opening up the file in the normal way will display the normal text. However, if you open up the file and indicate the name of the ads you created after the file name, your ADS stream will open up.

Now, lets hide an executable in a regular text file:

Create a text file with some text

C:\>echo “ADS .exe test” > ADS2.txt

C:\>type ADS2.txt “ADS .exe test”

Lets now hide the calculator executable inside our text file

C:\>type c:\WINDOWS\system32\calc.exe > ADS2.txt:calc.exe

We can now start the calculator using the start command

C:\>start .\ADS2.txt:calc.exe

Yahtzee!!! The calculator pops up! Think about some other types of files you can hide inside a benign text file? There are so many practical uses.

Enjoy the many practical ways you can use this technology on your system or someone else’s ;)