Is the process of modifying an executable file or data stream by adding additional commands.

Understanding Alternate Data Streams

Alternate Data Streams (ADS) is a virtually unknown compatibility feature of New Technology File System (NTFS) that can provide attackers with a method of hiding hacker tools, keyloggers, and so on, on a breached system and then will allow them execution without being detected. You need to be aware that an attacker does not play by any rules. Nothing is off limits when attempting to breach a system. In so doing, attackers have become very adept at hiding their tracks. Why does ADS exist? ADS capabilities were originally designed to allow for compatibility with the Macintosh Hierarchical File System, HFS, where file information is sometimes inserted, or forked into separate resources. ADS is used for legitimate purposes by a variety of programs including the Windows operating system to store file attribute information and for temporary storage. Directories can also support ADS.

Typically the task of copying a root kit or other hacker tools can be tricky with the products that are installed in most environments, but an attacker that knows how to exploit ADS can be successful if proper security measures are not exercised. You should never underestimate the determination of someone that truly wants to breach your system.

A popular method that attackers use for covering their tracks on Windows-based systems is the use of ADS. The use of ADS provides the capability to store one file in another without outwardly changing the appearance, functionality, or size of the original file. The only modification is the file date, which can be changed by freely available utilities. In Figure 4.6 we have two programs listed, NOTEPAD.exe and BADPROGRAM.exe (a sample hacker tool). The figure illustrates the original states of the files. Then we insert the file BADPROGRAM.exe into NOTEPAD.exe by using the following command: type c:\temp\badprogram.exe > c:\temp\notepad.exe:badprogram.exe. Following along in the figure you will notice that the only thing that has changed about the original file NOTEPAD.exe is the file date. At first glance there is really no way to determine if a file is utilizing the ADS feature. Inspecting the file through a command prompt or Windows explorer does not give you any hint that the file has been modified other than the time stamp.

The next line in the figure shows how the inserted program can be executed by entering: start c:\temp\notepad.exe:badprogram.exe. Running Task Manager now reveals that the file is using ADS as shown in Figure 4.7. Older versions of Windows did not show this and the issue of ADS was even more of a concern because damaging processes could then be executed without fear of detection. Only the most robust of intrusion detection systems will be able to identify and warn of files or processes initiated through an ADS. Moving an ADS to another system that supports ADS will keep the ADS file intact; however, if the file is moved to a system that does not support ADS, then the ADS is automatically destroyed.

Alternate data streams

Alternate data streams (ADSs) are an artifact associated with the NTFS file system that have been around since the implementation of NTFS itself. ADSs were originally meant to provide compatibility with the Macintosh Hierarchal File System (HFS), providing the ability to store resource forks for files shared between Windows NT and Mac systems. ADSs have been covered in great detail in other resources [2], but suffice to say, ADSs can be particularly insidious based on how they can be created and used, and the fact that an analyst may be unaware of or unfamiliar with them. Windows systems contain all of the necessary native tools to create and manipulate ADSs, as well as launch executables and scripts “hidden” in ADSs; however, until recently, Windows systems did not contain any native tools for locating arbitrary ADSs created within the file system. By “until recently,” I mean to say that it wasn’t until Vista was released that the “dir” command, used with “/r” switch, could be used to view arbitrary ADSs. There are also a number of third party tools that you can add to your system or toolkit that will allow you to view ADSs, including Frank Heyne’s command line lads.exe (available from heysoft.de), streams.exe (available from Mark Russinovich’s site at Microsoft), and the GUI-based alternatestreamview.exe, available from nirsoft.net. Any of these tools can be run against a mounted image file, but keep in mind these artifacts are specific to NTFS. If the file system of the imaged system is FAT based, there’s really no point in checking for ADSs.

Note

So why are ADSs an issue? Well, there are a number of files on systems; in many cases, thousands of files. Even when an acquired image is loaded into a commercial forensic analysis application (several of which will highlight ADSs in red font), ADSs may not be immediately visible to the analyst without digging within the directory structure. As we’ve mentioned, they’re definitely not easy to detect on the live system, as the native tools for doing so are very limited. Therefore, while ADSs are simple and were never intended for malicious purposes, like anything else, they can be particularly insidious if an analyst or system administrator simply isn’t familiar with them, and doesn’t even know to look for them.

Warning

On September 20, 2011, an interesting post regarding the creation of “stealth ADSs” appeared on the Exploit-Monday.com web site (the post can be found online at http://www.exploit-monday.com/2011/09/stealth-alternate-data-streams-and.html). The post outlines, in part, how to add an ADS to a file, which was first created using specific names (i.e., NUL, CON; part of the device namespace in Windows). These files can be created by appending “\\?\” to the file path. The author of the post found that neither streams.exe (available from Microsoft at http://technet.microsoft.com/en-us/sysinternals/bb897440) nor the use of “dir/r” (command line switch available on Windows starting with Vista) included the capability of detecting ADSs “attached” to these files, unless the file path was specifically prepended with “\\?\.” The blog post also illustrated how Windows Management Instrumentation could be used to launch executables from within these “stealth ADSs,” illustrating the risk associated with this capability. Michael Hale Ligh (also known as “MHL,” one of the coauthors of The Malware Analyst’s Cookbook) quickly followed with a blog post of his own (found online at http://mnin.blogspot.com/2011/09/detecting-stealth-ads-with-sleuth-kit.html) which illustrated the use of tsk_view.exe (see his blog post for a link to the tool) to detect these stealth ADSs.

How Can We Use Alternate Data Streams to Hide Files?

In order to show how we can use ADS to hide files, we will execute the following experiment (tested on Windows® XP, Windows® 7 and 8.1; screenshots in this experiment were taken using Windows® 8.1, XP, and 7). Create a new folder on the C:\ drive and call it ads. Open the command prompt window and change your working directory to C:\ads. Create a text file called outerfile.txt using DOS as shown in Fig. 4.3.

We marked the content of the file with green, echo, and > command DOS instructions to create a file with the specified contents. The output result will be stored in a file named outerfile.txt. This file will be displayed in C:\ads as it is the current working directory as it appears in the CMD command shell window.

Now we want to create the hidden ADS file. We use the same commands to create another text file. The colon is the syntax used to create an ADS file (see Fig. 4.4). Use the dir command to check all files displayed inside the ads folder as shown in Fig. 4.5.

We see only one file, called outerfile.txt, while the other file (ADS file) is hidden.

The file hidden in the ADS cannot be seen using dir or Windows® Explorer. However, if we use the dir command combined with the /R switch we can see the hidden ADS file (see Fig. 4.6).

Notepad® can open the hidden ADS file and display its content (see Fig. 4.7).

Similarly we can copy one file and encapsulate it inside another file using the ADS command as shown in Fig. 4.8.

The Type command is used to copy the myfile.txt content to be included in the alternative stream of outerfile.txt under the name hiddenfile.txt.

You can make ADSs in not only files, but also directories. See Fig. 4.9 for an example.

From the screen in Fig. 4.9 you will notice that in the first line we created a directory in the C:\ root directory called myfolder. In the second line we changed our working directory to C:\myfolder. In the third line we created a hidden text file (hidden.txt) using the colon: and concealed it inside myfolder as a file stream, which is our working directory. Using the DIR command alone does not show the hidden stream associated with the current directory. We should use the /R switch to make it visible.

NTFS Alternate Data Streams

Another interesting feature of the NTFS file system is alternate data streams (ADS), or “ADSs.” ADSs have been part of the NTFS file system since the first version of Windows NT 3.1 and were included for compatibility with the Macintosh Hierarchal File System (HFS). HFS utilized resource forks for maintaining file metadata, and ADSs provided interoperability when moving files from one file system (HFS) to another (NTFS). ADSs are actually an additional stream associated with a file, and while all versions of Windows include a means for creating arbitrary ADSs (some versions of Windows actually create and use specific ADSs), it wasn't until Windows Vista that native functionality became available for viewing arbitrary ADSs. As of Windows Vista, the ‘dir /r’ command would allow an analyst to search for arbitrary ADSs on a live system. However, Windows systems running the NTFS file system have long had the native ability to create and use arbitrary ADSs.

In order to demonstrate how to create an arbitrary ADS, create a new directory called “ads” (via the DOS md or mkdir command, if you like), open a command prompt to or cd to that directory, and type the following command:

C:\ads>echo "this is an ADS" > myfile.txt:ads.txt

If you type the dir command, you'll see that the file “myfile.txt” exists and is zero bytes in size. We just echo'd a string that is 14 bytes in length into a file (apparently), so where did it go? If we use the ‘type’ command to attempt to view the string we just entered into the ADS, on Windows XP we'll get an error message about the syntax of the command. Type the following command:

C:\ads>notepad .\myfile.txt:ads.txt

When the Notepad window opens, we can see the string we typed in . . . where did it come from? The string was stored in the alternate data stream, which is a file but is denoted by the colon in the name. ADSs can be added or attached to files or to directory listings (using a command such as “C:\ads>:ads.txt”).

Some Windows applications will actually employ specific ADSs. With Windows XP Service Pack 2, the Attachment Manager would add an ADS called “Zone.Identifier” to files downloaded via Internet Explorer or as OutLook attachments. These ADSs were usually no more than 26 or 28 bytes in length and simply identified the files as having been downloaded via zone 3. Whenever a user would attempt to open or execute a downloaded file, they would be presented with a warning, asking if they were sure that they wanted to launch the file in question.

ADSs can also be used to “hide” executable content. On many versions of Windows, executable image files (.exe files) can be hidden in and run from ADSs. Not only will Perl run scripts that are “hidden” in ADSs, but Windows Scripting Host files can also be “hidden” in and run from ADSs.

Again, ADSs are artifacts specific to the NTFS file system. Many commercial forensic applications will display ADSs in red within the graphical user interface (GUI) of the application. Dave Roth [6] has published a Perl script named “listdatastreams.pl” that can be used on a live system to locate ADSs. This script uses Dave's Win32::API::Prototype module and relies on native Windows application programming interface (API) functions.

File Streams

Another aspect of NTFS is its use of file streams, also called alternate data streams (ADSs), to store information. This feature was originally designed to increase compatibility with Macintosh systems, but has grown to be used by “bad guys” and developers alike. As previously mentioned (when talking about the $Secure file), Windows makes use of file streams for some of its record keeping, but ADSs can also be used to hide data. A file held in the ADS of another file has no icon of its own and is not displayed to the user by Windows; however, a user can nonetheless still access a file placed in an ADS and even run it directly from the ADS without having to extract it from its hidden location. Following are the very simple command-line strings used to place a file (an executable, in this case) into the ADS of another file and run the secreted file from that location. The result of this operation is the execution of rootkit.exe, even if the original rootkit.exe file has been deleted in Windows Explorer.

type rootkit.exe > c:\windows\notepad.exe:rootkit.exe

start c:\windows\notepad.exe:rootkit.exe

For that reason, contraband or malicious files (such as this rootkit secreted in an ADS by a hacker) are obviously of interest to an examiner.

Tool Feature: Alternate Data Streams

Although most third-party forensic suites will detect these streams as a normal part of the file system (for example, EnCase describes them as “File, stream”), there are other tools that can provide additional assistance. For example, Streams by Mark Russinovich (http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx) or LADS by Frank Heyne Software (www.heysoft.de/en/software/lads.php?lang=EN) can be quite helpful in locating data in ADSs on a booted system as shown in Figure 5.10.

NTFS Alternate Data Streams

Like HFS+, NTFS also has more than one data segment associated with a file, which are called Alternate Data Streams. As mentioned earlier, an NTFS file consists of attributes; the file's data is also an attribute. Most files on NTFS have only one data attribute; however, unlike HFS+ where there are two data streams, NTFS can have many data streams, because each stream is another attribute of the file. There are many reasons that NTFS supports multiple data streams, one of them being to support Macintosh files (resource forks). However, the ability to support multiple data segments in a file has created the perfect hiding place for attackers wanting to hide data on the file system.

To specify a specific data stream in an NTFS file, separate the filename and the name of the stream with a colon. Using an example similar to the preceding one, you can create a new data stream in a file and add some example data, as follows:

Note that the dir command is not aware of the data stream. If the file were opened with Notepad, the data would be visible. Unlike with HFS+, alternate data streams can be added to directories. To specify the stream for the current directory, leave out a filename. For example:

Again, the dir command would not reveal this newly created stream. Alternate data streams for files do not have permissions for themselves. The permissions that apply to the file are the same when an alternate data stream is accessed. The copy commands in Explorer, as well as with the copy command, maintain alternate data streams as long as the files remain on an NTFS file system. If an alternate data stream for a file is altered, the mtime is also altered.

It is possible to put something into NTFS file streams that could easily reside undetected under normal use. Executables or scripts can be hidden inside images and other types of files, and the administrator probably would not know they exist. No known malicious programs have been known to use alternate data streams, but that is not for a lack of demonstration. Proof-of-concept viruses have been written to bring attention to the fact that this characteristic of NTFS files could be abused.

Alternate Data Streams and Rogue Virtual Machines

Running a script like the ones listed in the section “Detecting Rogue Virtual Machines” (Wolf, 2008) may not find the entire rogue VMs. The fact that scripts look for large files is good because it helps identify hidden data, but what about alternate data streams (ADS)? ADSes are possible due to the structural make up of New Technology File System (NTFS) and the Master File Table (MFT). An optional element is file data streams. NTFS supports multiple data streams. A handle can be opened to each data stream. This feature enables you to manage data as a single unit. These additional streams are perfect hiding places for all type of data including VMs. ADS are covered in most forensics training courses and identified by forensic software.

In the article “How to Detect Rogue Virtual Machines on a Network,” Stagner (2007) provides step-by-step instructions for using ADS to hide VMs. We will walk through that process here using a Windows Server 2003 .vhd file. This is to demonstrate how simplistic the process is and also to trigger the investigative part of your mind if you have to search for rogue VMs. The steps described below should be followed:

Create a new virtual machine.

Place the .vhd file into an alternate data stream.

Point the virtual server to the .vhd file.

First, we'll explain how the ADS is created. In our example, the ADS is produced by opening a command prompt and typing: type Windows_Server_2003.vhd > ads-test.txt:Windows_Server_2003.vhd (Figure 7.3).

Figures 7.4 and 7.5 show the directory before and after the ADS file is created.

If you look closely at the after picture, you will notice that the .vhd file is missing. This is because once it is attached to the “ads-test.txt” file it was deleted. As an investigator, upon running into a directory that is missing the .vhd file, which is a vital part of running a VM, additional investigation is warranted. ADS can be contained in any type of file including a folder.

Once the ADS is created, the last step is modifying the configuration file (.vmc). Notice the last line. It shows that there is a file called “Windows_Server_2003.vhd” attached to an alternate data stream in the file ads-test.txt. Figure 7.6 illustrates what the .vhd path looks like in the configuration file (.vmc) when it is altered to account for the hidden data stream.

Now that the path is modified in the configuration file, the virtual machine is ready to use.

As mentioned above, most commercial forensic software will identify ADS. There are also other tools that can be used such as List Alternate Data Streams (LADS) and Streams. An example of the output from Streams is shown in Figure 7.7.

With case loads high and time being of the essence, ADS may be overlooked. Often we concentrate on keyword searches or look at user-generated documents. Since VMs can be hidden with such a simplistic process, it is important that we check for them.

As mentioned previously, searching for VMs based on extension may not lead us to all rogue VMs. Searching something that is a constant in the use of the VM may produce additional results. In Chapter 6, “Investigating Live Virtual Environments,” the collection of running processes was discussed. In our ADS example, we created a Windows Server 2003 virtual server. When run, this product uses the virtual server service, which is identified as vssrvc.exe. This service creates virtual machines and provides all virtual machine functionality. It is used to project the emulated hardware into the virtual machine environment. In Windows Virtual Server 2005, the virtual server service also includes the Virtual Machine Remote Control (VMRC) server, which uses the VMRC Protocol to allow remote VMRC clients to interact with virtual machines. The default port used for VMRC sessions is port 5900. Any number of tools can be used to acquire running processes, such as psservices.exe. In a live investigation, the presence of vssrvc.exe without an identifiable VM will warrant further investigation.

Examine the File System

A rapid review of certain types of files can quickly lead to information related to a malware incident and provide additional context to volatile data that is collected. Specifically, hidden files, alternate data streams, and files in the Recycle Bin. The HFind and SFind67 utilities in the Forensic Toolkit from Foundstone can be used to locate alternate data streams and files that are hidden from the general user by the operating system and can be listed using HFind. Other tools for locating alternate data streams include, LADS, lns, and streams.68

A list of files that have been placed in the Recycle Bin can be obtained by reading the INFO file using a tool like Foundstone's rifutti.69 However, it is advisable to also “dumpster dive” by actually looking at the contents of the Recycle Bin folder for unusual files and folders that were placed there by malware. Examining Kim's laptop we learn that spoolsv.exe manifested as a hidden file, but no relevant files were discovered in the Recycle Bin or in alternate data streams.

When the timeframe of the malware incident is known, metadata for all files created, modified, or accessed during that period can be obtained using the macmatch.exe70 utility. For instance, the following command lists all files created between March 26 and 28.

The Microsoft LogParser program71 can also be used to extract this information, and this tool is described in more detail in Chapter 4.

Inspect Executables

☑ Determine whether any executables on the compromised system exhibit suspicious or unusual characteristics that might be used to conceal their presence.

► Attackers commonly try to make malware more difficult to find and detect, so often digital investigators can look for common concealment techniques by carefully inspecting executables. This inspection can involve looking for misleading file extensions, packed executables, and alternate data streams.

•

Extension renaming: One of the simplest approaches used to conceal executables on a Windows system is to change the extension to something else.

Packing: Modern malware is often encoded (aka packed) to thwart detection and forensic analysis.

Alternate data streams: Look for executables in an ADS of other files or folders.

Examine the File System

☑ A quick review of certain types of files can reveal relevant information and provide additional context to collected volatile data.

► Identify hidden files, alternate data streams, and files in the Recycle Bin.

•

The HFind and SFind53 utilities in the Forensic Toolkit from Foundstone can be used to locate alternate data streams and files that are hidden from the general user by the operating system and can be listed using HFind.

A list of files that have been placed in the Recycle Bin can be obtained by reading the INFO file using a tool like Foundstone's rifiuti.54

Investigative Considerations

•

Also consider acquiring file system metadata relating to file time stamps for additional temporal context.

❒

When the time frame of the malware incident is known, metadata for all files created, modified, or accessed during that period can be obtained using the macmatch.exe55 utility.

❒

For instance, the following command (Figure 1.24) lists all files created between March 26 and 28 in 2010.

Figure 1.24. Using macmatch.exe