Detecting Alternate Data Streams with PowerShell and DOS

Alternate Data Streams (ADS) are nothing new, and there are a few ways to detect them within an NTFS filesystem. My tools of choice for detecting ADS are LADS (List Alternate Data Streams) by Frank Heyne or SysInternals’ Streams… both of which work rather well. My issue, though, is that I, much like the customer, normally want to limit the number of external tools that are added to any of their systems. Microsoft Windows itself gives us two built-in ways to do some detection, and one provides a little more capability than the other. Let’s check them both out.

The DOS way depicted below will recursively search a directory (/s), display alternate data streams (/r), and then filter the output for the string “:$DATA”, which dir appends to every alternate stream it lists.

dir /s /r | find ":$DATA"

The PowerShell way is depicted below. Be advised that the cmdlet used below goes back as far as version 2, but the -Stream option was not available until version 4.

Get-Item -Path C:\users\me\desktop\* -Stream *

If you just executed these commands, you probably noticed that a number of files popped up matching the criteria, and you are beginning to freak out. Calm down and have no fear: Internet Explorer uses ADS on files downloaded from the web to record what zone the file was downloaded from (Internet, Local Intranet, Trusted Sites, or Restricted Sites). Those files will be labeled with “:zone.identifier:$DATA”. It is a good idea to comb through the files with zone identifiers as well. The reason is that a zone identifier looks harmless, but someone could replace the zone data with whatever they want to disguise. If you are doing forensics on the system, the zone identifier could also help build your case by identifying what zone the potentially malicious item was downloaded from (unless someone changed it… a topic best saved for another time). Nonetheless, let’s open a zone identifier stream; to do that, we will use PowerShell as depicted below.

Get-Content -Path C:\users\me\some_file.exe -Stream zone.identifier

What will be returned is something like the below.

[ZoneTransfer]
ZoneId=3

Our example file was downloaded via zone 3, which is the Internet Zone, as depicted in the chart below.

Value   Setting
-----   ---------------------
0       My Computer
1       Local Intranet Zone
2       Trusted sites Zone
3       Internet Zone
4       Restricted Sites Zone
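
The steps above can be combined into one triage pass. The following is an added example, not code from the original post: it walks a directory tree, lists every named stream, and for zone identifier streams reads the contents and maps ZoneId to the chart above. The $Root parameter, the Note wording, and the check for what counts as an expected zone identifier are assumptions made for this example.

```powershell
# Added example: recursive ADS triage. $Root defaults to the post's sample path.
param([string]$Root = 'C:\users\me\desktop')

# Zone values copied from the chart above.
$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local Intranet Zone'
    2 = 'Trusted sites Zone'
    3 = 'Internet Zone'
    4 = 'Restricted Sites Zone'
}

Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
    Where-Object { $_.Stream -ne ':$DATA' } |   # skip the default, unnamed stream
    ForEach-Object {
        $zone = $null
        $note = 'Named stream that is not a zone identifier: review its contents'
        if ($_.Stream -eq 'Zone.Identifier') {   # -eq ignores case
            $text = Get-Content -LiteralPath $_.FileName -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
            # Assumed validity check: [ZoneTransfer] header plus a ZoneId from the chart.
            $valid = $text -match '^\s*\[ZoneTransfer\]' -and $text -match '(?m)^ZoneId=(\d{1,2})\s*$'
            if ($valid -and $ZoneNames.ContainsKey([int]$Matches[1])) {
                $zone = $ZoneNames[[int]$Matches[1]]
                $note = 'Zone identifier in the expected format'
            } else {
                $note = 'Zone identifier stream with unexpected contents: review'
            }
        }
        [pscustomobject]@{
            File   = $_.FileName
            Stream = $_.Stream
            Length = $_.Length
            Zone   = $zone
            Note   = $note
        }
    }
```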