NT Gatekeeper: Understand Alternate Data Streams

I read on an Internet security forum that the NTFS includes a feature that lets you attach hidden information to files. Hidden in this context means that you can't view the information in Windows Explorer. The forum also mentioned that attackers can misuse this feature to hide malicious information or code on a system. What's this feature, and how can I display the hidden data?

The feature is known as NTFS alternate data streams. An NTFS file always includes a default data stream, the $DATA stream, which includes the file's content. Every NTFS file can also have alternate data streams that, as you mention in your question, Windows Explorer can't see and that attackers can therefore use to hide malicious information or code on your system.

The reason Microsoft included the alternate data stream capabilities in the NTFS was to enable a Windows NT system to act as a file server for Macintosh clients. The Mac OS uses a similar feature, resource forks, to store file metadata (e.g., date and time information). To set up an alternate data stream, type

echo top secret > file.txt:stream1

at a command prompt. This command adds an alternate data stream called stream1 to the file.txt file. To display stream1's contents, type

more < file.txt:stream1

at a command prompt. As Figure 4 shows, this command returns the words top secret, the text you attached to the file in the preceding command.

NTFS alternate data streams are definitely dangerous. You don't want a malicious person to hide anything on any of your organization's core systems (e.g., file servers, Web servers, domain controllers—DCs). The first level of protection you should use is the NTFS access control settings. If attackers can't access a file, they can't create alternate data streams. Remember to be cautious with NT's default Everyone: Full Control permission.

If a malicious person manages to bypass the permissions you've set, you'll need special tools to detect the existence of alternate data streams. System-integrity-checking software, such as the Tripwire integrity checker, can detect any changes (e.g., the addition of or changes to alternate data streams) that occur on a system. (More information about the Tripwire software is available from http://www.tripwiresecurity.com.)

To find out whether files have alternate data streams, you can use the Streams command-prompt utility, which is free and available at the Sysinternals Web site (http://www.sysinternals.com/ntw2k/source/misc.shtml#streams). After you've used Streams to discover a stream's name, you can use the commands I explained earlier to see the stream's content. The Streams utility can check individual files or entire trees of folders and subfolders.
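To automate the check the Streams utility performs, here is an added PowerShell example (it is not the column's code nor the Sysinternals tool); it assumes Windows PowerShell 3.0 or later on an NTFS volume, where the -Stream parameters of Get-Item, Get-Content and Set-Content expose the same streams the column creates with echo and reads with more.

```powershell
# Added example, not from the column or from Sysinternals: list every named
# stream except the default :$DATA stream for one file or a whole folder tree.
# Assumes Windows PowerShell 3.0 or later on an NTFS volume.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string]$Path,
        [switch]$ShowContent
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * enumerates all streams on the file, including ':$DATA'
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # Zone.Identifier is the usual "downloaded from the Internet" mark
                    # that browsers add; any other named stream deserves a look.
                    $note = if ($_.Stream -eq 'Zone.Identifier') { 'browser zone mark' } else { 'review' }
                    $entry = [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        Note   = $note
                    }
                    if ($ShowContent) {
                        # Read the stream the same way "more < file:stream" does
                        $content = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -Raw
                        $entry | Add-Member -NotePropertyName Content -NotePropertyValue $content
                    }
                    $entry
                }
        }
}

# Constructed demonstration in a temporary folder, equivalent to the column's
# "echo top secret > file.txt:stream1"
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$target = Join-Path $demo 'file.txt'
Set-Content -LiteralPath $target -Value 'visible text'
Set-Content -LiteralPath $target -Stream 'stream1' -Value 'top secret'
Find-AlternateDataStream -Path $demo -ShowContent | Format-Table -AutoSize
```

Run it against a folder tree on a server to get a table of every file carrying a named stream; streams other than the browser's Zone.Identifier mark are the ones to investigate.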

For more information about alternate data streams, see Mark Russinovich, Internals, "Inside Win2K NTFS, Part 2" (http://www.win2000mag.com, InstantDoc ID 15900) and Eugene Kaspersky and Denis Zenkin, "NTFS Alternate Data Streams" (http://www.win2000mag.com, InstantDoc ID 19878).
