Law Technology News
April 2002
Storage & Security

Destruction May Lurk Behind Your Files

Why you need to know about alternative data streams.

By Troy Dunham

IF YOU haven't heard about Microsoft Corp. Windows' "alternate data streams," you will. At the very least, you will hear about the effects of this little-known feature of the Windows NT/2000/XP operating systems.

All of the Windows NT variants (2000 and XP are upgraded versions of NT) use a technology known as "New Technology File System," or NTFS, as their primary method for storage to hard disk. NTFS has many advantages over other methods of hard disk storage. One such feature, "alternate data streams," allows users and programmers to hide files and applications behind the files that can actually be seen on the disk. The ability to hide files behind other files, however, presents a threat to network security officials, as well as to law enforcement and the legal industry.

Recently, security threats have emerged on several fronts. A large security hole in Microsoft's Internet Information Server allowed hackers using alternate data streams to view the normally hidden source code behind Web pages. With this information, malicious hackers could easily break in and even take control of a Web server.

In Sept. 2000, hackers from the Czech Republic released a virus that infects users' computers by hiding in the alternate data stream of another file. Given these threats, and the fact that the criminal element often seems to lead the way in exploiting security flaws, it is not a stretch to imagine a drug-lord or bookie, for instance, hiding the details of his business behind another file, in an alternate data stream, where he knows that law enforcement is unlikely to look.

Although current industry-standard forensic investigation software does detect alternate data streams, some investigative techniques could actually destroy alternate data streams and the evidence they contain.

Background

In order to understand how this storm came upon us, a little background is necessary. Back in 1990, Microsoft introduced NTFS as the preferred file storage system in its Windows NT product. This was done primarily for two reasons: to provide file-level security and to provide a high level of compatibility between different operating systems, specifically Apple's Macintosh operating system. It is for the latter reason that alternate data streams were incorporated into NTFS.

The Mac OS relies on a similar technology known as "resource forks." Both resource forks and alternate data streams allow users to save additional information about a file in the same place as the file itself. The Mac OS uses resource forks to save the file's own data in the main prong of the fork, while information such as the type of icon to be associated with the file is saved in an alternate prong of the fork.

Alternate data streams perform the same function, but Microsoft went a step further by allowing a virtually unlimited number of alternate data streams to be associated with one file. In this way, computers running Windows NT could act as file servers for Macintosh computers, because all data associated with a file could be stored on the Windows server.

Alternate data streams remained relegated to this relatively obscure role until the Feb. 2000 release of Windows 2000, which introduced methods that allowed both programmers and users greater access to alternate data streams. When Windows 2000 was released, alternate data streams went mainstream. The trend continued with the release of Windows XP.

Perhaps a cause for greater concern is the fact that alternate data streams appear to be poised to become a part of all file systems used in future versions of Windows. Microsoft Knowledge Base Article Q105763 says, "Future file systems will support a model based on OLE 2.0 structured storage (IStream and IStorage). By using OLE 2.0, an application can support multiple streams on any file system and all supported operating systems (Windows, Macintosh, Windows NT, and Win32s), not just Windows NT." (emphasis added).

Microsoft seems to be saying that, while NTFS may disappear, multiple data streams will remain a part of all future operating systems. Further, since Microsoft has combined its business and home Windows editions into one code base under the Windows XP banner, alternate data streams will soon make their way into nearly every Windows computer.

Avoid Detection

How do alternate data streams avoid detection during forensic investigation or virus scanning? Despite the fact that Windows NT, 2000 and XP use slightly different versions of NTFS, all three operating systems handle alternate data streams in substantially the same manner. Every file on an NTFS hard drive contains at least two data streams. When you double-click on a file, the operating system automatically executes the data contained in the "default data stream." (The first alternate data stream contains information such as the file's title, author, and revision number and can only be read by placing a programmatic call from within the operating system.) All other data streams, however, can be written and read by simply separating the file name and the ADS name with a colon (e.g. filename.txt:LOVE-LETTER-FOR-YOU.TXT.vbs).

Unless the existence of an alternate data stream is known, with its exact name and spelling, the alternate data stream remains hidden behind the default data stream. This is why nearly all virus scanners fail to identify files contained within alternate data streams.

By default, most programs never look at the alternate data stream; however, most new programs can be redirected to read the alternate, rather than the default, data stream. When a file that contains an alternate data stream is loaded into an application or executed, the entire file is read into memory. At this point, a properly configured virus scanner could detect a known virus, but it may be too late: the virus may have already infected other files on the computer.
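The enumeration the preceding paragraphs describe can be done directly from the operating system. The following is an added example in Windows PowerShell 3.0 or later (which postdates this article and is not the author's tool or method): it walks a directory, lists every stream other than the default ":$DATA" stream on each file, and flags streams whose name carries a script or executable extension or whose contents begin with "MZ", the signature of a Windows executable. The directory C:\Evidence and the decision to treat Zone.Identifier (the stream Windows attaches to files downloaded from the Internet) as known-benign are assumptions of the example.

```powershell
# Added example, not from the article: enumerate NTFS alternate data streams
# under a directory and flag the ones an investigator should look at first.
# Requires Windows PowerShell 3.0 or later running on an NTFS volume.

function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Stream names Windows itself creates that are normally benign
        # (Zone.Identifier marks files downloaded from the Internet). Assumed list.
        [string[]] $KnownBenign = @('Zone.Identifier')
    )

    # Stream names that end like a script or program deserve a closer look.
    $suspiciousName = '\.(exe|dll|vbs|js|bat|cmd|ps1|scr|com)$'

    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # ':$DATA' is the default (unnamed) stream every file has;
            # anything else is an alternate data stream.
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $name = $_.Stream
                    # Peek at the first line of the stream: a Windows executable
                    # starts with the two characters 'MZ'.
                    $head = Get-Content -LiteralPath $file -Stream $name -TotalCount 1 -ErrorAction SilentlyContinue
                    $looksLikePE = ($head -is [string]) -and $head.StartsWith('MZ')
                    [pscustomobject]@{
                        File        = $file
                        Stream      = $name
                        Bytes       = $_.Length
                        LooksLikePE = $looksLikePE
                        ScriptName  = [bool]($name -match $suspiciousName)
                        KnownBenign = ($KnownBenign -contains $name)
                    }
                }
        }
}

# Usage: list every non-default stream, most interesting first.
# 'C:\Evidence' is a placeholder path.
Find-AlternateDataStream -Path 'C:\Evidence' |
    Sort-Object KnownBenign, @{ Expression = 'LooksLikePE'; Descending = $true } |
    Format-Table -AutoSize
```

The check reads only the first line of each stream, so it is a triage aid, not a substitute for scanning the stream's full contents; a scanner must be pointed at the stream explicitly (file name, colon, stream name) because, as the text explains, the default stream is all that most tools ever open.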

Similarly, even if a low-level search of a suspected criminal's hard drive proves responsive to certain keywords, common practice usually dictates copying the responsive file to another hard drive. If the responsive file is copied to a hard drive without NTFS, the alternate data streams will be stripped away and the evidence lost.
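The loss described above is avoidable if the destination volume is checked before the copy and the stream list is compared afterwards. The following is an added example in Windows PowerShell 3.0 or later, not the author's procedure: it refuses to copy onto anything but NTFS, copies the file, and reports any stream that did not survive. The demonstration at the end builds a harmless test file (plain text in the stream rather than the article's virus); the paths under the temporary directory are placeholders.

```powershell
# Added example, not from the article: copy a responsive file without losing
# its alternate data streams. Windows PowerShell 3.0 or later on Windows.

function Copy-FilePreservingStreams {
    param(
        [Parameter(Mandatory)] [string] $Source,
        # Full destination file path (not a directory).
        [Parameter(Mandatory)] [string] $Destination
    )

    # Only NTFS carries alternate data streams; FAT/exFAT volumes (USB sticks,
    # many external drives) silently drop them, which is the loss the text warns about.
    $root = [System.IO.Path]::GetPathRoot([System.IO.Path]::GetFullPath($Destination))
    $fileSystem = (New-Object System.IO.DriveInfo $root).DriveFormat
    if ($fileSystem -ne 'NTFS') {
        throw "Destination volume $root is $fileSystem, not NTFS; alternate data streams would be lost."
    }

    # Record the stream names before the copy, copy, then compare.
    $before = @(Get-Item -LiteralPath $Source -Stream * | Select-Object -ExpandProperty Stream)
    Copy-Item -LiteralPath $Source -Destination $Destination
    $after  = @(Get-Item -LiteralPath $Destination -Stream * | Select-Object -ExpandProperty Stream)

    # '<=' marks names present in $before but absent from $after.
    $missing = @(Compare-Object -ReferenceObject $before -DifferenceObject $after |
        Where-Object SideIndicator -eq '<=' |
        Select-Object -ExpandProperty InputObject)

    [pscustomobject]@{
        Source        = $Source
        Destination   = $Destination
        StreamsBefore = $before.Count
        StreamsAfter  = $after.Count
        Missing       = $missing
        Preserved     = ($missing.Count -eq 0)
    }
}

# Demonstration with a constructed, harmless test file (placeholder paths).
$test = Join-Path $env:TEMP 'filename.txt'
Set-Content -LiteralPath $test -Value 'visible contents'
Set-Content -LiteralPath $test -Stream 'hidden.txt' -Value 'contents only reachable through the stream'
Copy-FilePreservingStreams -Source $test -Destination (Join-Path $env:TEMP 'filename-copy.txt')
```

Run the demonstration once with a destination on an NTFS volume and once with a path on a FAT-formatted removable drive: the first reports Preserved = True with two streams on both sides, and the second stops at the volume check instead of producing a copy that has quietly lost the stream.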

In my own tests, the latest version of EnCase by Guidance Software easily found keywords contained in an ADS. However, without a thorough technical knowledge of alternate data streams, an investigator may not be able to view the file, or worse, may inadvertently delete it.

Concerns about hidden files are not just scare tactics. You can be affected. For example, I downloaded the original "Love Letter" virus from an FTP site in Denmark. To verify that it was authentic, I scanned it with Norton AntiVirus 2000 using the most recent virus definitions. The program easily identified and repaired the infected file. Even after changing the file extension, the antivirus program was not fooled and identified the infected file.

However, after creating a test file named filename.txt and hiding the virus in an alternate data stream, Norton AntiVirus was no longer able to detect the virus. Perhaps cause for more concern is that, while forensic software is able to find the file in the alternate data stream, the issue may be too new to have a proven standard on how to deal with the technology.

Microsoft has just begun to expand the use of alternate data streams and, as a result, law enforcement needs to develop sophistication in the detection of alternate data streams before criminals exploit their use on a wide scale. Antivirus manufacturers need to implement support for alternate data streams as a standard for any product claiming to support Windows NT/2000/XP or any future operating systems capable of storing alternate data streams.

Troy Dunham is manager of information technology with San Francisco's ZIA Information Analysis Group, Inc., which offers information management and forensic analysis for litigation and regulatory matters. He is a "Microsoft Certified Professional."

© 2002 NLP IP Company. All rights reserved