## Introduction

ADS is an abbreviation of Alternate Data Stream. In the NTFS file system the term designates an MFT entry that carries more than one $DATA attribute. ADS was originally introduced so that a Windows NT file server could store the "resource fork" used by the Macintosh HFS (Hierarchical File System). Since macOS grew out of that lineage, an analogous mechanism (resource forks, today stored as extended attributes) still exists there.

ADS is used in many areas and also turns up in digital forensics CTFs. A solver who does not know what an ADS is cannot even start on such a task.

As mentioned above, a file with an ADS has multiple $DATA streams. A normal file has a single $DATA stream. What happens when a file owns two or more? You might consider various possibilities, but the answer is that several independent bodies of data share one file name: the primary stream is what you see when you open the file, and every additional stream is separate content hidden behind the same name. This may not be intuitive at first sight, so let's find out what information resides there, how to create an ADS, and how such a file differs from a normal one.

> [!HFS has an ADS?]
> In short, HFS does not support ADS, and neither does HFS+. Then why say that ADS was introduced to solve a software compatibility issue?
>
> The answer is not a function named ADS but the function named "resource fork". A resource fork stores a file's main data and its metadata separately. Typically the icon, the file comment and the user attributes used by macOS are kept in the resource fork as metadata.
>
> More about resource forks will be covered in the pages about HFS.

## What is ADS?

Let's start with the timeline. ADS has existed since Windows NT 3.1. Besides the Macintosh compatibility mentioned above, it was used to attach additional data (metadata) such as tags or keywords to a file so that the file could be indexed quickly. That's the short history.

Now a precise definition. In this article, ADS means any $DATA attribute in the MFT entry beyond the first one, i.e. a named $DATA stream stored next to the unnamed default stream.
From this definition we can infer that the first (unnamed) $DATA stream is the file content as intended. But a question arises: "How can we read the second $DATA stream?" By double-clicking the file? No. Opening a file the normal way never brings you to the second $DATA stream. You have to use a command line tool, or a Sysinternals tool such as Streams, to extract the secondary stream. Because of this property, ADS has on occasion been used to hide information or a whole file.

Given that, a file hidden inside another file has a good chance of being malware. Note that anti-virus products such as Windows Defender do scan alternate streams, so an executable hidden this way is not invisible to security tooling. Don't worry too much.

Talking about ADS in the abstract is hard to follow, so let's look at an example.

![[MFTENTRY-ads.png]]

In the image above, two additional $DATA attributes (yellow) follow the first $DATA attribute (red). As mentioned before, there can be "multiple" ADS streams; the number of additional streams is not limited to two. In theory there could be any number of streams, but we know what happens when the attributes no longer fit in the MFT entry: they spill into further records via an $ATTRIBUTE_LIST attribute. (If you don't know what happens, read the articles [[MFT Attribute (1)]] and [[MFT Attribute (2)]].)

### Making an ADS

The next step is creating a file with extra data streams. As mentioned in the introduction, you can use the command line or a Sysinternals tool to read an ADS, and creating one works the same way. We will use `cmd.exe`, the most commonly used command line tool. First create a sample file (this holds the first $DATA stream), then append a colon (`:`) and a stream name to the file name to address an ADS. Words alone may not make this clear, so look at the samples below.
```
:: Format for addressing an ADS: <filename>:<streamname>
:: e.g. test.txt:thisisads

:: Add content to the $DATA streams after the first one:
echo this is my first ads file! > test.txt:ads1
echo this is my second ads file! > test.txt:ads2
```

In this example plain text was given as the content, but the same `>` redirection lets you store another file, such as an image, in an alternate stream. Creating an ADS is simple, and reading it is just as simple. The command

```
dir /r
```

lists every stream of a file, each ADS shown with its full name, in this case `test.txt:ads1:$DATA`. Using that full name you can also retrieve the stream's content.

![[Dirads.png]]

## Experiment & Sample

### Copying across file systems

ADS is supported only on NTFS. When you try to copy a file with an ADS to a different file system, you get a warning: `There is an attribute that couldn't be copied to a new location`

#### NTFS -> FAT

![[Fat.png]]

#### NTFS -> exFAT

![[Exfat.png]]

If you ignore this warning, the ADS is lost. Copying `test.txt`, which has an ADS, to a Linux machine using EXT4 and then copying it back to a Windows machine using NTFS shows that the ADS is gone. (The file was renamed to `testlin.txt` in the process.)

![[ADSFILE-copy.png]]

### ADS Sample : Zone.Identifier

The most commonly found ADS is Zone.Identifier. The Zone.Identifier stream is an artifact (the "Mark of the Web") that tracks the origin of a file downloaded from the internet.
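Before looking at Zone.Identifier in detail, here are the create, list, read and remove steps from the "Making an ADS" section in PowerShell, which is what a Windows administrator or investigator would usually script this in. This is an added example, not code from the original article. It uses the FileSystem provider's `-Stream` parameter and needs an NTFS volume; the file `test.txt` under `%TEMP%`, the stream names `ads1`, `ads2` and `image.png`, and the `Downloads` path are assumptions, and the "image" bytes are constructed in-line so the script runs without any extra files.

```powershell
# Added example, not from the original article. Requires an NTFS volume.
$file = Join-Path $env:TEMP 'test.txt'          # assumed file name
Set-Content -Path $file -Value 'this is the unnamed (primary) $DATA stream'

# Add two named streams. cmd.exe equivalent: echo ... > test.txt:ads1
Set-Content -Path $file -Stream ads1 -Value 'this is my first ads file!'
Set-Content -Path $file -Stream ads2 -Value 'this is my second ads file!'

# Store a whole binary file in a stream (cmd.exe equivalent: type image.png > test.txt:image.png).
# The "image" here is just the constructed PNG magic so nothing external is needed.
$bytes = [byte[]](0x89, 0x50, 0x4E, 0x47, 0x0D, 0x0A, 0x1A, 0x0A)
if ($PSVersionTable.PSVersion.Major -ge 6) {
    Set-Content -Path $file -Stream image.png -Value $bytes -AsByteStream   # PowerShell 7
} else {
    Set-Content -Path $file -Stream image.png -Value $bytes -Encoding Byte  # Windows PowerShell 5.1
}

# Explorer and a plain 'dir' report only the primary stream's size. List every stream explicitly:
# the unnamed stream appears as ':$DATA', the others as ads1, ads2 and image.png (cf. dir /r).
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# Read a named stream. (In cmd.exe 'more < test.txt:ads1' works; plain 'type' does not accept a stream path.)
Get-Content -Path $file -Stream ads1

# The primary stream is untouched: opening the file normally never reveals the extra streams.
Get-Content -Path $file

# Remove one stream without touching the rest of the file, then list what is left.
Remove-Item -Path $file -Stream ads2
(Get-Item -Path $file -Stream *).Stream

# Zone.Identifier, covered next, is just another named stream and shows up the same way
# on anything the browser has downloaded (assumed Downloads path).
Get-Item -Path (Join-Path $env:USERPROFILE 'Downloads\*') -Stream Zone.Identifier -ErrorAction SilentlyContinue |
    Select-Object FileName, Stream, Length
```

`Get-Item -Stream *` is the PowerShell counterpart of `dir /r`. The `Length` of `:$DATA` is the only size Explorer shows, which is why a multi-megabyte payload in a named stream can sit behind what looks like a 40-byte text file.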
**Zone Structure**

| Zone ID | Source | Description |
|---|---|---|
| 0 | Local Machine | Content from the local computer |
| 1 | Local Intranet | Content that came in over the local network |
| 2 | Trusted Sites | Content downloaded from a source marked as trusted |
| 3 | Internet | Content downloaded from the Internet |
| 4 | Restricted Sites | Content downloaded from an untrusted URL |

**Sample**

Original image (https://pixabay.com/photos/seagull-bird-water-bird-plumage-5969760/)

| Browser | ZoneId | ReferrerUrl | HostUrl |
|---|---|---|---|
| Edge | Yes | Yes | Yes |
| Chrome | Yes | Yes | Yes |
| Firefox | Yes | Yes | Yes |
| IE 11 | Yes | No | No |
| Opera | Yes | Yes | Yes |
| Whale | Yes | Yes | Yes |

![[CMD-dir.png]]

![[%E1%84%89%E1%85%B3%E1%84%8F%E1%85%B3%E1%84%85%E1%85%B5%E1%86%AB%E1%84%89%E1%85%A3%E1%86%BA_2023-05-07_%E1%84%8B%E1%85%A9%E1%84%92%E1%85%AE_10.43.36.png]]

Each browser records different information. Most browsers store the URL of the downloaded content (ReferrerUrl and HostUrl), but Internet Explorer 11 stores only the ZoneId. So the absence of the original URL in a file downloaded with IE 11 is not an error.

### ADS Sample : (Malicious Code Execution)

> [!NOTE] To Be Done
> By our investigation, embedding an executable file is a possible option, but there was an issue that the executable file was recognized as a URL in recent versions of Windows.
>
> The exact situation will be investigated and described in this section later.

## Conclusion

ADS is an artifact in which additional data can be hidden, and from which the origin of a downloaded file can be found. Because it derives from the $DATA attribute it could have been covered with the MFT attributes, but it holds data that is invaluable during an investigation, so it was written up in the artifacts section. Looked at more deeply, it is linked to the execution of malware, and the feature can be used for data hiding such as steganography. So if you ever have to handle such a situation, I hope ADS will be one of the leads you analyze.
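The following PowerShell script is an added example and not code from the original article. It serves two passages at once: the Zone.Identifier section above (parsing the stream into ZoneId, ReferrerUrl and HostUrl and naming the zone from the table) and the malware and data-hiding point of the conclusion (sweeping a directory for named streams other than Zone.Identifier and flagging those that begin with the `MZ` executable header). The function names and the `Downloads` directory are assumptions; it needs an NTFS volume.

```powershell
# Added example, not from the original article. Requires an NTFS volume.
# Zone IDs as written into Zone.Identifier (0 is "Local Machine"; 1 to 4 as in the table above).
$ZoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites'; 3 = 'Internet'; 4 = 'Restricted Sites' }

function Get-ZoneIdentifier {
    # Parse a file's Zone.Identifier stream (INI-style "key=value" lines) into one object.
    param([Parameter(Mandatory)][string]$Path)
    $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $stream) { return $null }                      # no Mark of the Web on this file
    $text = Get-Content -LiteralPath $Path -Stream Zone.Identifier -Raw
    $result = [ordered]@{ File = $Path }
    foreach ($line in $text -split "`r?`n") {
        if ($line -match '^\s*(\w+)\s*=\s*(.*)$') { $result[$Matches[1]] = $Matches[2].Trim() }
    }
    # IE 11 writes only ZoneId; ReferrerUrl/HostUrl are simply absent then, not an error.
    if ($result.Contains('ZoneId')) { $result['ZoneName'] = $ZoneNames[[int]$result['ZoneId']] }
    [pscustomobject]$result
}

function Read-StreamHead {
    # First $Count raw bytes of a named stream; the byte-read switch differs between PS 5.1 and 7.
    param([string]$Path, [string]$Stream, [int]$Count = 2)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        [byte[]](Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -TotalCount $Count)
    } else {
        [byte[]](Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -TotalCount $Count)
    }
}

function Find-SuspiciousStreams {
    # Every named stream under $Root that is not the benign Zone.Identifier, with a PE-header check.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
            ForEach-Object {
                $head = Read-StreamHead -Path $_.FileName -Stream $_.Stream
                [pscustomobject]@{
                    File   = $_.FileName
                    Stream = $_.Stream
                    Length = $_.Length
                    IsPE   = ($head.Length -ge 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)   # 'MZ'
                }
            }
    }
}

# Usage with assumed paths: where did the files in Downloads come from, and does anything
# there carry a hidden executable in a named stream?
$downloads = Join-Path $env:USERPROFILE 'Downloads'
Get-ChildItem -LiteralPath $downloads -File |
    ForEach-Object { Get-ZoneIdentifier -Path $_.FullName } |
    Where-Object { $_ } |
    Format-Table File, ZoneId, ZoneName, ReferrerUrl, HostUrl -AutoSize

Find-SuspiciousStreams -Root $downloads | Where-Object { $_.IsPE } | Format-Table -AutoSize
```

`Get-Content -Raw` decodes the stream as text, which is fine for Zone.Identifier but not for binary payloads, hence the separate byte reader. The `MZ` check is only quick triage: a payload can just as well be stored encoded, compressed or as a script, so in an investigation every named stream that is not Zone.Identifier deserves a look, and the sweep excludes only that one benign stream explicitly.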