Monday, June 30, 2008

Greyhat Zone: Invisible files in NTFS? Alternate Data Streams explained


For those who use Windows, NTFS is a common knowledge subject. It is a revolutionary file system that supports file security, compression and encryption, among other things. Yet there is a little-known "feature" in NTFS that has profound uses (or abuses). It can almost completely hide data from the user, and possibly from some virus scanners and backup utilities. No, I'm not talking about the "Hidden files" attribute, which is easily defeated. In contrast to that attribute, this method is so secretive in nature that unless you were performing computer forensics, you would most likely never notice its existence.

I'm talking about Alternate Data Streams (or ADS). To keep your interest, let's try a simple demonstration.

Windows XP (And Vista):
  1. Start >> Run... (If you don't have Run on your Vista button menu, you can enable it by following this tutorial)
  2. Type in: notepad "%HOMEPATH%\Desktop\test.txt:ADS"
  3. When asked if you want to create a new file, click Yes
  4. In the notepad, type "This is a test of NTFS's Alternate Data Stream feature"
  5. Save the file, don't change file type or file name information, and then close notepad.
  6. As you may have guessed, we have now created a file named "test.txt" on your Desktop. Try opening it now. The text is gone!
  7. Right click the file, and check its properties. The file should have zero file size!
  8. Double click test.txt on your desktop again to edit it, and add some text (this will be used later)
Now I know what you're thinking: "Tim, all you did was make me lose a line of text; I've lost entire hard drives' worth of data. That's nothing special!" Hold on, the text isn't lost. Let me explain a little more about what ADS is and how it works.

For quite some time, Apple's HFS and several other file systems, such as ZFS, have supported what is known as a filesystem fork. A filesystem fork was (and still is) generally used to store metadata about the files they were attached to. In NTFS, ADS is used much the same way, with some rather interesting effects.

For example, let's say you download an executable from a website in Internet Explorer. If you're running Windows XP SP2, Internet Explorer adds zone information into an alternate stream of the executable. This lets Windows mysteriously identify which executables were downloaded from the internet, as opposed to copied onto the hard drive from a CD or other media. In short, if you've ever seen this:

[Screenshot: the Windows security warning shown when running an executable downloaded from the internet]

Then you've experienced a use of ADS. Windows XP and Vista both use Zone Information stored in alternate data streams to determine if the executable was downloaded from a "Trusted Site" or publisher, and if it can't verify the source as trusted, it pops up this message. Also, you'll see an option to "Unblock" this executable if you bring up the file's properties, along with an explanation stating that the file is from an outside source. Clicking Unblock will delete the zone data in the alternate stream of the file, preventing the warning seen above.

[Screenshot: the file's Properties dialog with the Unblock option]

So how do you access an ADS? Let's go back to that test file again.

Windows XP (And Vista):

  1. Start >> Run...
  2. The previously run command should be in the box already. If not, type notepad "%HOMEPATH%\Desktop\test.txt:ADS"
  3. If done correctly, this'll open up the test.txt:ADS file, and prove that the line of text we typed earlier still exists!
Strangely enough, although the properties of a file with an ADS will not show the size of the ADS, it will update the original file's "Modified: " field whenever the ADS is modified. Also, the amount of "Used Space" on your drive will change to reflect the presence of ADS (After all, even if it's invisible in the file properties, it still must use some disk space). NTFS permissions that are set on the test.txt file will also apply to the ADS, so removing all permissions on test.txt will deny access to both.

So how is the ADS attached to the main file? Well, according to Microsoft (in this article), whenever a file is created, a default unnamed stream is made to store all the data being entered into a file while it is open. Besides this default unnamed stream, additional alternate ones can be created (ADS). Each stream ends with an End of File (EOF) marker, after which the next stream begins.

While it may be apparent that this is a security issue in itself, even more devious is the fact that ADS can be used to store an executable in an alternate data stream of, for example, a text file. Doing this from the command line (really the only way) looks something like:

C:\> type test.exe > test.txt:secret.exe

Followed by this command to run it:

C:\> start .\test.txt:secret.exe

This could easily be used to hide all kinds of nasty malware on a machine. For the most part though, the risk is relatively low, so long as you can trust those who use your machine (or machines). Since ADS is an NTFS feature (and not likely to be transferable even between other filesystems that support ADS), an ADS will be lost when the file is transferred to another remote location, unless the software making the transfer is aware of ADS data. Additionally, if you're concerned that ADS may be a problem on your computer, Sysinternals has a very useful program called Streams that can be used to find alternate data streams. Alternatively, Windows Vista has an updated dir command that shows the presence of alternate streams when you specify the /R switch.
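As an added example (my own code, not part of the original post or any Microsoft or Sysinternals tool), here is a small Python script that turns the two defensive ideas above into a check: it parses dir /R output to list every alternate stream, flags anything other than the Zone.Identifier stream that Internet Explorer writes, and reads the ZoneId out of that stream's content. The dir /R sample and the Zone.Identifier text are constructed for the demo; the "name:stream:$DATA" listing format and the [ZoneTransfer] / ZoneId convention are assumed from Windows behaviour, not from the post.

```python
import re

# Constructed sample of "dir /R" output (Vista and later) for the Desktop used in the post.
# Stream lines carry no date, only a size and "file:stream:$DATA".
SAMPLE_DIR_R = """\
 Directory of C:\\Users\\tim\\Desktop

06/30/2008  09:12 AM    <DIR>          .
06/30/2008  09:12 AM    <DIR>          ..
06/30/2008  09:12 AM                17 test.txt
                                    58 test.txt:ADS:$DATA
                                 40960 test.txt:secret.exe:$DATA
06/30/2008  08:40 AM            102400 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               2 File(s)         102417 bytes
"""

# Constructed content of a Zone.Identifier stream (ini-style, as IE writes it; assumed format).
SAMPLE_ZONE_STREAM = "[ZoneTransfer]\r\nZoneId=3\r\n"

# Only stream lines start with whitespace followed by a size and a "file:stream:$DATA" name.
STREAM_RE = re.compile(r"^\s+(\d[\d,]*)\s+(.+?):([^:]+):\$DATA\s*$")

# URL security zone ids as used by Internet Explorer (assumed mapping).
ZONE_NAMES = {0: "Local machine", 1: "Local intranet", 2: "Trusted sites",
              3: "Internet", 4: "Restricted sites"}


def find_streams(dir_output):
    """Return (file, stream, size) for every alternate data stream listed by dir /R."""
    found = []
    for line in dir_output.splitlines():
        m = STREAM_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            found.append((m.group(2), m.group(3), size))
    return found


def triage(dir_output):
    """Zone.Identifier is expected on downloaded files; any other stream deserves a look."""
    return [(f, s, n) for f, s, n in find_streams(dir_output) if s != "Zone.Identifier"]


def parse_zone_id(text):
    """Return the ZoneId from [ZoneTransfer] content, or None if the section/key is absent."""
    in_section = False
    for line in text.splitlines():
        line = line.strip()
        if line.lower() == "[zonetransfer]":
            in_section = True
        elif line.startswith("["):
            in_section = False
        elif in_section and line.lower().startswith("zoneid="):
            return int(line.split("=", 1)[1])
    return None
```

On a real box, feed find_streams() the captured output of "dir /R" and parse_zone_id() the text of "more < file.exe:Zone.Identifier" to reproduce the check.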

Friday, June 13, 2008

Intel: The Next Generation

We've all had some experience with Intel's amazing Core 2 micro-architecture in one way or another, whether it's the latest Intel Centrino processors used in our brand new laptops, or our Intel Core 2 Quad Extreme gaming box (You know, the one that would make an environmentalist cry if you told them the amount of power you were consuming per hour?) But in the coming year, Intel will blow Core 2 out of the water with their new architecture, code named Nehalem.

When the Core 2 Duo was first introduced in July of 2006, Intel was quick to claim that it provided a 40% gain in performance over the Pentium D line of processors, while using 40% less power. However, even with the clear advantages of Core 2's architecture, AMD threatened with a supposedly more powerful processor: Phenom. As many of AMD's fans will tell you, Phenom is the first "true" quad-core CPU, as it uses the same wafer for all four cores. This differs from Intel in that Core 2 Quads use more than one wafer to house their multiple cores. Additionally, AMD themselves released a video criticizing Intel's use of a Front Side Bus in its processors, a technology that has been used long past its expiration date. Despite the differences in technology used, Core 2 processors still vastly outperform virtually any processor AMD has on the market today.

To solidify their lead, Intel is pushing out the successor to Core 2 in the second half of this year, around the same time that AMD is positioned to release their newest Phenom processors. Unfortunately for AMD, Nehalem is most likely to be vastly superior to any Phenom processor, and here's why:

  • Nehalem will abandon the FSB. In its place will be QuickPath, Intel's version of AMD's HyperTransport system
  • 2 to 8 cores (Possibly more; source: Wikipedia article)
  • DDR3 RAM (Although AMD's Phenom will have this too)
  • HyperThreading returns! That's right, your OctoCore CPU will have 16 threads logically. I wonder how that'll look in Task Manager?
  • AMD's monolithic argument is no more; all cores will now be manufactured on the same wafer.
  • 45 nm manufacturing process
AnandTech recently reviewed an early version of Nehalem, and had this to say:

"We've been told to expect a 20 - 30% overall advantage over Penryn and it looks like Intel is on track to delivering just that in Q4. At 2.66GHz, Nehalem is already faster than the fastest 3.2GHz Penryns on the market today. At 3.2GHz, I'd feel comfortable calling it baby Skulltrail in all but the most heavily threaded benchmarks. This thing is fast and this is on a very early platform, keep in mind that Nehalem doesn't launch until Q4 of this year."
It's clear that Intel has learned from AMD, and is now giving them a run for their money. Though the future of AMD is now uncertain, and Intel's has most likely been cemented, there is only one inevitability to speak of: I'm buying my first HyperThreaded OctoCore Nehalem processor the moment it's available.

Thursday, June 12, 2008

Yavapai College CNT Blog!

Hello students! Welcome to Yavapai College's Computer Networking Technology blog. Many of you already know me, but for those who don't, I'm Tim Snowberger. I work as the lab assistant for Yavapai College's CNT140 - 170 CCNA courses, and as the web / system admin for the yccnt.org website.

I'm going to be updating this blog as often as I possibly can with very valuable tips and tricks for the network technology environment, as well as keeping you up to date with the latest in technology (Believe me, I've got some good stuff you're going to want to read!) I will also throw in some tutorials here and there on various things. Through the magic of blogging, you'll have a chance to ask questions or praise your favorite content so that we may provide more like it.

Don't be afraid to participate!