How do you detect changes in individual NTFS Alternate Data Streams?

Monday, October 12, 2009
By brian

Since its introduction in 1993, NTFS has become quite prevalent in Windows environments, especially in the Enterprise. More background info on ADS:

For example, if you are running a Citrix server and your ADS detection tool finds a whole bunch of data hidden inside legitimate executables, don’t panic just yet. Read the Citrix documentation on their virtual memory optimization feature:

Changes to the file’s content (the main data stream) will result in a different checksum: a new checksum can be calculated and compared to the stored original. Various algorithms are used to accomplish this:

To confirm for yourself, take a cursor file from a Windows XP Pro SP3 system,

   c:\windows\Cursors\arrow_n.cur

and then:

  • confirm that it has an ADS in it, using NirSoft’s AlternateStreamView utility (see link #2 in the “Tools” section above);

  • save the original file in a test directory as “WITH_ads.cur”;

  • make a copy of the original in the same directory, remove the ADS from it using NirSoft’s utility, and save it as “without_ADS.cur”;

  • run your favorite checksum calculating utilities against those two files and confirm that both have the SAME checksum, even though one of them has an ADS in it.

These are the screenshots from the tests with various MD5 utilities:

“There are no file times associated with a stream. The file times for a file are updated when any stream in a file is updated.”

Now what? How do I monitor changes in ADS?

  • Simply detecting ADS is not good enough, and manually exporting ADS into separate files for further analysis is time consuming.

It seems to me that it would make sense to create a checksum of the file’s content AS WELL as any and all Alternate Data Streams.

Unfortunately, as the test above shows, most utilities only calculate checksums of the main data stream, not the alternate ones.
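One way to get the checksum the post is asking for, covering the main stream and every ADS and then diffing two runs, as an added PowerShell example written for this post (not the author’s own tool). It assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume; the function names, the temp-directory demo files and the stream name “extra” are constructed for illustration.

```powershell
# Added example (not from the post): hash the main stream AND every ADS of a file,
# then diff two runs. Assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume.
function Get-StreamHashes {
    param([Parameter(Mandatory)][string]$Path, [string]$Algorithm = 'SHA256')
    $hasher  = [System.Security.Cryptography.HashAlgorithm]::Create($Algorithm)
    $useCore = $PSVersionTable.PSVersion.Major -ge 6   # byte-read syntax differs by version
    # Get-Item -Stream * lists ':$DATA' (the main stream) plus every alternate stream
    foreach ($s in Get-Item -LiteralPath $Path -Stream *) {
        if ($useCore) {
            $bytes = Get-Content -LiteralPath $Path -Stream $s.Stream -AsByteStream -ReadCount 0
        } else {
            $bytes = Get-Content -LiteralPath $Path -Stream $s.Stream -Encoding Byte -ReadCount 0
        }
        if ($null -eq $bytes) { $bytes = [byte[]]@() }   # an empty stream still gets a hash
        $hex = ([System.BitConverter]::ToString($hasher.ComputeHash([byte[]]$bytes))) -replace '-', ''
        [pscustomobject]@{ Path = $Path; Stream = $s.Stream; Length = $s.Length; Algorithm = $Algorithm; Hash = $hex }
    }
}

function Compare-StreamHashes {
    # Report streams that appeared, disappeared or changed between a baseline and a new run
    param([object[]]$Baseline, [object[]]$Current)
    $old = @{}; foreach ($r in $Baseline) { $old["$($r.Path)|$($r.Stream)"] = $r.Hash }
    $new = @{}; foreach ($r in $Current)  { $new["$($r.Path)|$($r.Stream)"] = $r.Hash }
    foreach ($k in $new.Keys) {
        if (-not $old.ContainsKey($k))  { "ADDED   $k" }
        elseif ($old[$k] -ne $new[$k])  { "CHANGED $k" }
    }
    foreach ($k in $old.Keys) { if (-not $new.ContainsKey($k)) { "REMOVED $k" } }
}

# Constructed demo: two files with identical main content; only one carries an ADS.
$dir = Join-Path $env:TEMP 'ads_demo'; New-Item -ItemType Directory -Path $dir -Force | Out-Null
$a = Join-Path $dir 'with_ads.txt'; $b = Join-Path $dir 'without_ads.txt'
Set-Content -LiteralPath $a -Value 'same main content'
Set-Content -LiteralPath $b -Value 'same main content'
Set-Content -LiteralPath $a -Stream 'extra' -Value 'data only visible in the ADS'
# The ':$DATA' hashes of both files match (which is all an MD5-style tool reports);
# the 'extra' stream and its hash show up only for with_ads.txt
$a, $b | ForEach-Object { Get-StreamHashes -Path $_ } | Format-Table Path, Stream, Length, Hash -AutoSize

# Baseline the file, touch only the ADS, and diff: the main stream is unchanged, the ADS is flagged
$baseline = Get-StreamHashes -Path $a
Set-Content -LiteralPath $a -Stream 'extra' -Value 'modified ADS content'
Compare-StreamHashes -Baseline $baseline -Current (Get-StreamHashes -Path $a)   # CHANGED <path>|extra
```

To baseline a whole tree, pipe `Get-ChildItem -File -Recurse` through `Get-StreamHashes`, `Export-Csv` the result, and feed `Import-Csv` of that file as the baseline on the next run.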

Please comment if you know this last statement to be untrue.


One Response to “How do you detect changes in individual NTFS Alternate Data Streams?”

  1. brian

    When you’re too lazy or too cheap to get the proper tools to get the job done, write your own! :)

    Back to the basics. C++, that is.

    So far, SHA-512 takes 4.5 times as long as MD5…

    I’m guessing I’ll end up dropping down to SHA-256 but enumerating all ADS streams, not just the basic files and directories.

