000033315 - What are Alternate Data Streams for RSA NetWitness Endpoint?

Document created by RSA Customer Support Employee on Sep 26, 2016. Last modified by RSA Customer Support Employee on Apr 22, 2017.
Version 3

Article Content

Article Number: 000033315
Applies To: RSA Product Set: ECAT, NetWitness Endpoint
RSA Version/Condition: 4.x
Issue: There is an IOC, "Executable in ADS", built to detect a file that was created with, or appended to by, an Alternate Data Stream (ADS).
The downloaded file does not contain the ADS data.
Cause: The ADS data is "hidden", that is, not viewable when only the name of the file is specified.
The Alternate Data Stream (ADS) is a little-known feature of the NTFS file system.
The link below provides a good overview of how it works.
This ADS was implemented in order to allow compatibility with the Macintosh Hierarchical File System (HFS).
The Macintosh file system stores its data in two parts, the resource fork and the data fork.
The data fork is where the data is actually contained and the resource fork is used to tell the operating system how to use the data portion.
In Windows, ADS allows hidden files to be attached to a visible file name.
Below is an example of how to create an empty visible file (ADS_File.txt) with a hidden ADS $DATA stream, and then how to use the streams.exe program to show that stream.
[User-added image: screenshot of the example described above]
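The scenario the article describes, reconstructed in PowerShell as an added illustration (this is not the article's own screenshot or RSA code): an empty visible ADS_File.txt carrying a hidden stream, a read by file name that returns nothing (the behaviour behind the Issue above), and an enumeration of the file's streams equivalent to what streams.exe shows. The stream name 'hidden', the stream contents and the streams.exe invocation are assumptions.

```powershell
# Added example, not from the RSA article. Requires Windows, NTFS and PowerShell 3.0+.
$path = Join-Path $env:TEMP 'ADS_File.txt'

# 1. Create an empty visible file; its content is the unnamed default ::$DATA stream.
New-Item -Path $path -ItemType File -Force | Out-Null

# 2. Attach a named alternate stream (stream name and text are constructed samples).
Set-Content -Path $path -Stream 'hidden' -Value 'text stored only in the ADS'

# 3. Referencing the file by name alone reaches only the default stream, so the
#    file appears empty, exactly like the downloaded file in the Issue section.
'Default stream length: {0} bytes' -f (Get-Item -Path $path).Length

# 4. Enumerate every stream the file carries (what streams.exe reports).
Get-Item -Path $path -Stream * |
    Select-Object FileName, Stream, Length |
    Format-Table -AutoSize

# 5. The hidden data is only reachable when the stream is named explicitly.
Get-Content -Path $path -Stream 'hidden'

# 6. Triage helper: list every file under a root that carries a stream other than
#    the default :$DATA. Note that Zone.Identifier (the mark-of-the-web written on
#    downloaded files) is a common benign hit and usually warrants a filter of its own.
function Get-FilesWithAds {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        Select-Object FileName, Stream, Length
}
Get-FilesWithAds -Root $env:TEMP | Where-Object { $_.FileName -eq $path }

# Equivalent check with the Sysinternals utility (assumes streams.exe is on PATH):
# streams.exe -accepteula $path

# Clean up the sample file, which removes its alternate streams as well.
Remove-Item -Path $path -Force
```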
Resolution: A very good blog that provides an overview, and explains how to read the streams using the Microsoft Sysinternals utility STREAMS.exe, is linked below.
Workaround: There is no method to disable Alternate Data Streams (ADS) short of no longer using the NTFS file system.