|Applies To||RSA Product Set: ECAT, NetWitness Endpoint; RSA Version/Condition: 4.x|
|Issue||There is an IOC, "Executable in ADS", built to detect a file created with, or appended to by, an Alternate Data Stream (ADS). The downloaded file does not contain the ADS data.|
|Cause||Data in an alternate stream is "hidden": it is not visible when the file is opened by its file name alone, so it is not retrieved along with the file. The Alternate Data Stream (ADS) is a little-known feature of the NTFS file system; the link below provides a good overview of how it works. ADS was implemented to allow compatibility with the Macintosh Hierarchical File System (HFS). The Macintosh file system stores its data in two parts, the resource fork and the data fork: the data fork is where the data is actually contained, and the resource fork tells the operating system how to use the data portion. In Windows, ADS allows hidden streams of data to be attached to a visible file name. Below is an example of how to create an empty visible file (ADS_File.txt) with a hidden ADS $DATA stream, and of how to use the streams.exe program to show the ADS stream.|
|Resolution||A very good blog that provides an overview, including how to read streams using the Microsoft Sysinternals utility "STREAMS.exe", is linked below.|
|Workaround||There is no method to disable Alternate Data Streams (ADS) unless one stops using the NTFS file system.|
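The following PowerShell script is an added example, not part of the RSA knowledge base article and not RSA or Sysinternals code. It reproduces the situation the article describes on a scratch file (an empty visible ADS_File.txt carrying hidden streams; the file, folder and stream names "hidden" and "sample-pe" are assumptions chosen for the demo), shows that opening the file by name alone yields an empty main stream, and then enumerates every alternate stream under a folder and flags those whose first two bytes are the PE "MZ" header, which is the condition the "Executable in ADS" IOC is looking for. It uses only the NTFS provider's built-in `-Stream` support, so it runs without streams.exe.

```powershell
# Added example (not from the RSA KB article): create a harmless test file with
# alternate data streams, then enumerate and inspect streams the way a defender
# would when triaging an "Executable in ADS" hit. File, folder and stream names
# are assumptions for this demo. Requires an NTFS volume and PowerShell 5.1+.

# Helper: read the first $Count bytes of a named stream on both Windows PowerShell
# 5.1 (-Encoding Byte) and PowerShell 7 (-AsByteStream).
function Get-StreamHeaderBytes {
    param([string]$Path, [string]$Stream, [int]$Count = 2)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        return [byte[]](Get-Content -Path $Path -Stream $Stream -AsByteStream -TotalCount $Count)
    }
    return [byte[]](Get-Content -Path $Path -Stream $Stream -Encoding Byte -TotalCount $Count)
}

# Enumerate every stream of every file under $Root and report the alternate ones.
# ':$DATA' is the unnamed (main) stream every NTFS file has; anything else is an ADS.
# A stream starting with "MZ" (0x4D 0x5A) looks like a PE image, i.e. an executable.
function Find-AlternateDataStreams {
    param([string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -Force | ForEach-Object {
        $file = $_.FullName
        Get-Item -Path $file -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $hdr  = Get-StreamHeaderBytes -Path $file -Stream $_.Stream
                $isPe = ($hdr.Length -ge 2 -and $hdr[0] -eq 0x4D -and $hdr[1] -eq 0x5A)
                [pscustomobject]@{
                    File        = $file
                    Stream      = $_.Stream
                    Length      = $_.Length
                    LooksLikePE = $isPe
                }
            }
    }
}

# --- Demo on a scratch folder (constructed sample data) ----------------------
$dir = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$visible = Join-Path $dir 'ADS_File.txt'

# 1. Empty visible file: a directory listing reports it as 0 bytes.
New-Item -ItemType File -Path $visible -Force | Out-Null

# 2. Attach a text stream named "hidden" (constructed sample content).
Set-Content -Path $visible -Stream 'hidden' -Value 'constructed sample text in an ADS'

# 3. Attach a second stream whose first bytes are the PE "MZ" signature so the
#    detector has something to flag. These are just two bytes, not a real executable.
$mz = [byte[]](0x4D, 0x5A)
if ($PSVersionTable.PSVersion.Major -ge 6) {
    Set-Content -Path $visible -Stream 'sample-pe' -Value $mz -AsByteStream
} else {
    Set-Content -Path $visible -Stream 'sample-pe' -Value $mz -Encoding Byte
}

# Opening the file by name alone sees only the main stream: Length is still 0 and
# Get-Content returns nothing. This is why a copy retrieved by file name lacks the ADS.
"Main stream length of ADS_File.txt: $((Get-Item $visible).Length)"

# The alternate streams are there when asked for by name or enumerated with -Stream *.
"Content of the 'hidden' stream: $(Get-Content -Path $visible -Stream 'hidden')"
Find-AlternateDataStreams -Root $dir | Format-Table -AutoSize

# Cleanup: individual streams can be dropped with Remove-Item -Stream; here the
# whole scratch folder is removed.
Remove-Item -Path $dir -Recurse -Force
```

Run it in an elevated or regular PowerShell session on an NTFS volume; the table printed by `Find-AlternateDataStreams` lists the `hidden` stream with `LooksLikePE` false and the `sample-pe` stream with `LooksLikePE` true, while the reported main-stream length stays 0. The same enumeration can be done with the Sysinternals tool the article mentions (`streams.exe -s <folder>` lists streams recursively), but the built-in provider gives the stream contents as well, which is what an analyst needs to decide whether a flagged stream really holds an executable.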