Alternate Data Streams, DFIR and Mark Of The Web

Enter the Rabbit Hole

During an investigation, we came across Microsoft Defender correlating a file to a certain site. We did not, however, find any network connections or telemetry showing any connection to this site.
What we found was that the infected file had been moved from a thumb drive onto the local disk. Why, then, did MDE link the file to this particular FQDN?
The answer was that the Defender portal showed us information pertaining to MotW and the origin of the file.

What I wanted to find out

What I wanted to find out was

  • What are Alternate Data Streams (where MotW resides)?
  • How can I use this in DFIR?
  • With a focus on Autopsy and KAPE: are there any modules/plugins readily available to gather this information?
  • Can this information be found using Microsoft Defender Advanced Hunting?

Summary

What I found is nothing revolutionary, of course:

  • Although ADS can be used to hide data, it remains an NTFS metadata artefact whose primary application within digital forensics pertains to Zone.Identifier.
  • Output from the USN Journal and the Master File Table contains data regarding ADS, which is easy to find because of the naming conventions.
  • ADS artefacts are easily analysed using both cmd and PowerShell, although tools such as Sysinternals Streams also exist.
  • Microsoft Defender Advanced Hunting has three fields, FileOriginIP, FileOriginReferrerUrl and FileOriginUrl, within the DeviceFileEvents table that contain information pertaining to Zone.Identifier.
    I did not, however, find any way to retrieve file information for alternate data streams other than Zone.Identifier.

Alternate Data Stream

What is it?

An Alternate Data Stream, or ADS, is metadata attached to a file within an NTFS file system.
This information is, however, lost when the file is moved to a different file system (such as FAT, ext4, etc.) or moved using an application that is not ADS-aware.
The Alternate Data Stream was originally used for interoperability with Mac OS, but has since served to attach additional data and information to files, including metadata and the zone identifier.
More information about NTFS streams can be found in Microsoft's documentation here.

How are the bad guys using ADS?

They can hide data, malware and the like in an alternate data stream.
It is, however, worth noting that ADS is nothing new, and many AV vendors know to scan ADS as well as the main data stream of a file. The following blog post at ThreatSpike outlines this quite well.

In most cases, ADS will come up as a defence mechanism and as a forensic artefact showing the origin of a file.

How do the defenders use it?

By handling files carrying the "Mark of the Web" accordingly, meaning that applications will treat a file differently depending on which security zone it was downloaded from.
For instance, Windows will, depending on the context, warn users who are about to open files or execute binaries from the Internet. Microsoft Office documents with MotW are opened in Protected mode, adding another layer of security.
We can also see it in the properties of the file: "This file came from another computer and might be blocked to help protect this computer".

Common Alternate Data Streams

Microsoft's Open Specifications for File System Control Codes outline a few known alternate stream names, one of which is "Zone.Identifier", which is used for storage of URL security zones.
This ADS records the zone a file originated from; in this case, ZoneId 3, a.k.a. Internet.

Other zones are:

Zone 0 – Local Machine zone
Zone 1 – Local intranet
Zone 2 – Trusted sites
Zone 3 – Internet
Zone 4 – Restricted sites.
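As an added example (not from the original post), here is a small Python parser for the text held in a Zone.Identifier stream: it maps ZoneId to the zone names above and pulls out the ReferrerUrl and HostUrl that tools such as the Defender portal surface as file origin. The sample stream is constructed, and the helper that opens the stream through the file:stream path syntax only works on NTFS under Windows.

```python
import configparser

# URL security zone ids and names, as listed above.
ZONE_NAMES = {
    0: "Local Machine",
    1: "Local intranet",
    2: "Trusted sites",
    3: "Internet",
    4: "Restricted sites",
}

# Constructed sample of what `more < file:Zone.Identifier` prints for a
# browser download; the URLs are placeholders, not real origins.
SAMPLE_STREAM = (
    "[ZoneTransfer]\r\n"
    "ZoneId=3\r\n"
    "ReferrerUrl=https://example.invalid/downloads/\r\n"
    "HostUrl=https://cdn.example.invalid/testfile.docx\r\n"
)


def parse_zone_identifier(stream_text: str) -> dict:
    """Return ZoneId, zone name and origin URLs from Zone.Identifier text.

    The stream is INI-style with a [ZoneTransfer] section. ReferrerUrl and
    HostUrl are optional: a file that only carries a ZoneId (for example one
    copied from removable media) yields None for both.
    """
    # interpolation=None keeps '%' in URLs literal; '=' is the only
    # key/value separator because URLs themselves contain ':'.
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    parser.read_string(stream_text)
    if not parser.has_section("ZoneTransfer"):
        raise ValueError("no [ZoneTransfer] section: not a Zone.Identifier stream")
    section = parser["ZoneTransfer"]
    zone_id = int(section["ZoneId"])
    return {
        "zone_id": zone_id,
        "zone_name": ZONE_NAMES.get(zone_id, "Unknown"),
        "referrer_url": section.get("ReferrerUrl"),
        "host_url": section.get("HostUrl"),
    }


def read_zone_identifier(path: str) -> dict:
    """Read the stream straight from an NTFS file (Windows only): the
    'file:stream' path syntax opens the alternate data stream."""
    with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as fh:
        return parse_zone_identifier(fh.read())
```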

Digital Forensics

I focused on KAPE and Autopsy as far as listing Alternate Data Streams goes, and especially those of MotW.
While I did not find any special modules, targets or plugins that allow for a quick overview, the $MFT and the USN Journal ($J) do come in handy.

USNJournal

In the USN Journal we can search for "Stream" and "Named" in the Update Reasons and find all files that have been subject to a stream change.

Valid journal update reasons, as per Microsoft, are:

  • USN_REASON_STREAM_CHANGE (0x00200000): A named stream is added to or removed from a file, or a named stream is renamed.
  • USN_REASON_NAMED_DATA_EXTEND (0x00000020): One or more named data streams for a file are extended (added to).
  • USN_REASON_NAMED_DATA_OVERWRITE (0x00000010): The data in one or more named data streams for a file is overwritten.
  • USN_REASON_NAMED_DATA_TRUNCATION (0x00000040): One or more named data streams for a file are truncated.

As we can see in the screenshot below, the file incurred both a StreamChange and a NamedDataExtend following the manual addition of data to an Alternate Data Stream on testzonefile.txt.
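The same filtering done in code, as an added example that is not part of the original post: a decoder for the USN Reason bitmask using the four stream-related flag values listed above (plus a few other documented USN_REASON_* values, taken from Microsoft's USN_RECORD documentation rather than this post, so the constructed sample records look realistic). The record for testzonefile.txt carries 0x00200020, which decodes to exactly the StreamChange and NamedDataExtend pair seen in the screenshot.

```python
# Stream-related USN reason flags, values as quoted above.
STREAM_REASONS = {
    0x00000010: "USN_REASON_NAMED_DATA_OVERWRITE",
    0x00000020: "USN_REASON_NAMED_DATA_EXTEND",
    0x00000040: "USN_REASON_NAMED_DATA_TRUNCATION",
    0x00200000: "USN_REASON_STREAM_CHANGE",
}
# Unrelated flags so the sample records look realistic (values from the
# Microsoft USN_RECORD documentation; not part of the post).
OTHER_REASONS = {
    0x00000001: "USN_REASON_DATA_OVERWRITE",
    0x00000002: "USN_REASON_DATA_EXTEND",
    0x00000100: "USN_REASON_FILE_CREATE",
    0x80000000: "USN_REASON_CLOSE",
}
ALL_REASONS = {**STREAM_REASONS, **OTHER_REASONS}
STREAM_MASK = sum(STREAM_REASONS)  # any of these bits set => stream activity


def decode_reason(mask: int) -> list:
    """Expand a Reason bitmask into flag names, lowest bit first.
    Bits with no known name are rendered as hex so nothing is silently dropped."""
    names = []
    bit = 1
    while bit <= mask:
        if mask & bit:
            names.append(ALL_REASONS.get(bit, f"0x{bit:08X}"))
        bit <<= 1
    return names


# Constructed $J records (file name + Reason), not exported from a real host.
SAMPLE_RECORDS = [
    {"file": "testzonefile.txt", "reason": 0x00200020},  # ADS written by hand
    {"file": "report.docx", "reason": 0x80000102},       # ordinary file write
    {"file": "setup.exe", "reason": 0x00000010},         # existing ADS overwritten
]


def stream_events(records: list) -> list:
    """Keep only records that touch a named stream, with decoded reasons."""
    return [
        (r["file"], decode_reason(r["reason"]))
        for r in records
        if r["reason"] & STREAM_MASK
    ]
```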

MFT

The MFT does contain entries for Alternate Data Streams, and since ":" is a reserved character in Microsoft's file naming conventions, it is a perfect thing to search for in the MFT:

We can see files with Zone.Identifier as well as the result of manually adding files or text to new streams, such as "Spotify".

In some cases the Zone Id Content field within the MFT output provides information about the stream content. In my tests this was hit and miss depending on the content within the stream, so the best bet is to identify the files in the MFT and then inspect them manually using other tools.

Propagation of MotW

Not all tools propagate MotW. ISO files in Windows, for instance, did not do so until a patch was released in November 2022.
Archive tools do, for the most part, but some still do not propagate MotW or require configuration to do so.
A compiled overview can be found here.

One such example is 7-Zip, which is used by many to tarball and password-protect files on a compromised host before moving them.

AutoPsy

Autopsy is one of the tools that multiple sources on the Internet say can read ADS. However, I did not find any plugin or ingest module that does so in an easy fashion.
Provided that you ingest a disk image, Autopsy will list files with an ADS attached within the directory hierarchy.
One can also use File Search (Tools > File Search by Attributes) and search for ":" or a specific ADS name.

PowerShell & dir

PowerShell and cmd have a few helpful commands to both identify and view the content of Alternate Data Streams.
For cmd, the following commands can be used.

REM Show all files with an ADS in a directory (streams are listed as file:stream:$DATA)
dir /r

REM View the content of an ADS
more < testfile.docx:Zone.Identifier

REM Add data to an ADS of a file
echo secretmessage > testfile:ads

In PowerShell we use Get-Item with the -Stream parameter, piped to Get-Content, to see the content.
Conversely, we use Set-Content -Stream <stream> -Value to add something.

# List every stream on the file (the unnamed main data stream shows as :$DATA)
Get-Item <file> -Stream *
# Read the Zone.Identifier stream
Get-Item <file> -Stream Zone.Iden* | Get-Content
# Write a new named stream
Get-Item <file> | Set-Content -Stream <StreamName> -Value "SecretStuff"

Microsoft Defender and Advanced Hunting

As far as I was able to ascertain, Microsoft Defender does not record telemetry regarding Alternate Data Streams other than Zone.Identifier.

Microsoft Defender Advanced Hunting has three fields, FileOriginIP, FileOriginReferrerUrl and FileOriginUrl, within the DeviceFileEvents table that contain information pertaining to Zone.Identifier.

As far as finding MotW information in the portal itself goes, you'll only find it on the alert, not in device timelines and the like.

Within the context of an alert – yes
Advanced Hunting – yes
Timeline of device – no
File info – no (because that pertains to a file with a certain hash value, not the NTFS metadata)