ADS Links

I’ve been doing a lot of research into encrypting data into alternate data streams (what, I was bored one night!). Instead of boring you with more of the same (this topic has been covered extensively by others), I’d like to share some links with you.

One of the best sources I’ve read regarding ADS is Harlan Carvey’s Windows Forensic Analysis 2E. It was my first real exposure to the wonderful world of alternate data streams and file/folder/executable piggy-backing. (Rob Lee mentioned alternate data streams in SANS FOR408, which piqued my interest.)

The Gabro Blog entry on ADS is extremely insightful as well, although it does say that the ADS has different encryption attributes than the parent. That’s somewhat misleading, as you can’t actually EFS-encrypt an ADS at all (trust me, I’ve tried via cipher /E /A and it isn’t… nor does it make too much sense logically). Of course, you can encrypt content with something like GPG and then “push” the content into something else with type.

Additional Resources

Quinn Shamblin’s “Alternate Data Streams Overview” (SANS Blog)
Harlan Carvey’s Blog entry on ADS entitled “NTFS Alternate Data Streams”
