Compressed (and Encrypted) Alternate Data Streams

The technique of hiding data within NTFS Alternate Data Streams (aka ADS) has been widely documented and it isn’t something that could take a forensic investigator by surprise. Then about a month ago I came across an article with an extra-ordinary name – Stealth Alternate Data Streams and Other ADS Weirdness, which hinders certain tools from finding the ‘hidden’ streams. You can probably see where I’m going with this… today I read an article titled Detecting and Manipulating Compressed Alternate Data Streams in a Forensics Investigation, unfortunately there's no freely available copy of it, which describes another technique of hiding data.

The article explains that by compressing a file using WinRAR with an option for preserving NTFS streams turned on (Figure 1), which according to this post is the only archiver that supports this technique at the moment, we can evade some of the anti-virus scanners. I also tested it on 7-Zip and WinZip 16.0 but neither of them can handle file streams.

Figure 1. Preserving ADS.

The article, not surprisingly, uses VirusTotal to compare results of scanning the archive by different anti-virus engines. In October 2007, when the research was carried out, only four out of all the supported scanners detected the embedded malicious software. Bearing in mind that it was a few years ago, I couldn’t resist trying it out myself. I firstly created a text file with some random text and then appended a file with an EICAR-TEST file to it. Then I archived the file making sure it includes file streams, and scanned it with an anti-virus which was on my machine but it didn’t detect anything (I used F‑Secure Internet Security 2011 with today’s virus definitions).

Figure 2. The result of scanning a RAR archive with an EICAR-TEST file hidden in a file stream.

I was also curious about how would other anti-virus scanners cope so I uploaded the file to VirusTotal and the detection rate was only 37.2% (Figure 2). But it gets even better… you see, the other WinRAR’s NTFS option reads ‘save file security’. The article doesn’t cover this feature, but I decided to give it a go: I encrypted the file (with a stream) using the NTFS Encryption (aka EFS) feature and then archived it making sure that both of the WinRAR's NTFS options were selected. Guess what, the detection rate was 0% (Figure 3).

I opened the archive with WinRAR on different machine (VM with Windows XP SP3) and the file was in green indicating that it is compressed but when I unpacked it, because the user didn’t have the right encryption key, WinRAR skipped the streams. What was even more surprising, the file extracted without showing any errors what‑so‑ever. Just to clarify, the archive successfully extracts files with streams when opened by the user who created it. It indicates to me that for some weird reason WinRAR has different implementation of compressing encrypted files and their streams: it decrypts files and keeps them in "plain-text" unlike file streams which are stored encrypted.

Figure 3. The result of scanning a RAR archive with an encrypted file stream.

Let’s consider the implications of it. If a suspect had used a RAR archive to hide NTFS Encrypted files then unless the investigator tried to open the archive under the suspect’s account (e.g. using LiveView), or imported the suspect's encryption key on his investigation workstation (I’m not quite sure how and if it’s doable), then he’d have missed the streams. On the other hand, if the archive is suspiciously large compared to its content, it may be a clue to an investigator.




Update (21 Dec 2011): I decided to write a tool that would scan a hard drive for any RAR files to see if they contain any NTFS streams. Before I did it though, I tried again the above-mentioned  method with encrypted NTFS streams. As it turned out, I must have made a mistake when firstly testing this method because WinRAR has a bug which makes it skip NTFS streams of encrypted files. Thus, the 0% detection rate from VirusTotal (because the file wasn't included!).

Update (31 Jan 2012): I've contacted the team behind WinRAR about the issue and this is their response: "Sorry, WinRAR does not support encrypted streams now. It would require another approach like using ReadEncryptedFileRaw instead of BackupRead for encrypted files and it is not implemented. Maybe we'll do it in the future." So as one can infer, it is a known issue and may, or may not, be solved in the future.