Examining NTFS (NT File System) alternate data streams
Sometimes an attacker will write a file of non-zero size containing malicious code, yet when you examine the file's contents you see only gibberish padding or nothing at all.
Many junior analysts have fallen victim to this technique, which hides data in plain sight: they assume that what they see in the primary data stream is all the file contains, dismiss it as meaningless, and move on.
We can use our previously collected array of recently written files to check for NTFS alternate data streams and return the contents of any stream other than the default :$DATA
stream, where a normal file's data is stored. Any file with an alternate data stream should be regarded as highly suspect and examined closely by an analyst:
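The check described above, written out as an added PowerShell example (this is not the book's own code). It assumes the array of recently written files from the earlier step is held in a variable named $recentFiles as System.IO.FileInfo objects; the function name Get-AlternateDataStreamReport and the -MaxChars parameter are my own choices, and the demo file created at the end is a constructed sample so the block can be run on its own.

```powershell
# Added example, not the book's code. Enumerates every NTFS data stream on each
# file, skips the default ':$DATA' stream, and returns the alternate streams with
# a preview of their contents for analyst review.
function Get-AlternateDataStreamReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [System.IO.FileInfo[]]$File,

        # Cap on how much of each stream to pull back, so a large hidden
        # payload does not flood the console (assumed parameter name).
        [int]$MaxChars = 512
    )
    process {
        foreach ($f in $File) {
            # '-Stream *' lists all data streams, including the unnamed ':$DATA' stream.
            $streams = Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue
            foreach ($s in $streams) {
                if ($s.Stream -eq ':$DATA') { continue }   # primary stream: normal file content

                # Read the alternate stream as text; binary payloads will look garbled
                # but the Length field still tells you something is there.
                $content = Get-Content -LiteralPath $f.FullName -Stream $s.Stream -Raw -ErrorAction SilentlyContinue
                $preview = if ($content -and $content.Length -gt $MaxChars) {
                    $content.Substring(0, $MaxChars) + '...'
                } else { $content }

                [PSCustomObject]@{
                    FileName      = $f.FullName
                    LastWriteTime = $f.LastWriteTime
                    Stream        = $s.Stream
                    Length        = $s.Length
                    # Zone.Identifier is the well-known metadata stream Windows writes for
                    # downloaded files; flag it so the analyst can triage it separately.
                    KnownMetadata = ($s.Stream -eq 'Zone.Identifier')
                    Preview       = $preview
                }
            }
        }
    }
}

# --- Constructed demo so the block runs stand-alone (requires an NTFS volume) ---
$demoFile = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $demoFile -Value 'nothing to see here'          # primary stream
Set-Content -LiteralPath $demoFile -Stream 'hidden' -Value 'sample hidden payload'   # constructed ADS

# In the real workflow, replace $demoFile with the array from the earlier step:
#   $recentFiles | Get-AlternateDataStreamReport | Format-Table -AutoSize
Get-Item -LiteralPath $demoFile | Get-AlternateDataStreamReport | Format-List

Remove-Item -LiteralPath $demoFile   # clean up the demo file
```

Alternate data streams exist only on NTFS volumes, so an empty result on a FAT or exFAT drive proves nothing. When reviewing the output, treat any stream other than Zone.Identifier (and the other metadata streams the analysis tip below describes) as something an analyst must open and explain; a non-trivial Length on an otherwise "empty" file is exactly the pattern this section warns about.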
Analysis tip
NTFS also utilizes alternate data streams to store some file metadata – the "...