
Alternate File Streams allow a user to embed hidden content within any NTFS file. That file can be a TXT file or a MOV file, for example. Some may consider this a form of steganography, and therefore the same auditing principles may apply. On the other hand, some applications, such as Exchange and SMTP, use these streams extensively for legitimate purposes.

Do Alternate File Streams get any special treatment within your organisation?

What are the main reasons you would, or would not audit AFS file access?

If you scan for these files explicitly, what do you look for? How do you respond?

AviD
makerofthings7
  • Though some would consider that "security by obscurity"... Not to say it doesn't have its place. – AviD Dec 01 '10 at 22:45
  • I was thinking more along the lines of protecting against steganography when our corporate goal is clear, auditable, and transparent communication. I don't want to actually use it as a means to protect information. – makerofthings7 Dec 02 '10 at 05:30

1 Answer


I have spoken with folks in a lot of corporates, and the majority are not looking at Alternate File Streams at all. The reason being in all cases that they have far simpler channels that still need to be controlled effectively and no extra budget. One client with a very effective DLP solution disallows any outgoing files or attachments, unless they have been preapproved - so they would be my best candidate to try this, however they don't have the infrastructure to easily implement this.

A problem is that you would need to automate the validity of AFS content - I don't know of anyone who has a solution yet. I guess you could whitelist all the apps that have a valid reason, but then a savvy individual could just use AFS in files associated with these apps.

The more I think about it and compare with other DLP attempts, the more I think it is a major issue unless you migrate extensively to thin clients (eg a fully Citrix'ed environment) or have an environment so locked down users can't get enough access to create AFS.

Rory Alsop
  • There are some ameliorating factors, data-leak wise, for Alternate Data Streams--for instance, if you write the files to a CD or DVD, the ADS is gone; and if you care at all about DLP you're already blocking flash media. ADS will not transfer with a file by http or ftp. I see ADS as more of a primitive malware hiding issue than a DLP issue. – user502 Dec 13 '10 at 16:57
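The question asks what to look for when scanning for alternate data streams explicitly, and the answer notes that any allow-list of "legitimate" streams is only as good as the names on it. The following is an added example, not code from the question or answer, that enumerates every stream on files under a root path with PowerShell's `Get-Item -Stream *` and reports anything outside a small allow-list; the root path and the allow-list entries are assumed placeholders to adjust per environment.

```powershell
# Added example: inventory NTFS alternate data streams under a path and flag
# anything beyond the unnamed $DATA stream and the browser-written Zone.Identifier.
# Assumes Windows with PowerShell 3.0 or later (Get-Item -Stream support).
param(
    [string]$Root = 'C:\Users\Public',                          # placeholder root to scan
    [string[]]$KnownStreams = @(':$DATA', 'Zone.Identifier'),   # streams treated as expected
    [string]$ReportPath = (Join-Path $env:TEMP 'ads-findings.csv')
)

$findings = Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * returns one object per stream, including the main unnamed stream ':$DATA'
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $KnownStreams -notcontains $_.Stream } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $file.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    Owner  = (Get-Acl -LiteralPath $file.FullName).Owner
                }
            }
    }

# Largest unexpected streams first; a CSV copy goes to whoever reviews DLP findings.
$findings | Sort-Object Bytes -Descending | Format-Table -AutoSize
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} unexpected stream(s) written to {1}" -f @($findings).Count, $ReportPath)
```

Because the allow-list is keyed on stream name only, a stream deliberately named `Zone.Identifier` would pass; pairing this inventory with size thresholds or content inspection is what closes that gap.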