Careful with that alternate data stream Eugene

Gartner 24 Oct 2020 09:36

Careful with those alternate file streams, Eugene!

One of the things I’ve been researching quite in depth this year has been the Insider Risk Management problem, and I hope to have some useful research notes published quite shortly.

Return of the shuffling hordes. BRAAAIIINSSSS!

There are lots of interesting questions to answer, for example Insider Risk versus Insider Threat as a fundamental one, but also moving on to more Cyber-Existentialism such as:

  • What is Insider Risk anyway?
  • Isn’t this just DLP in new shoes?
  • How creepy is this anyway?

and the list goes on. (and on)

But one thing to ask your Insider Risk (or Threat) vendor is whether they can handle (or detect) the use of alternate data streams as a simple steganographic method that (guess what!) is supported natively by Windows NTFS. And you can’t turn it off.

Admiring the problem

The brilliant Sysinternals page at Microsoft tells us:

The NTFS file system provides applications the ability to create alternate data streams of information. By default, all data is stored in a file’s main unnamed data stream, but by using the syntax ‘file:stream’, you are able to read and write to alternates. Not all applications are written to access alternate streams, but you can demonstrate streams very simply.
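A defender-side check, added here as an example and not part of the original post: it walks a directory on an NTFS volume with PowerShell, lists every data stream on each file, and reports anything other than the default unnamed stream, which is where a vendor's "can you detect it" answer would have to start. The share path is a placeholder, and Zone.Identifier (the browser "Mark of the Web" stream) is treated as the expected benign case.

```powershell
# Added example (not from the original post): enumerate alternate data streams
# under a directory and report every stream other than the default ::$DATA.
# Assumes Windows PowerShell 5.1+ or PowerShell 7 on an NTFS volume; the path
# C:\Shares\Finance is a placeholder, not a real location.
param(
    [string]$Path = 'C:\Shares\Finance'
)

# Streams that are common and usually benign; everything else is worth a look.
# Zone.Identifier is written by browsers and mail clients on downloaded files.
$knownBenign = @('Zone.Identifier')

Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # -Stream * lists every data stream on the file, including the unnamed
        # main stream, which the provider reports as ':$DATA'.
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
    } |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object {
        [pscustomobject]@{
            File   = $_.FileName
            Stream = $_.Stream
            Bytes  = $_.Length
            Benign = ($knownBenign -contains $_.Stream)
        }
    } |
    # Unexpected streams first, largest first: a multi-megabyte named stream on
    # an otherwise small file is the pattern an insider-risk tool should flag.
    Sort-Object Benign, Bytes -Descending |
    Format-Table -AutoSize
```

Run it against a scratch folder after creating a stream with the `file:stream` syntax quoted above to confirm the tool you are evaluating sees the same thing this listing does.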
