NTFS allows a file to carry additional named data streams besides its main content, known as alternate data streams (ADS). ( https://en.wikipedia.org/wiki/NTFS#Alternate_data_streams_.28ADS.29 )
Under Linux (the streams are exposed as extended attributes) :
getfattr
getfattr file.123 (lists the attribute names; add -d to dump their values)
getfattr file.123 --only-values > output.bin
Under Windows :
dir /r
streams myfile (streams.exe is part of the Microsoft Sysinternals suite)
Add a file to a stream : expand mysecretfile.exe myfile:secretfile (this copies mysecretfile.exe into myfile as an alternate stream called secretfile)
PowerShell :
Get-Content -Path myfile -Stream 'secretfile'
Add-Content -Path myfile -Value 'Secret Information' -Stream 'secretfile' (this writes the value 'Secret Information' into the stream secretfile of the file myfile)
For forensics this is particularly interesting, because browsers add metadata to downloaded files in an alternate stream called "Zone.Identifier" (the "mark of the web").
Example : go to your Downloads folder
Type : streams mydownloadedfile.exe
streams v1.60 - Reveal NTFS alternate streams.
Copyright (C) 2005-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
C:\Users\xxxxxx\Downloads\mydownloadedfile.exe:
:Zone.Identifier:$DATA 146
Then get the content in PowerShell :
PS C:\Users\xxxxx\Downloads> Get-Content -Path mydownloadedfile.exe -Stream 'Zone.Identifier'
[ZoneTransfer]
ZoneId=3
ReferrerUrl=https://www.awebsite.com/
HostUrl=https://www.anotherwebsite.com/php/Download.php?file=mydownloadedfile.exe
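To turn the manual check above into something repeatable during triage, here is an added PowerShell example (not part of the original post) that walks a folder, lists every alternate stream on every file with Get-Item -Stream *, and parses the Zone.Identifier stream into ZoneId / ReferrerUrl / HostUrl fields. The function name Get-AdsReport, the default folder and the zone name table are my own choices; it assumes Windows PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example: report NTFS alternate data streams and parse Zone.Identifier.
# Not from the original post. Get-AdsReport and the zone table are assumptions.

# URLZONE values written by Windows into the ZoneId field (well-known constants).
$ZoneNames = @{
    0 = 'LocalMachine'
    1 = 'Intranet'
    2 = 'Trusted'
    3 = 'Internet'
    4 = 'Restricted'
}

function Get-AdsReport {
    param(
        # Placeholder default; point this at the folder you want to triage.
        [string]$Folder = "$env:USERPROFILE\Downloads"
    )

    Get-ChildItem -Path $Folder -File -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        # Get-Item -Stream * returns one object per stream; ':$DATA' is the
        # file's normal content, so only the named streams are of interest.
        Get-Item -Path $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $zoneId = $null; $zoneName = $null; $referrer = $null; $hostUrl = $null

                if ($_.Stream -eq 'Zone.Identifier') {
                    # Zone.Identifier is INI-style text: a [ZoneTransfer] header
                    # followed by Key=Value lines, as shown in the post above.
                    $lines = Get-Content -Path $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
                    foreach ($line in $lines) {
                        if     ($line -match '^ZoneId=(\d+)')    { $zoneId = [int]$Matches[1] }
                        elseif ($line -match '^ReferrerUrl=(.*)') { $referrer = $Matches[1].Trim() }
                        elseif ($line -match '^HostUrl=(.*)')     { $hostUrl = $Matches[1].Trim() }
                    }
                    if ($null -ne $zoneId -and $ZoneNames.ContainsKey($zoneId)) {
                        $zoneName = $ZoneNames[$zoneId]
                    }
                }

                [pscustomobject]@{
                    File        = $file.FullName
                    Stream      = $_.Stream
                    Length      = $_.Length
                    ZoneId      = $zoneId
                    Zone        = $zoneName
                    ReferrerUrl = $referrer
                    HostUrl     = $hostUrl
                }
            }
    }
}

# Usage: list every named stream, then show only files that came from the Internet zone.
Get-AdsReport | Format-Table -AutoSize
Get-AdsReport | Where-Object { $_.ZoneId -eq 3 } | Select-Object File, ReferrerUrl, HostUrl
```

Two things to look for in the output: a Zone.Identifier stream with ZoneId=3 tells you the file was downloaded from the Internet and where from, which is exactly the provenance you want in an investigation; any other named stream on a file in a user folder is unusual and deserves a closer look, since the same mechanism is what the expand / Add-Content commands above use to hide data. Unblock-File (or Remove-Item -Path file -Stream 'Zone.Identifier') removes the mark, so its absence on a downloaded file is itself worth noting.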
Additional information : alternate data streams on NTFS have been, and still are, used in the wild by several threat groups. Article on MITRE ATT&CK : https://attack.mitre.org/techniques/T1096/
Thank you for sharing your thoughts. I truly appreciate your efforts and I will be waiting for your next write ups thank you once again.