How to Use Alternate Data Streams in Data Loss Prevention

Learn how to use alternate data streams in NTFS for DLP applications, and how to detect watermarked files on the network using a Snort or Suricata IPS rule.

Dennis Chow
Published in The Startup
5 min read · Mar 19, 2020


Have you ever wanted to try out alternate data streams in a legitimate data loss prevention case?

I’ve finally had some time this weekend to try out NTFS Alternate Data Streams (ADS) in various network DLP-based applications. Although this isn’t really new or surprising to the rest of us security professionals, it is a nifty way to potentially use these technologies to identify watermarked files that may be attempting to leave the perimeter. As always, this is merely for informational purposes only; your mileage may vary on applicability and results.

This weekend’s mini project gives readers the following:

  • A way for an administrator to recurse through selected files and automatically add a hashed string to an alternate data stream on Windows NTFS hosts
  • An example Snort IDS signature that detects the hash when it is traversing or leaving the network
  • General information and cautions on using ADS for DLP applications
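
The following PowerShell script is an added example and is not the article’s code or anything from the author’s repository. It implements the tagging and detection halves described above, and goes a little beyond them with a verify step and a helper that emits the matching Snort/Suricata rule. The stream name DLPTag, the tag prefix DLPMARK, the sid 1000001 and the file paths in the usage lines are assumed placeholders; Get-FileHash and the -Stream parameter on Set-Content, Get-Content, Get-Item and Remove-Item are standard FileSystem provider features on Windows PowerShell 5.0 and later.

```powershell
#Requires -Version 5.0
# Added example, not the article's code: write a DLP watermark into an NTFS alternate
# data stream (ADS) for every file under a folder, read it back, verify it, and emit
# the Snort/Suricata rule that matches it. Stream name, prefix and sid are assumed.

$StreamName = 'DLPTag'    # assumed ADS name (the article does not name its stream)
$TagPrefix  = 'DLPMARK'   # assumed fixed marker so a single IDS rule covers every tagged file

function New-DlpTag {
    # Watermark = fixed prefix + first 16 hex chars of the file's SHA-256. The prefix is
    # what the IDS matches; the suffix tells you which file an alert came from.
    # Get-FileHash reads only the primary ($DATA) stream, so adding the ADS does not change it.
    param([Parameter(Mandatory)][string]$Path)
    $hash = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    return ('{0}-{1}' -f $TagPrefix, $hash.Substring(0, 16))
}

function Get-DlpTag {
    # Reads the tag from the ADS; returns $null when the stream does not exist.
    param([Parameter(Mandatory)][string]$Path)
    try {
        return (Get-Content -Path $Path -Stream $StreamName -Raw -ErrorAction Stop).Trim()
    } catch {
        return $null
    }
}

function Add-DlpTag {
    # Recurses through $Root and tags every regular file that is not already tagged.
    param(
        [Parameter(Mandatory)][string]$Root,
        [string[]]$Include = @('*')   # e.g. @('*.docx','*.xlsx') to limit the file types
    )
    Get-ChildItem -Path $Root -File -Recurse -Include $Include | ForEach-Object {
        if (Get-DlpTag -Path $_.FullName) { return }    # already tagged: leave it alone
        $tag = New-DlpTag -Path $_.FullName
        Set-Content -Path $_.FullName -Stream $StreamName -Value $tag -NoNewline
        [pscustomobject]@{ File = $_.FullName; Tag = $tag }
    }
}

function Test-DlpTag {
    # Reports whether a file's stored tag still matches its current content hash.
    # 'stale' means the primary stream changed after tagging (or the tag was altered).
    param([Parameter(Mandatory)][string]$Path)
    $stored = Get-DlpTag -Path $Path
    if (-not $stored) { return 'untagged' }
    if ($stored -eq (New-DlpTag -Path $Path)) { return 'valid' }
    return 'stale'
}

function Remove-DlpTag {
    # Deletes only the ADS; the file's primary data is untouched.
    param([Parameter(Mandatory)][string]$Path)
    Remove-Item -Path $Path -Stream $StreamName -ErrorAction SilentlyContinue
}

function Get-DlpSnortRule {
    # Emits a rule that alerts when the tag prefix appears in traffic leaving $HOME_NET.
    # sid 1000001 is a placeholder from the local-rule range; pick your own.
    param([int]$Sid = 1000001)
    $rule = 'alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"DLP watermark tag leaving network"; ' +
            'flow:established,to_server; content:"{0}-"; nocase; sid:{1}; rev:1;)'
    return ($rule -f $TagPrefix, $Sid)
}

# Usage (paths are examples):
# Add-DlpTag -Root 'C:\Sensitive' -Include @('*.docx','*.xlsx') | Format-Table
# Get-Item 'C:\Sensitive\plan.docx' -Stream *        # lists :$DATA plus the DLPTag stream
# Test-DlpTag -Path 'C:\Sensitive\plan.docx'          # valid | stale | untagged
# Get-DlpSnortRule | Set-Content 'C:\snort\rules\local.rules'
```

Two points worth checking before relying on this in production. First, an ADS exists only on NTFS: copying the file to FAT or exFAT media, or saving it through an application that reads only the primary stream (a browser upload form or a mail client attaching the file), silently drops the stream and the tag with it, so the IDS rule fires only when the transfer actually carries the stream, for example an SMB copy between NTFS volumes. Second, because the tag is derived from the primary stream’s hash, editing the file leaves a stale tag behind; run Test-DlpTag on a schedule and re-tag what it reports as stale.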

Why ADS for DLP?

You might be asking why use ADS rather than watermarking a file directly or some other method (perhaps even MiTM packet…


Dennis Chow
Security Practitioner and Veteran | GSE #288, GXPN, GREM. *Opinions are my own. Looking for code only? https://github.com/dc401/