nerdexam
GIAC

GCIH · Question #634

As indicated in the following image, an analyst runs the dir and more commands. What can the analyst conclude about Judges.txt?

The correct answer is D. It is an alternate data stream. Using 'dir /r' and 'more' reveals that Judges.txt is stored as an NTFS Alternate Data Stream (ADS) hidden within another file, making it invisible to standard directory listings.

Malware Analysis & Advanced Persistent Threats

Question

As indicated in the following image, an analyst runs the dir and more commands. What can the analyst conclude about Judges.txt?

Exhibit

GCIH question #634 exhibit

Options

  • AThe file size is 35 bytes
  • BThe file is encoded by Quarterly_Results.txt
  • CIt is on a FAT partition
  • DIt is an alternate data stream

How the community answered

(27 responses)
  • B
    7% (2)
  • C
    4% (1)
  • D
    89% (24)

Why each option

Using 'dir /r' and 'more' reveals that Judges.txt is stored as an NTFS Alternate Data Stream (ADS) hidden within another file, making it invisible to standard directory listings.

AThe file size is 35 bytes

The 35-byte value visible in the output reflects the size of the ADS stream itself, not an independent standalone file - it does not indicate Judges.txt is a normal 35-byte file.

BThe file is encoded by Quarterly_Results.txt

Files are not encoded 'by' other files; Quarterly_Results.txt is the host file that contains the ADS named Judges.txt, not an encoder.

CIt is on a FAT partition

FAT (File Allocation Table) partitions do not support Alternate Data Streams - ADS is an NTFS-exclusive feature, so a FAT partition conclusion is technically impossible in this context.

DIt is an alternate data streamCorrect

NTFS Alternate Data Streams allow additional named data streams to be attached to a file without appearing in normal 'dir' output. The 'dir /r' flag exposes ADS entries, and the 'more' command can read them by referencing the stream syntax (e.g., file.txt:Judges.txt). This is a common hiding technique used by attackers to conceal data or malicious payloads inside legitimate-looking files.

Concept tested: NTFS Alternate Data Streams detection and analysis

Source: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-fscc/b134f29a-6278-4f3f-904f-5e58a713d2c5

Topics

#alternate data streams#NTFS forensics#Windows#data hiding

Community Discussion

No community discussion yet for this question.

Full GCIH Practice