Alternate Data Streams (ADS)

Purpose and Function

Alternate Data Streams (ADS) are a feature unique to the NTFS file system that allows for more than one stream of data to be associated with a single filename. Every file on an NTFS volume has a primary, default data stream, which is technically unnamed but often referred to as :$DATA. This stream holds the file's main, expected content—the text in a .txt file, the pixel data in a .jpg, or the machine code in an .exe.

However, NTFS allows for any number of additional, named data streams to be attached to the very same file entry in the MFT. For example, a file named MyDocument.txt can have its main text content and simultaneously host a hidden executable file in a separate stream, such as MyDocument.txt:HiddenApp.exe.

This feature was originally designed for compatibility with the classic Mac Hierarchical File System (HFS), but it is now rarely used for legitimate purposes by modern applications.

From a DFIR perspective, ADS are a well-known technique used by malware and savvy users to hide data.

Mechanism of Concealment

The power of ADS as a concealment technique lies in its invisibility to standard Windows tools.

  • Invisibility in File Explorer: Windows File Explorer and the standard dir command in Command Prompt do not display the existence or size of alternate data streams by default. A file containing a large hidden payload within an ADS will report its size as if it only contained its primary data stream, making it appear completely innocuous.

  • Creation and Execution:

    • ADS can be easily created using built-in command-line tools. For example, the command type C:\path\to\cheat.exe > C:\path\to\benign_file.txt:hidden.exe redirects the entire binary content of the cheat into a new stream named hidden.exe attached to benign_file.txt; the host file's primary content is untouched and its reported size does not change.

    • Executing code hidden in an ADS is not as simple as double-clicking the host file. It requires specific techniques, such as using the wmic process call create "C:\path\to\file.txt:hidden.exe" command, forfiles.exe, or other scripting methods.

Stored Data and Forensic Value

An ADS can contain any type of data, from simple text logs to entire executable binaries, scripts, or configuration files. Their forensic value is directly tied to their use as a hiding mechanism.

  • Hiding Malicious Payloads: This is the most common malicious use. Cheat tools, malware, and scripts can be stored within an ADS attached to a legitimate and unsuspecting file (e.g., notepad.exe, a system DLL, or a simple text file).

  • Concealing Configuration or Log Files: Cheats may use ADS to store their configuration settings or activity logs, hiding them from easy discovery.

  • Zone.Identifier Stream (A Benign Example): One of the few common, legitimate uses of ADS is the Zone.Identifier stream. When a file is downloaded from the internet using a web browser, Windows often adds this stream to the file. It contains metadata indicating that the file came from an untrusted source (the "Internet Zone"), which is what triggers the "Security Warning" prompt when you try to run it. Analyzing this stream can be forensically useful to prove a file's origin.
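Reading the Zone.Identifier stream is the quickest way to recover a file's download origin. The following PowerShell function is an added example and not part of the original page; the Downloads path is a placeholder, and the field names (ZoneId, ReferrerUrl, HostUrl) are the ones Windows writes into the [ZoneTransfer] section of that stream.

```powershell
function Get-ZoneIdentifier {
    # Returns ZoneId, ReferrerUrl and HostUrl from a file's Zone.Identifier stream,
    # or $null when the file carries no such stream (typical for locally created files).
    param([Parameter(Mandatory)][string]$Path)
    $lines = Get-Content -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if (-not $lines) { return $null }
    # The stream body is INI-style: a [ZoneTransfer] section followed by key=value lines.
    # HostUrl/ReferrerUrl are only present when the downloading application recorded them.
    $info = [ordered]@{ Path = $Path; ZoneId = $null; ZoneName = $null; ReferrerUrl = $null; HostUrl = $null }
    foreach ($line in $lines) {
        if ($line -match '^(ZoneId|ReferrerUrl|HostUrl)=(.*)$') {
            $info[$matches[1]] = $matches[2].Trim()
        }
    }
    # URL security zone numbers as used by Windows (3 = Internet is the usual download marker)
    $zoneNames = @{ '0' = 'LocalMachine'; '1' = 'LocalIntranet'; '2' = 'TrustedSites'; '3' = 'Internet'; '4' = 'RestrictedSites' }
    if ($info.ZoneId) { $info.ZoneName = $zoneNames[$info.ZoneId] }
    [pscustomobject]$info
}

# Walk a folder (placeholder path) and list only files marked as downloaded from the Internet zone
Get-ChildItem -LiteralPath "$env:USERPROFILE\Downloads" -File -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ZoneIdentifier -Path $_.FullName } |
    Where-Object { $_ -and $_.ZoneId -eq '3' } |
    Select-Object Path, ZoneName, HostUrl, ReferrerUrl |
    Format-Table -AutoSize
```

Files copied from another NTFS volume keep the stream, so a Zone.Identifier on a file in an unexpected location still points back to the original download.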

Detection and Analysis

Detecting and examining ADS requires specific commands or dedicated forensic tools.

  • Command Line:

    • dir /r: Lists alternate data streams for all files in the current directory.

    • PowerShell: Get-Item -Path .\file.txt -Stream * lists all streams for a specific file.

  • Dedicated Tools: GUI-based utilities like Nirsoft's AlternateStreamView or Sysinternals' Streams are essential. They can quickly scan entire directories or drives, listing all files that contain ADS and allowing the analyst to view, extract, or delete the stream's content.

  • USN Journal ($UsnJrnl): The creation, modification, or deletion of an ADS is logged in the USN Journal. These events are often flagged with reason codes like STREAM_CHANGE or NAMED_DATA_OVERWRITE, associated with the host file. Finding such events on an otherwise normal file is a strong indicator of ADS activity.

  • MFT Analysis: Each ADS is stored as an additional, named $DATA attribute in the host file's MFT record, alongside the unnamed primary $DATA attribute. When a file carries enough streams (or large resident data) that its attributes no longer fit in a single MFT record, NTFS adds an $ATTRIBUTE_LIST attribute pointing to the overflow records, so seeing $ATTRIBUTE_LIST on an ordinary file is itself worth a closer look.
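The dir /r and Get-Item -Stream * commands above inspect one directory or one file at a time. The following PowerShell scanner is an added example, not code from the original page: it walks a directory tree, lists every non-primary stream, compares the hidden bytes with the size Explorer reports, and flags streams that carry an executable-looking name or exceed a size threshold. The 1 MB threshold, the extension list and the Downloads path are assumptions to tune for the environment being examined; it also covers the directory sweep described under "A Classic Hiding Spot" below.

```powershell
function Find-SuspiciousAds {
    param(
        [Parameter(Mandatory)][string]$Root,
        [long]$LargeStreamBytes = 1MB      # assumed threshold; tune per environment
    )
    # Executable-looking stream names; assumed list, extend as needed
    $execPattern = '\.(exe|dll|ps1|bat|cmd|vbs|js|scr)$'
    foreach ($file in Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue) {
        # -Stream * enumerates every stream; ':$DATA' is the unnamed primary stream
        $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $streams) {
            $flags = @()
            # Zone.Identifier is the common benign stream: record it, but do not treat it as hiding
            if ($s.Stream -eq 'Zone.Identifier') { $flags += 'MarkOfTheWeb' }
            if ($s.Stream -match $execPattern)   { $flags += 'ExecutableName' }
            if ($s.Length -ge $LargeStreamBytes) { $flags += 'LargeStream' }
            [pscustomobject]@{
                File        = $file.FullName
                Stream      = $s.Stream
                StreamBytes = $s.Length
                ReportedLen = $file.Length      # what Explorer / plain dir show: primary stream only
                Flags       = ($flags -join ',')
            }
        }
    }
}

# Placeholder root; keep Zone.Identifier-only hits out of the final list
Find-SuspiciousAds -Root "$env:USERPROFILE\Downloads" |
    Where-Object { $_.Flags -and $_.Flags -ne 'MarkOfTheWeb' } |
    Sort-Object StreamBytes -Descending |
    Format-Table -AutoSize
```

A stream can be dumped for further analysis with Get-Content -LiteralPath <file> -Stream <name> -AsByteStream (PowerShell 7) or -Encoding Byte (Windows PowerShell 5.1) without touching the host file's primary content.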


Reflection points (SS Contest)

For a ScreenSharer, awareness of ADS is crucial for finding evidence that a player has actively tried to hide.

  • A Classic Hiding Spot: ADS is a go-to technique for hiding cheats. An SSer must scan common user directories (Desktop, Downloads, Temp) and game-related folders for the presence of ADS using a dedicated tool like AlternateStreamView. Finding an unexpectedly large stream, or a stream with an .exe or .dll name, attached to a non-executable file is a major red flag.

  • Execution Evidence: While hiding the file is one thing, executing it is another. If you find a command in the player's command history (e.g., PowerShell history) or a memory dump that uses wmic or forfiles to execute a file with a colon (:) in its path, you have likely found the command used to launch a payload from an ADS.

  • Context from Zone.Identifier: The Zone.Identifier stream can be a useful piece of corroborating evidence. If a suspicious file has this stream, an SSer can view its contents (e.g., with Notepad) to see the HostUrl from which it was downloaded, potentially linking it directly to a known cheat distribution site.

  • Correlating with Journal: If you suspect ADS activity but the files are gone, check the USN Journal for STREAM_CHANGE events on files that were recently modified or deleted. This can prove that ADS were being manipulated, even if you can't recover their content.
