Alternate Data Streams (ADS) - Hidden Data Streams

Alternate Data Streams (ADS) are a lesser-known but powerful feature of the NTFS file system: a single filename can have more than one data stream associated with it. Every file on an NTFS volume possesses a primary, unnamed data stream, conventionally referred to as :$DATA when explicitly named. This stream holds the file's main, expected content – the text in a .txt file, the pixel data in a .jpg, the machine code in an .exe.

However, NTFS allows additional, named data streams to be attached to the very same file entry in the $MFT. For example, a file named MyDocument.txt could have its main text in MyDocument.txt:$DATA and simultaneously have a hidden executable stored in MyDocument.txt:HiddenApp.exe.

This capability can be easily abused to hide data. Malicious code, cheat tools, configuration files, logs, or sensitive information can be stored within an ADS attached to an otherwise innocuous-looking file (like notepad.exe, calc.exe, or a simple .txt or image file). Standard tools like Windows File Explorer do not display the existence or size of these alternate streams by default, making them effectively invisible to casual inspection.

Detecting and examining ADS requires specific commands or dedicated tools:

  • Command Prompt: dir /r will list alternate streams for files in the current directory.

  • PowerShell: Get-Item -Path .\MyDocument.txt -Stream * lists streams for a specific file. Get-Content -Path .\MyDocument.txt -Stream HiddenApp.exe can read stream content (if text-based).

  • Dedicated Tools: Utilities like Nirsoft's AlternateStreamView or Sysinternals' Streams provide GUIs for easily finding, viewing, extracting, and deleting ADS across files and directories.

  • Execution: Executing code hidden in an ADS often requires specific techniques, such as the wmic process call create "C:\path\file.txt:hidden.exe" command, or using utilities like forfiles.
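
To apply the enumeration commands above across a whole directory tree rather than one file at a time, here is an added PowerShell example (not from the original page). It assumes an NTFS volume and a placeholder scan root, and it skips the primary :$DATA stream and the Zone.Identifier stream that Windows writes to downloaded files.

```powershell
# Added example (not from the original page): enumerate NTFS alternate data
# streams under a directory and flag the ones worth a closer look.
# Assumptions: Windows PowerShell 5.1 or PowerShell 7+, an NTFS volume, and a
# placeholder scan root.
param(
    [string]$Root = 'C:\Users\Public'   # placeholder scan root
)

# Streams that are expected on ordinary files and not worth reporting:
# ':$DATA' is the primary stream, 'Zone.Identifier' is the Mark-of-the-Web
# tag Windows writes to downloaded files.
$expected = @(':$DATA', 'Zone.Identifier')

function Get-StreamHeader {
    param([string]$Path, [string]$Stream)
    # Read the first two bytes of the stream so an embedded PE ('MZ') stands out.
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -TotalCount 2
    } else {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -TotalCount 2
    }
    if ($bytes.Count -ge 2) { return [System.Text.Encoding]::ASCII.GetString($bytes) }
    return ''
}

$findings = Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * lists every data stream attached to this $MFT entry.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $expected -notcontains $_.Stream } |
            ForEach-Object {
                $header = Get-StreamHeader -Path $file.FullName -Stream $_.Stream
                [PSCustomObject]@{
                    File        = $file.FullName
                    Stream      = $_.Stream
                    SizeBytes   = $_.Length
                    LooksLikePE = ($header -eq 'MZ')
                }
            }
    }

# Executables tucked into a stream are the highest-priority hits, so list them first.
$findings | Sort-Object -Property @{Expression = 'LooksLikePE'; Descending = $true}, File |
    Format-Table -AutoSize
```

Any file reported with LooksLikePE set to True deserves the same scrutiny as a loose .exe, and a non-empty stream with an unfamiliar name on a document or image is worth extracting and inspecting before the file is trusted.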

Awareness of ADS is crucial during screenshares, as they represent a common technique for concealing malicious payloads.
