Alternate Data Streams
Last updated
Definition
Alternate Data Streams (ADS) are a feature of the NTFS file system that allows data to be stored in hidden streams alongside a file's primary content. This lets additional information be attached to a file without altering its main content or metadata. ADS can be used for legitimate purposes, such as storing metadata or indexing information (for videos, images, or text), but they can also be used to conceal programs; in our case, we are interested in how they are used to help with viruses.
As some of you are aware, you can hide files in Windows by setting the hidden file attribute. Using an ADS isn't the same as hiding a file, because you are writing the data to a different stream of that file. You can think of an ADS as a substructure of the NTFS file system.
As the image above shows, the stream layout is completely different from a FAT file system. Most Windows applications are not able to see ADSs. ADSs can alter metadata, store data inside themselves, and be used in denial-of-service (DoS) attacks.
Alternate Data Streams can be very useful for a couple of reasons:
An ADS is not included in the default file size
It does not change a file's checksum
Data is not lost when encoded in Base64, formatted in FAT32, or compressed using ZIP or TAR files
Volume Change Tracking
Also introduced in Windows 2000, Microsoft decided to implement volume change tracking on NTFS volumes. Volume change tracking allows an application to monitor changes to a volume and take action if necessary. This is very useful for virus scanners, backup applications, and Microsoft's File Replication Service, which is used by the Distributed File System (DFS). Rather than scanning the entire file system to look for modifications, these applications can be notified by NTFS of updates to the change journal. The change journal is stored in an alternate data stream in one of the twelve special metadata files that are created when a volume is formatted. This metadata file stores information about the name of the modified file along with information about what specific change was made.
Unfortunately, ADSs are very well known in the security field, both in virus detection and in malware development. AVs do scan for them, and they are easy to find. Another drawback of ADSs is that if you delete the host file, the stream is deleted with it. Along with this, forensic programs will be able to see ADSs even after they have been deleted from your hard drive. For now, this is all we will talk about; for greater detail and a much deeper understanding, the folks at SANS did a great job covering ADSs at a much deeper level.
Along with the PDF, which goes into great detail, the video that John Hammond made, linked below, is also a great one.
The only two ways to access ADSs in a default Windows install are with Notepad and the type command. The only way in Windows to alter ADSs is with third-party software. Some software includes Streams by Microsoft or one from NirSoft. I have never used NirSoft. However, Streams works well and is what I will be using for this article.
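For the defensive side of the tooling question above, here is an added example (not code from the original article or from Streams) that inventories alternate data streams under a directory with only built-in PowerShell cmdlets and flags streams ordinary files should not carry. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the starting directory and the list of expected stream names are assumptions chosen for illustration.

```powershell
# Added example, not code from the original article: inventory alternate data
# streams under a directory and report streams that ordinary files should not carry.
# Assumptions: Windows PowerShell 3.0+ on an NTFS volume; $Root is an arbitrary
# starting directory chosen for illustration.
param(
    [string]$Root = 'C:\Users\Public'
)

# Streams that are expected on ordinary files and therefore not reported:
# the unnamed default data stream and the Zone.Identifier "mark of the web"
# that browsers and mail clients write on downloaded files.
$Expected = @(':$DATA', 'Zone.Identifier')

function Get-SuspiciousStreams {
    param([string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * enumerates every stream on the file, including the default one.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $Expected -notcontains $_.Stream } |
                ForEach-Object {
                    # Peek at the first line of the stream; an 'MZ' prefix means a PE
                    # image (an executable) has been tucked into the stream.
                    $head = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -TotalCount 1 -ErrorAction SilentlyContinue
                    $head = if ($null -eq $head) { '' } else { [string]$head }
                    [PSCustomObject]@{
                        File        = $file.FullName
                        Stream      = $_.Stream
                        Length      = $_.Length
                        LooksLikePE = $head.StartsWith('MZ')
                        Preview     = $head.Substring(0, [Math]::Min(40, $head.Length))
                    }
                }
        }
}

# Largest streams first: an executable hidden in an ADS is usually far bigger
# than the small metadata streams legitimate software writes.
Get-SuspiciousStreams -Path $Root | Sort-Object Length -Descending | Format-Table -AutoSize
```

The same stream names can be cross-checked against `dir /r` output, which lists every stream's size and name alongside the host file.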