Alternate Data Streams

Identifying Alternate Data Streams on Windows Server.

Posted by Dennis on September 11, 2019

What are Alternate Data Streams?

Alternate Data Streams (ADS) is a file attribute that allows New Technology File Systems (NTFS) to store different streams of data. In a computer file system, a fork is a set of data that is associated with a file system object. The difference between a file system with forks vs. without forks is that it allows multiple sets of data for the contents where as the file system without forks allows only a single set of data for the content. This is important in understanding during malware analysis because in NTFS, this can be used for hidden channels for storing information. Every file with data will have at least one fork (default stream). A file is built upon from a couple of attributes, one which we will be going through is the $DATA attribute.

Lab Example

The following is a practical example of how to find hidden data streams in what appears to be a normal file at first glance. Using Windows Command Prompt, I will list the files contained within the "Documents" folder seen below.

As you can see all files listed in the Documents folder (file1-10.txt) are of equal size (43 bytes). By simply adding "/?" to the command "dir", we are given the various options that are available.

Notice the second last option "/R" will display alternate data streams of the file(s) within the Documents folder.

By issuing the command "dir /R" we can now see new information that was not initially visible to us. "file7.txt" has an alternate data stream which contains another file named "hiddensecret.txt". The byte size also changed from 43 to 50. To view the contents of the hidden data stream, we can issue the command "notepad file7.txt:hiddensecret.txt".

Issuing the command opens up notepad and presents us with the information that was inside of the secret file. As a side note, Malwarebytes Anti-Malware is one of many pieces of software available that scans and deletes alternate data streams.

Final Thoughts

I hope you enjoyed this quick post about ADS. If you want to continue learning about ADS, I recommend reading hasherezade's blog here. You can also learn more about the NTFS file system here. Finally, special thanks to Immersive Labs for the awesome lab conent. You can continue your cyber skill development with there interactive learning environment here.