Alternate Data Streams (ADS) are a feature of the New Technology File System (NTFS) that lets a single file hold several separate streams of data. In file-system terms, a fork is a set of data associated with a file-system object. The difference between a file system with forks and one without is that a forked file system allows multiple sets of data for a file's contents, whereas a file system without forks allows only a single set of data for the content.
This matters during malware analysis because, on NTFS, these extra streams can be used as hidden channels for storing information. Every file with data has at least one fork (the default stream). A file is built up from several attributes; the one we will look at here is the $DATA attribute.
The following is a practical example of how to find hidden data streams in what appears to be a normal file at first glance. Using Windows Command Prompt, I will list the files contained within the "Documents" folder seen below.
As you can see, all files listed in the Documents folder (file1-10.txt) are of equal size (43 bytes). By simply adding "/?" to the "dir" command, we are shown the various options that are available.
Notice the second-to-last option, "/R", which displays the alternate data streams of the file(s) within the Documents folder.
Issuing the command "dir /R" reveals the hidden data. The byte size changes from 43 to 50. To view the contents of the hidden data stream, we can issue the command "notepad file7.txt:hiddensecret.txt".
Issuing that command opens Notepad and presents us with the information that was inside the secret file. As a side note, Malwarebytes Anti-Malware is one of many pieces of software available that scans for and deletes alternate data streams.
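The same check, scripted for a whole folder tree with PowerShell rather than "dir /R" one directory at a time, as an added example that is not part of the original post or the lab. It flags every file carrying a stream other than the default ":$DATA" stream; the folder path, the file name "file7.txt" and the stream name "hiddensecret.txt" are constructed to mirror the walkthrough above.

```powershell
# Added example (not from the original post): list files under a folder that
# carry alternate data streams, the scripted equivalent of "dir /R".
function Find-AlternateDataStreams {
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -LiteralPath $Folder -File -Recurse | ForEach-Object {
        $file = $_
        # "-Stream *" enumerates every stream on the file, including the
        # default unnamed data stream, which is reported as ':$DATA'.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File    = $file.FullName
                    Stream  = $_.Stream
                    Bytes   = $_.Length
                    # first line of the hidden stream, for triage only
                    Preview = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -TotalCount 1
                }
            }
    }
}

# Constructed fixture: a scratch folder with one file that hides a second
# stream, so the function has something realistic to report.
$scratch = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
$sample = Join-Path $scratch 'file7.txt'
Set-Content -LiteralPath $sample -Value 'This is the visible content of the file'
Set-Content -LiteralPath $sample -Stream 'hiddensecret.txt' -Value 'text kept in the ADS'

# Report: File, Stream (hiddensecret.txt), Bytes and Preview for file7.txt.
$findings = Find-AlternateDataStreams -Folder $scratch
$findings | Format-Table -AutoSize

# Remediation for a confirmed finding: drop just the hidden stream and keep
# the file's normal content intact.
foreach ($f in $findings) {
    Remove-Item -LiteralPath $f.File -Stream $f.Stream
}
Remove-Item -LiteralPath $scratch -Recurse -Force
```

Run it in an elevated or normal PowerShell session on an NTFS volume; the same `Get-Item -Stream *` call works on any file, for example `Get-Item .\file7.txt -Stream *` in the Documents folder from the walkthrough.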
Finally, special thanks to Immersive Labs for the awesome lab content. You can continue your cyber skill development with their interactive learning environment here.
1. Hasherezade. "Introduction to ADS – Alternate Data Streams", March 18, 2016. URL: https://hshrzd.wordpress.com/2016/03/19/introduction-to-ads-alternate-data-streams/
2. Microsoft. "How NTFS works", October 08, 2009. URL: https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc781134(v=ws.10)?redirectedfrom=MSDN
3. Immersive Labs. "Immersive Labs", Accessed: September 11, 2019. URL: https://immersivelabs.com/