Alternative Data Streams in NTFS
Alternative Data Stream (ADS) support was added to NTFS (Windows NT, Windows 2000 and Windows XP) to help support Macintosh Hierarchical File System (HFS) which uses resource forks to store icons and other information for a file. ADS provide the ability to put data into existing files and folders without affecting their functionality and size. Alternate data streams allow files to contain more than one stream of data. Every file has at least one data stream. In Windows, this default data stream is called :$DATA.
Using Alternative Data Streams, a user can easily hide files that go undetected unless the system is closely inspected. ADS have earned a bad reputation because their ability to hide data from us on our own computers has been abused by malware writers in the past.
Example
1. First create an empty folder called ADS Particle
2. Then create a text file (text1.txt) in the folder
3. Now create the ADS file
The colon (:) tells Windows to attach ads.txt to text1.txt as an ADS. Any time you see an extra colon in a pathname, you may be dealing with an alternate data stream.
The file is created but is not shown by the dir command or in the folder view, and the file size does not change.
text1.txt itself is unchanged. If text1.txt is copied or moved, the hidden data travels with it.
4. Detect the ADS file
There are many manual and automated tools (Sysinternals Streams, ADS Manager, FlexHEX, FTK Imager) for detecting ADS files. This article uses the ADSSpy v1.1 tool. ADS Spy lets you choose the scan type. Select the created folder to analyze and start the scan. The detected ADS is listed in the output area. Right-click it and select View; the contents of the ADS file are displayed as below.
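The four steps above carried out in PowerShell, as an added example that is not part of the original article: it creates the ADS Particle folder and text1.txt, attaches the ads.txt stream, then checks the three observations the article makes (the stream is absent from a plain listing, the reported size is unchanged, and the stream travels with a copy of the file) and finishes with the detection step using built-in cmdlets instead of ADSSpy. The folder location under $env:TEMP is an assumption; it must be on an NTFS volume.

```powershell
# Added example, not from the original article. Assumes an NTFS volume;
# the location under $env:TEMP stands in for wherever you created the folder.
$folder = Join-Path $env:TEMP 'ADS Particle'
New-Item -ItemType Directory -Path $folder -Force | Out-Null

# Step 2: the visible text file
$file = Join-Path $folder 'text1.txt'
Set-Content -Path $file -Value 'Visible content of text1.txt'
$sizeBefore = (Get-Item -LiteralPath $file).Length

# Step 3: attach ads.txt as an alternate data stream. -Stream is the
# cmdlet form of the colon syntax text1.txt:ads.txt
Set-Content -Path $file -Stream 'ads.txt' -Value 'Hidden text stored in an alternate data stream'

# Observation 1: a normal listing shows only text1.txt
Get-ChildItem -LiteralPath $folder

# Observation 2: Length counts only the default ::$DATA stream, so it is unchanged
$sizeAfter = (Get-Item -LiteralPath $file).Length
"Length before ADS: $sizeBefore, after ADS: $sizeAfter"

# Step 4, detection: enumerate every stream on the file. ':$DATA' is the
# default stream, 'ads.txt' is the hidden one. (cmd.exe equivalent: dir /r "$folder")
Get-Item -LiteralPath $file -Stream * | Select-Object FileName, Stream, Length

# Read the hidden stream back
Get-Content -LiteralPath $file -Stream 'ads.txt'

# Observation 3: the stream travels with the file when it is copied within NTFS
$copy = Join-Path $folder 'text1-copy.txt'
Copy-Item -LiteralPath $file -Destination $copy
Get-Item -LiteralPath $copy -Stream * | Select-Object FileName, Stream, Length
```

The -Stream parameter on Get-Item, Set-Content and Get-Content exists from PowerShell 3.0 onward. Note that streams are an NTFS feature only: copying the file to a FAT32 or exFAT volume, or sending it through a channel that does not preserve streams, keeps the default data stream and silently drops ads.txt.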
Additional
You can also hide a .exe or other file types using ADS. As it turns out, hiding executables with ADS is not much harder than hiding text files. ADS make a great way for malware to hide itself on a system. Here’s an example of how an executable can be hidden behind another file:
There is a tool called NoVirusThanks Stream Detector v1.2. It can scan for ADS and give output like this. It also has a feature to extract ADS files.
The above-mentioned tool also provides a GUI for creating and deleting ADS files.
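A defender-side sweep for the executable-hiding case described above, as an added example that is not part of the original article or of any of the tools it names: it walks a directory tree, lists every alternate data stream, and flags streams whose first two bytes are the "MZ" PE signature, which is how an executable hidden behind an innocuous file shows up. The $Root default path is a hypothetical placeholder; the script needs an NTFS volume.

```powershell
# Added example, not from the original article. Recursively lists every
# alternate data stream under $Root (hypothetical default path) and flags
# streams that begin with the "MZ" PE signature. Requires an NTFS volume.
param([string]$Root = (Join-Path $env:TEMP 'ADS Particle'))

# Windows PowerShell 5.1 reads raw bytes with -Encoding Byte, PowerShell 6+ with -AsByteStream
$byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } } else { @{ Encoding = 'Byte' } }

function Get-AdsReport {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force | ForEach-Object {
        $file = $_
        # Every stream other than the default ':$DATA' stream is an ADS
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $streamName = $_.Stream
                # Read only the first two bytes of the stream to test for a PE header
                $head = @(Get-Content -LiteralPath $file.FullName -Stream $streamName -TotalCount 2 -ErrorAction SilentlyContinue @byteArgs)
                [pscustomobject]@{
                    File        = $file.FullName
                    Stream      = $streamName
                    Bytes       = $_.Length
                    # Zone.Identifier is the usual benign case: the "mark of the web"
                    # that browsers attach to downloaded files
                    MarkOfWeb   = ($streamName -eq 'Zone.Identifier')
                    LooksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                }
            }
    }
}

# Suspicious streams first; anything with LooksLikePE = True deserves a closer look
Get-AdsReport -Path $Root | Sort-Object LooksLikePE -Descending | Format-Table -AutoSize
```

Run it as a script with the root to inspect, for example .\Get-AdsReport.ps1 -Root 'D:\Shares'. Text, video or audio hidden in a stream is reported too, just without the PE flag, so any non-default stream other than Zone.Identifier on a system that should not have any is worth explaining.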
Hiding Videos and other file types
ADS can also hide video, audio and other file formats just as easily.
To run the ADS file created above,