Alternate Data Streams (ADS) are a feature of the NTFS file system. NTFS alternate data streams were originally designed to provide compatibility with the Hierarchal File System (HFS) of Mac Systems. Now, they mainly act as a form of text steganography to hide executables or proprietary content by threat agents. For example, they can provide attackers with a method of hiding hacker tools, keyloggers, and so on, on a breached system without being detected.
Why do Alternate Data Streams exist?
Considering the malicious use of alternate data streams, shouldn’t have we really got rid of them? Well, alternate data streams actually have their benefits too, such as:
- Windows Resource Manager leverages ADS to identify high risk files that shouldn’t be accessed.
- The Windows operating system uses ADS to encrypt and store files in a secure manner.
- The Windows Attachment Manager uses ADS as a file scanner. This explains why sometimes you receive warnings when you open a file downloaded from the Internet.
- The SQL Database server uses ADS to maintain database integrity.
- Anti-virus applications, such as Kaspersky, uses ADS to enhance the scanning of files.
- Citrix’s virtual memory uses ADS to boost DLL loading speed
How to create an NTFS Alternate Data Stream
Did you know you make alternate data streams on your Windows computer? Data hiding in NTFS systems just became a whole lot easier! This short tutorial shows you how to navigate the command prompt, how to find alternate data streams in cmd, and use PowerShell to recover and read the content of alternate data streams.
Step One: Run the Command Prompt on your Windows host PC as an administrator
Step Two: Traverse to the root folder of the drive by using the cd / command.
Step Three: Type the following text echo Hello World! > message.txt:hidden
- This creates a text file called message.txt and adds an alternate data stream with the contents “Hello World!”
Step Four: Type the following command dir
- This command displays the directory list. Does your file appear in the list? What’s the file size?
Step Five: Now type dir /R
- This command re-runs the directory listing, but it will also identify any files with a hidden data stream. Your file should be identified as having hidden data.
Step Six: Using the Windows file explorer, navigate to the c:\ and verify that the file you have just created contains no viewable data by opening the file in Notepad.
Step Seven: Command prompt does not have the ability to read the alternate data stream, but a PowerShell script does.
- Click the Windows (start) button and type PowerShell. Select the Windows PowerShell option.
- In the PowerShell window, type the following
- Get-Content -path “c:\message.txt” -stream hidden
Adding a File to an Alternate Data Stream
In this scenario, let’s call your file “example.exe”.
Step One: Ensure you have a command prompt open (running as an administrator)
Step Two: Type the following text type example.exe > c:\file.txt:example.exe
- This creates a new file called file.txt in the root directory of the c:\ with an ADS called example.exe which will contain the file data.
Delete Alternate Data Stream with "streams"
- Again, in this scenario we’ll refer to your file with an alternate data stream “example.exe”.
Step One: Download the streams utility (from here) and unzip the file to a suitable location.
- e.g. c:\streams
Step Two: Open the command prompt (with administrator privileges) and navigate to the folder where you have just unzipped streams.
Step Three: Type the following text streams – d “c:\[navigation folder(s)]\example.exe”
- Where [nagivation folder(s)] is replaced with your file directory.
Step Four: Confirm the ADS has been removed by typing dir /R