Alternate Data Stream

Last Update: August 25, 2021

Alternate Data Streams

Are you interested in Alternate Data Streams? It is a feature offered by the NTFS file system. In this post, Bestitguide will introduce this feature to you and show you how to use/manage it.

What Are Alternate Data Streams

Alternate Data Streams (ADS) is a file attribute only found on the NTFS file system. It allows each file in the NTFS file system to have multiple data streams, which means that in addition to the primary data stream file, there can also be many non-primary data streams file lodged in the primary data stream file.

  • What is the primary data stream? It is also called the unnamed data stream, referring to the standard content of a file or directory, which is usually visible to users. The primary data stream file is the host file and you can see it in Windows Explorer.
  • What is non-primary data stream? The non-primary data stream is the data stream having a name. These data streams are so-called alternate data streams. They are invisible to users and you can’t see them in Windows Explorer.

What Can You Do with NTFS Alternate Data Streams

Alternate Data Streams were originally designed to be compatible with Macintosh’s HFS+ file system. Using this technology, you can write related data in a file resource (in the form of Alternate Data Streams). And the written data can be extracted using a very simple method. Then, you can read it or even execute it as an independent file.

Alternate Data Streams also has other features, for example:

  • It can identify high risk files that shouldn’t be accessed.
  • The Windows Attachment Manager uses ADS as a file scanner to check whether the downloaded file is safe.
  • The SQL Database server uses ADS to maintain database integrity.
  • Citrix’s virtual memory uses ADS to boost DLL loading speed.
  • Anti-virus applications like Kaspersky use ADS to enhance the scanning technology.
  • It can store data related to the file like keywords, summaries, sound files, images, etc.
  • It can hide files. The Alternate Data Streams files can’t be seen and the host file will not become bigger or have any changes.

However, because the Alternate Data Streams file is covert and executable, many hackers will use it to make viruses.

Creating an Alternate Data Stream

Creating an Alternate Data Stream is not rocket science; it’s extremely easy.

Basic DOS commands like type can be used, in conjunction with the [ > ] redirect symbol and [ : ] colon symbol, to fork a file into another file.

Let’s demonstrate the steps of using ADS to hide information in a file.

Step 1: Open the terminal and create a text file

C:> echo Today is going to be a great day > file1.txt

This command saves the given string to a text file called file1.txt

Step 2: Confirm the contents of the file

Let’s now confirm the contents of the file by using the type command, as shown below.

C:> type file1.txt

Open the terminal and create a text file

Everything is working well, just as expected. Then, let’s check the directory listing.

C:> dir file1.txt

dir file1

Step 3: Append new content to the hidden file

Let’s execute the following command:

C:> echo The sun is all up and the coast is clear > file1.txt:hidden

It appears that we have created a new file called file1.txt:hidden, which is not the case.

We have just created an Alternate Data Stream within the file1.txt file under the name ‘hidden’.

The filenamed file1.txt:hidden does not exist.

In fact, if we try to examine its contents, the Windows prompt will return an error, as illustrated below.

C:> type file1.txt:hidden

type file1.txt:hidden

However, we can reveal the contents of the file, as shown below.

C:> more < file1.txt:hidden

The sun is all up and the coast is clear

Remember, the ‘original’ data stream is still there.

C:> type file1.txt

Yet, when we check the directory, there’s only one file, which is file1.txt.

C:> dir file1*

Here are three interesting points to note about the last directory listing.

  • The timestamp has changed after adding the Alternate Data Stream file to the existing file. That is the only indication that a change has indeed happened.
  • The file size remains unchanged as evidenced by the prefix 36 in file1.txt when checking the directory listing. This implies that you could have many ADS files within a file without your knowledge.
  • Because of the subtle changes, it’s difficult to detect Alternate Data Stream files unless you use a third-party tool.

Detecting Alternate Data Streams

Standard Windows tools provide two tip-offs to an ADS invasion—one of them subtle, the other sometimes blindingly obvious.

The subtle one is the date stamp on the file. While alternate data streams don’t change the reported file size, they do change reported date of file creation. Of course, unless you’ve kept some sort of record of creation dates, or the altered file sits in the middle of a bunch of files created on the same date, this change is very difficult to spot.

The obvious tip-off is when your hard drive suddenly and mysteriously fills up. The added files won’t show up in your directory, but they still take up space on your disk, and that’s reported by chkdsk.

While alternate data streams are very hard to detect with Windows, they’re easy to find with specialized tools. A number of companies and individuals offer tools to track and remove ADS. Because alternate data streams aren’t detected by conventional Windows tools, most ADS detectors use the Windows backup API, which can detect alternate data streams. Usually you must have administrative or backup privileges to run ADS detection software.

  • One of the best-known ADS trackers is List Alternate Data Streams (LADS), a freeware utility from Frank Heyne Software.
    TDS-3, an anti-Trojan program from DiamondCS, can also detect ADS.
  • Another utility to detect streams is Streams from Sysinternals.
  • ADSTools can perform some basic file operations on alternate data streams, as well as detecting them.

Please note that many of the available ADS detectors simply alert you to the existence of alternate data streams, rather than removing them.

Removing Alternate Data Streams

One thing you can’t do on an NTFS Windows computer is turn off alternate data streams. Not only do a lot of applications use ADS; so does Windows itself. There’s no way to disable ADS the way you can disable many unneeded Windows services.

Nor can you simply delete an alternate data stream without deleting the file to which it’s attached. In fact, you can’t use the Windows delete command to get rid of an ADS attached to a root directory (i.e. c:\:badstuff.exe).

Some ADS detection utilities, such as Streams, will automatically delete alternate data streams. However, many of them simply notify you of the existence of alternate data streams.

If your detection utility doesn’t delete alternate data streams, you need to get creative. The great weakness of alternate data streams is that they’re only supported on NTFS. The older FAT filesystems don’t recognize ADS. If you copy a file from an NTFS drive to a FAT drive, any attached ADS will be eliminated. If you’re on an ADS hunt, it might be worthwhile to set up a FAT partition on your system simply to wash files through. These days, most Windows systems use NTFS and aren’t installed with any FAT partitions. However, programs such as Acronis Disk Director will let you create partitions of different file types, including FAT, out of unused space in an existing partition.

Another method of removing an ADS from a file is to do the following from the command line:

ren filename temp.exe

– cat temp.exe > filename

– del temp.exe

where filename is the name of the file with the ADS you want to eliminate.

If the alternate data stream is attached to a directory, you need a different method. Frank Heyne, the author of LADS, suggests a method that relies on using Notepad from Windows NT 4. The method is detailed in the LADS FAQ.