Quick writeup on Alternate Data Streams (ADS). ADS are an NTFS feature (technically, additional named $DATA attributes on a file record) that gives investigators an opportunity to recover evidence that would otherwise be overlooked.
An ADS is an additional stream of data attached to a file (or directory) on an NTFS volume. It is not a separate file: the data lives inside the same file record under its own name, and it is not displayed by Windows Explorer or by a plain dir listing. The intended use is to let a file carry metadata or alternate content that isn't part of the main file contents. NTFS originally added streams to hold Macintosh resource forks, and the one you will meet most often today is Zone.Identifier, the Mark of the Web that browsers write to downloaded files to record where they came from. A text file could likewise carry an ADS with comments about the file, readable by a specific application but never shown as part of the parent's content. There is no restriction on what goes in, however: an ADS can hold any data at all, including pictures, documents or executable code.
What's really interesting about ADS is that data can be hidden in a file without changing the file's reported size or visible content. For example, an adversary can hide malicious code in an ADS attached to a legitimate file. A user could just as easily hide sensitive data in one, although I don't know many users who are aware that ADS exist. Practically, this means we can sometimes extract evidence from ADS during an investigation, because they are a convenient place to stash malware, tooling or staged data. One caveat worth remembering: streams only exist on NTFS, so they are silently dropped when a file is copied to FAT/exFAT media or through a tool that doesn't preserve them, which also makes them a poor hiding place for anything the adversary needs to move off the box.
Creating ADS is usually done in
PowerShell, but can be done in
To display the contents of the ADS, use
If you show the directory listing with
dir /r shows us the ADS:
Notice how the reported size of the parent example.txt file hasn't changed: dir and Explorer report the length of the unnamed (primary) stream only, and everything we wrote is stored in the ADS itself.
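The full create / list / read / delete cycle in one place, as an added example that is not part of the original post. It uses the -Stream parameter that the PowerShell FileSystem provider exposes on Set-Content, Get-Item, Get-Content and Remove-Item, plus the cmd.exe equivalents; the path under $env:TEMP and the stream name "hidden" are illustrative choices.

```powershell
# Added example (not from the original post). Run on an NTFS volume; the file
# path and the stream name "hidden" are illustrative choices.
$file = Join-Path $env:TEMP 'example.txt'
Set-Content -Path $file -Value 'Visible text in the primary (unnamed) stream.'

# Attach an alternate data stream; any name is allowed
Set-Content -Path $file -Stream hidden -Value 'This text lives in an alternate data stream.'

# Reported size counts only the unnamed stream, so the ADS is not included
"Reported size: $((Get-Item -Path $file).Length) bytes"

# Enumerate every stream on the file: ':$DATA' is the primary, 'hidden' is the ADS
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# Read the ADS back through PowerShell ...
Get-Content -Path $file -Stream hidden

# ... or through cmd.exe, which addresses a stream as file:stream
$adsPath = "${file}:hidden"
cmd /c "dir /r `"$file`""        # /r lists the streams next to the file
cmd /c "more < `"$adsPath`""     # redirecting from the stream prints it

# Remove the stream; the primary stream is untouched
Remove-Item -Path $file -Stream hidden
```

Get-Item -Stream * is the quickest way to confirm what dir /r is showing you, and Remove-Item -Stream is the clean way to strip a stream without touching the file's main content. The Sysinternals streams.exe utility does the same job from the command line if PowerShell is not an option.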
ADS is a powerful feature and genuinely useful for a range of applications. The drawback (or benefit, depending on which side you are on) is that executables and scripts can be stored in a stream and launched from there: older Windows versions would run example.txt:evil.exe straight from the start command, and although that direct route is now blocked, the technique is still catalogued as defence evasion (MITRE ATT&CK T1564.004, NTFS File Attributes) because tools and script hosts that accept a file:stream path can still load or execute the content. Something worth thinking about and looking for: dir /r and Get-Item -Stream * will show streams that Explorer never will.
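Turning that into something you can actually run during an investigation: the script below, an added example rather than code from the original post, walks a directory tree and reports every stream that is neither the primary :$DATA stream nor the common benign Zone.Identifier, peeking at the first two bytes so a PE executable (MZ) stands out. $Root, the benign list and the two-byte peek are assumptions to tune for the environment.

```powershell
# Added example (not from the original post): find files under $Root that carry
# alternate data streams other than the primary stream and Zone.Identifier.
# $Root and the benign list are illustrative; tune them to the environment.
$Root   = 'C:\Users'
$Benign = @(':$DATA', 'Zone.Identifier')   # unnamed stream, Mark of the Web

function Get-StreamHead {
    # Return the first two bytes of a stream as text so an executable ('MZ')
    # or a script ('#!', '@e' ...) is visible at a glance. Handles the
    # -Encoding Byte (Windows PowerShell 5.1) vs -AsByteStream (7+) change.
    param([string]$Path, [string]$Stream)
    $splat = @{ LiteralPath = $Path; Stream = $Stream; TotalCount = 2; ErrorAction = 'SilentlyContinue' }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $splat.AsByteStream = $true }
    else                                       { $splat.Encoding     = 'Byte' }
    $bytes = Get-Content @splat
    if ($bytes) { -join ($bytes | ForEach-Object { [char]$_ }) } else { '' }
}

$hits = Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $f = $_
        Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $Benign -notcontains $_.Stream } |
            ForEach-Object {
                [pscustomobject]@{
                    File   = $f.FullName
                    Stream = $_.Stream
                    Bytes  = $_.Length
                    Head   = Get-StreamHead -Path $f.FullName -Stream $_.Stream
                }
            }
    }

# Largest streams first: a multi-kilobyte stream on a .txt or .jpg deserves a look
$hits | Sort-Object Bytes -Descending | Format-Table -AutoSize
```

Zone.Identifier is excluded from the hit list because nearly every downloaded file has one, but don't discard it during an investigation: it records the security zone and, in recent Windows versions, the HostUrl and ReferrerUrl of the download, which is evidence in its own right. Anything the scan does flag can be pulled out with Get-Content -Stream for analysis before it is removed with Remove-Item -Stream.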