NTFS Alternate Data Streams: The Good and the Bad

Alternate Data Streams (ADS) are a feature of the Windows NTFS file system with two faces: a handful of legitimate uses inside Windows, and a long history of abuse for hiding data and code.

In this article, we'll look at both sides so that you know what to expect when you meet them.

What are Alternate Data Streams?

An Alternate Data Stream is a little-known feature of the NTFS file system. Every NTFS file has an unnamed default data stream, which is what you normally read and write; a file can carry any number of additional named streams on top of it. Data can be attached to an existing file in such a stream without changing the size that Explorer and dir report or the way the file behaves.

Think of ADS as a ‘file inside another file’.

ADS has existed in every version of NTFS since Windows NT 3.1 shipped in 1993.

It was originally added so that Windows NT file servers could store Macintosh resource forks, for compatibility with the Macintosh Hierarchical File System (HFS).

Every current Windows version, Windows 10 included, supports the feature on NTFS volumes. FAT32 and exFAT have no streams, so copying a file to such a volume silently drops everything but the default stream.

So, what can you do with Alternate Data Streams?

A stream can hold any kind of data: text, audio, video, images, or executables, including viruses and trojans.

Windows itself uses streams to attach metadata to files. Older versions stored the Summary tab properties (author, title and so on) in a stream, and the Zone.Identifier stream still records where a downloaded file came from.

Streams can also be abused for denial of service: because stream contents are not counted in the file sizes that directory listings show, an attacker can fill a volume with data that no listing accounts for.

Benefits of ADS

Before we look at how an attacker can abuse ADS, let's look at some of the legitimate ways Windows and third-party software use it.

  • File Server Resource Manager (FSRM) stores the classification properties it attaches to files in a stream, so that classification-based access policies can be applied to them.
  • The Encrypting File System (EFS) keeps the per-file key material it needs in an extra stream attached to the encrypted file.
  • The Attachment Manager writes a Zone.Identifier stream (the "mark of the web") to files downloaded from the Internet. That stream is why Windows and Office warn you before opening such a file.
  • Microsoft SQL Server has used streams to help maintain database integrity.
  • Citrix's virtual memory optimization feature stores its DLL rebasing data in a stream to speed up DLL loading.
  • Anti-virus products such as Kaspersky's have used streams to cache scan results, so that files that have not changed are not rescanned.
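The Attachment Manager case is the one you meet most often, so here it is in PowerShell. This is an added example, not code from the original article: it creates a constructed stand-in for a downloaded file in the temp directory, stamps it with a Zone.Identifier stream the way a browser would, reads the mark back, and clears it with Unblock-File. An NTFS volume is assumed.

```powershell
# Added example (not part of the original article): inspect, simulate and clear the
# Zone.Identifier stream that Attachment Manager relies on. Assumes an NTFS volume;
# the file in $env:TEMP is a constructed stand-in for a real download.
$target = Join-Path $env:TEMP 'downloaded-report.docx'
Set-Content -Path $target -Value 'constructed sample file, not a real document'

# Stamp the file the way a browser would: ZoneId=3 is URLZONE_INTERNET.
# Real browsers usually add ReferrerUrl and HostUrl lines as well.
Set-Content -Path $target -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

# This is the data Attachment Manager, SmartScreen and Office Protected View consult.
Get-Content -Path $target -Stream 'Zone.Identifier'

# A file carries the mark only if the stream exists, so probe for it explicitly.
$marked = [bool](Get-Item -Path $target -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue)
"Mark of the web present: $marked"

# Unblock-File deletes the stream (the Unblock checkbox in file properties does the same).
Unblock-File -Path $target
$marked = [bool](Get-Item -Path $target -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue)
"Mark of the web present after Unblock-File: $marked"
```

The second probe prints False: once the stream is gone, nothing on the file records that it ever came from the Internet, which is exactly why attackers like to strip it and why copying a download to a FAT32 USB stick has the same effect.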

Creating an Alternate Data Stream

Creating an Alternate Data Stream is not rocket science; it's extremely easy.

Built-in cmd.exe commands such as echo and type, combined with the > redirect and the file:stream colon syntax, are all it takes to attach data to an existing file.

Let’s demonstrate the steps of using ADS to hide information in a file.

Step 1: Open a command prompt (cmd.exe) and create a text file

C:> echo Today is going to be a great day > file1.txt

This command saves the given string to a text file called file1.txt

Step 2: Confirm the contents of the file 

Let’s now confirm the contents of the file by using the type command, as shown below.

C:> type file1.txt

Today is going to be a great day

Everything is working well, just as expected.

Then check the directory listing, and note the size and timestamp it reports; we will compare them after adding a stream.

C:> dir file1.txt

Step 3: Add a hidden stream to the file

Let’s execute the following command:

C:> echo The sun is all up and the coast is clear > file1.txt:hidden

It looks as though we have created a new file called file1.txt:hidden, but that is not what happened.

We have created an Alternate Data Stream named 'hidden' inside the existing file1.txt.

No file named file1.txt:hidden exists.

In fact, the type command cannot open a stream by name and returns an error, as illustrated below.

C:> type file1.txt:hidden

The filename, directory name, or volume label syntax is incorrect.

However, redirecting the stream into more reveals its contents, because the redirect makes cmd.exe open the path exactly as written, stream name and all.

C:> more < file1.txt:hidden

The sun is all up and the coast is clear

Remember, the ‘original’ data stream is still there.

C:> type file1.txt

Today is going to be a great day

Yet, when we check the directory, there’s only one file, which is file1.txt.

C:> dir file1*

Here are three interesting points to note about the last directory listing.

  1. The modification timestamp changed when the stream was added. In a plain dir listing, that is the only visible sign that anything happened.
  2. The file size is unchanged: the size column still shows 36, the same as before, because dir and Explorer report only the size of the default data stream. A file could carry many streams, of any size, without that number moving.
  3. Streams are therefore easy to overlook, but not invisible. Since Windows Vista, dir /R lists every stream of a file, PowerShell's Get-Item -Stream * does the same, and the Sysinternals Streams tool has done it for even longer.
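The same walkthrough in PowerShell, which has native stream support and needs no third-party tool to list what a file carries. This is an added example, not the article's own commands: it writes the text stream with Set-Content -Stream, copies calc.exe into a second stream through cmd.exe exactly as the article does later (Windows PowerShell 5.1 runs on the .NET Framework, whose file APIs reject file:stream paths), then enumerates, reads and removes streams. It assumes an NTFS volume; the working directory and file name are arbitrary.

```powershell
# Added example (not part of the original article): the create/inspect/remove
# cycle for alternate data streams in PowerShell. Assumes an NTFS volume.
Set-Location $env:TEMP
Set-Content -Path .\file1.txt -Value 'Today is going to be a great day'

# A named text stream, written directly from PowerShell.
Set-Content -Path .\file1.txt -Stream hidden -Value 'The sun is all up and the coast is clear'

# A binary stream holding a copy of calc.exe. cmd.exe is used for the copy because
# the .NET Framework file APIs behind Windows PowerShell reject file:stream paths.
cmd /c "type %SystemRoot%\System32\calc.exe > file1.txt:calc.exe"

# The default stream is untouched, and its size is all that dir and Explorer report.
Get-Content -Path .\file1.txt
(Get-Item -Path .\file1.txt).Length

# Every stream with its real size. ':$DATA' is the unnamed default stream.
Get-Item -Path .\file1.txt -Stream * | Format-Table Stream, Length -AutoSize

# Named streams can be read directly; the 'type' error in the article is a cmd.exe quirk.
Get-Content -Path .\file1.txt -Stream hidden

# cmd.exe can list streams too, since Windows Vista.
cmd /c "dir /R file1.txt"

# Removing one stream leaves the file and its other streams intact.
Remove-Item -Path .\file1.txt -Stream calc.exe
Get-Item -Path .\file1.txt -Stream * | Format-Table Stream, Length -AutoSize
```

The second Format-Table output no longer lists calc.exe, while file1.txt and its hidden stream are still there; Remove-Item -Stream is the clean way to strip a single stream without touching the rest of the file.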

Risks Associated with Alternate Data Streams

Because Alternate Data Streams hide data inside other files, they are a security risk.

An attacker can stash malicious code or a payload in a stream of an innocuous-looking file and later execute it from there, with nothing in a normal directory listing to give it away.

Let’s consider this example.

c:> type c:\windows\system32\calc.exe > file1.txt:calc.exe

The above command copies the Windows calculator into a stream named calc.exe attached to file1.txt.

To launch the hidden copy from its stream, an attacker on Windows XP can simply run the following command.

c:>start c:\file1.txt:calc.exe

Since Windows Vista, start refuses to execute a program straight out of a stream, but that only moves the problem: on versions that still ship wmic, `wmic process call create "c:\file1.txt:calc.exe"` launches it, and scripts and DLLs stored in streams can be fed to their usual hosts.

Now suppose that was not calc.exe but real malware: the payload sits in an unremarkable text file, invisible to anyone who only looks at names and sizes.

Conclusion

The greatest challenge with Alternate Data Streams is that they are easy to overlook: the standard tools do not surface them by default, so a stream used for nefarious purposes can sit unnoticed for a long time. They are not undetectable, though. dir /R, PowerShell's Get-Item -Stream * and the Sysinternals Streams tool all list them, and endpoint protection products scan them.

Additionally, ADS cannot be turned off; it is part of NTFS itself. The only thing that strips streams is moving the file to a file system that does not have them, such as FAT32 or exFAT.

Therefore, the practical control is detection rather than prevention: audit streams on user-writable paths, and alert when an executable is written to, or launched from, a stream.
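What that audit looks like in practice, as an added example that is not part of the original article: a PowerShell function that walks a directory tree, lists every named stream except the expected Zone.Identifier noise, and flags streams whose first two bytes are the MZ header of a Windows executable. It assumes an NTFS volume; the root path is a placeholder, and the MZ check is a simple heuristic of this example, not an anti-virus verdict.

```powershell
# Added example (not from the original article): hunt a directory tree for named
# alternate data streams and flag those that look like executables. Assumes an
# NTFS volume; the root path below is a placeholder and the MZ check is a heuristic.
function Find-AlternateStreams {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string[]] $IgnoreStreams = @('Zone.Identifier')   # mark-of-the-web is expected noise
    )
    # Windows PowerShell 5.1 reads raw bytes with -Encoding Byte; PowerShell 7 uses -AsByteStream.
    $byteRead = @{ Encoding = 'Byte' }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $byteRead = @{ AsByteStream = $true } }

    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $IgnoreStreams } |
        ForEach-Object {
            # Peek at the first two bytes: 'MZ' (0x4D 0x5A) opens every PE image.
            $head = @(Get-Content -LiteralPath $file.FullName -Stream $_.Stream -TotalCount 2 @byteRead -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                File        = $file.FullName
                Stream      = $_.Stream
                Length      = $_.Length
                LooksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                LastWrite   = $file.LastWriteTime
            }
        }
    }
}

# Report first; the path is an assumption, use any NTFS directory you want to audit.
$findings = Find-AlternateStreams -Root 'C:\Users\Public'
$findings | Format-Table File, Stream, Length, LooksLikePE, LastWrite -AutoSize

# Remove only what you have reviewed; drop -WhatIf to act.
$findings | Where-Object LooksLikePE | ForEach-Object {
    Remove-Item -LiteralPath $_.File -Stream $_.Stream -WhatIf
}
```

Run against the file1.txt from the earlier steps, the report shows the hidden stream with LooksLikePE False and the calc.exe stream with LooksLikePE True and a length matching the real calc.exe, while the file's own size in Explorer stays at a few dozen bytes. Scheduling this over user-writable paths, and feeding the LooksLikePE hits to your SIEM, turns the "hard to detect" property of streams into a routine check.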
