In NTFS (New Technology File System), a file consists of different data streams. One stream holds the security information. Another stream holds the "real data" you expect to be in a file. Another has link information instead of the real data stream if the file actually is a link. And there may be an alternate data stream (ADS), which holds data the same way the standard data stream does.

Alternate Data Streams (ADS) are a feature of the Windows NTFS file system which has the ability to fork (hide) file data into existing files and folders (directories) without affecting their functionality or size. ADS capabilities were originally conceived to allow for compatibility with the Macintosh Hierarchical File System (HFS), where file information is sometimes forked into separate resources.
ADS are used legitimately by a variety of programs, including the native Windows operating system, to store file information such as attributes and temporary storage. ADS is used to store icons and other file information such as attributes in a hidden stream that instructs the system how to use the data contained in the file. They typically have the following characteristics:
- NTFS streams are only visible to specialized software.
- Streams can attach themselves to directories as well as files.
- Disk space used by streams is not reported by programs such as Windows Explorer or commands such as 'DIR'.
- Streams can be executed, and executed streams' filenames are not displayed correctly in Task Manager.
ADS also provides hackers with a method of hiding rootkits or hacker tools on a breached system and allows them to be executed without being detected by conventional anti-virus and anti-malware scanners. Files with an ADS are almost impossible to detect and do not show in Windows Task Manager. ADS can be executed by using commands or be scripted within scripting languages like VB or Perl. Once injected, the ADS executable will appear to run as the original file. Using this method allows hackers to not only hide a file but also to hide the execution of an illegitimate process. However, both legitimate programs and malware can exhibit rootkit-like behavior or hook into the OS.
ADS are extremely easy to make and require little or no skill on the part of a legitimate creator or hacker. Common DOS commands like type are used to create an ADS. These commands are used in conjunction with a redirect [>] and colon [:] to fork one file into another. As such, further investigation is required to determine if the ADS is legitimate or not.
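Because streams are invisible to Explorer and 'DIR' (the characteristics listed above) and are trivial to create with a redirect and colon (as this paragraph describes), the practical defensive step is to enumerate them with the "specialized software" the text mentions. The following PowerShell script is an added example, not part of the original article: it builds a throwaway file under $env:TEMP with a constructed alternate stream (the PowerShell equivalent of the 'type' redirect), then walks a directory tree with Get-Item -Stream * and reports every stream other than the default ::$DATA stream and a short list of streams Windows itself commonly writes. The directory name, file name, stream name and the benign-stream list are assumptions chosen for the demonstration; the cmdlets and their -Stream parameters are standard PowerShell 3.0+ on NTFS volumes.

```powershell
# Added example (not from the original article): enumerate NTFS alternate data
# streams so an analyst can review them. Assumes Windows, PowerShell 3.0+ and an
# NTFS volume. A throwaway file with a constructed ADS is created under $env:TEMP
# so the script has something to find; it is removed at the end.

$demoDir  = Join-Path $env:TEMP 'ads-demo'      # assumed demo location
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$demoFile = Join-Path $demoDir 'report.txt'     # assumed demo file name
Set-Content -Path $demoFile -Value 'visible content'
# Constructed sample stream. The cmd.exe equivalent using the redirect [>] and
# colon [:] described in the text would be: type extra.txt > report.txt:hidden.txt
Set-Content -Path $demoFile -Stream 'hidden.txt' -Value 'content stored in an alternate stream'

function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Streams Windows itself commonly writes (e.g. Zone.Identifier on downloads);
        # assumed allow-list, skipped so that unexpected streams stand out.
        [string[]] $KnownBenign = @('Zone.Identifier', 'SmartScreen')
    )
    # Directories can carry streams too (second characteristic in the text), so the
    # walk includes them; -Force also picks up hidden and system items.
    Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {
        $item = $_
        # Get-Item -Stream * lists every stream; ':$DATA' is the normal data stream.
        # Items with no streams (e.g. plain directories) raise an error we suppress.
        Get-Item -Path $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $KnownBenign -notcontains $_.Stream } |
            ForEach-Object {
                [pscustomobject]@{
                    File        = $item.FullName
                    Stream      = $_.Stream
                    StreamBytes = $_.Length        # space Explorer and DIR do not report
                    IsDirectory = $item.PSIsContainer
                }
            }
    }
}

$findings = Find-AlternateDataStreams -Path $demoDir
$findings | Format-Table -AutoSize

# Read the first lines of each flagged stream; the text notes that further
# investigation is needed to decide whether a stream is legitimate.
foreach ($f in $findings) {
    Write-Host "--- $($f.File):$($f.Stream) ---"
    Get-Content -Path $f.File -Stream $f.Stream | Select-Object -First 5
}

# Deleting a file removes all of its streams with it; clean up the demo tree.
Remove-Item -Path $demoDir -Recurse -Force
```

On a real system run Find-AlternateDataStreams against a user profile or a suspect directory rather than the demo folder, and expect Zone.Identifier on most downloaded files; the interesting findings are streams with executable content, unusual names, or sizes far larger than the file's visible size. The same listing is available from cmd.exe with 'DIR /R', and Sysinternals 'streams' gives an equivalent view; a scheduled run of any of these, with results compared against a previous baseline, turns the "only visible to specialized software" characteristic into a routine check rather than a blind spot.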