NTFS Streams Info: Guide to Hidden Alternate Data Streams

The New Technology File System (NTFS) is the standard file system for modern Windows operating systems. While most users only interact with a file’s primary data content, NTFS contains a powerful, hidden feature known as Alternate Data Streams (ADS). This guide explores what ADS is, how it works, how to detect it, and its security implications.

What are Alternate Data Streams?
Every file on an NTFS volume consists of multiple attributes, such as the file name, creation date, and permissions. The actual content of the file is stored in a data stream.
By default, files have one unnamed data stream, which holds the primary content you see when you open a document or run a program. However, NTFS allows files to contain multiple, named data streams attached to a single file entry. These additional forks are called Alternate Data Streams.
When you look at a file in Windows File Explorer, you only see the size and properties of the main unnamed stream. The data hidden inside an ADS does not change the visible file size, modify its hash value, or alter its appearance in standard file management tools.

Common Uses of ADS
Alternate Data Streams are not malicious by design; they were introduced to provide compatibility with the Apple Macintosh Hierarchical File System (HFS), which uses resource forks. Today, Windows and various software applications use ADS for legitimate background tasks.

Zone.Identifier (Mark of the Web)
The most common implementation of ADS is the “Mark of the Web.” When you download a file from the internet, Windows automatically attaches an ADS named Zone.Identifier to the file. This stream contains metadata indicating the file originated from an untrusted zone. When you try to execute the file, Windows reads this stream and displays a security warning.

Program Metadata
Some backup software, antivirus programs, and database engines use ADS to store tracking information, document summaries, or thumbnails without altering the core file data.

The Security Risks of ADS
Because Alternate Data Streams are invisible to standard user interfaces, they have historically been exploited by malware authors and attackers for evasion techniques.

Hiding Malicious Payloads
An attacker can hide executable code, scripts, or configuration files inside the ADS of a completely benign text or image file. For example, a file named readme.txt could secretly harbor a malicious executable within an alternate stream.

Bypassing Detection
Older or poorly configured security tools only scan the primary data stream of a file. If an antivirus scanner does not explicitly inspect alternate forks, hidden malware can sit undetected on a storage drive.

How to Work with ADS (Hands-On Guide)
You can interact with Alternate Data Streams using the Windows Command Prompt (cmd.exe) or PowerShell.

Creating an Alternate Data Stream
To create a hidden stream inside a standard text file using the Command Prompt, use the colon (:) operator to separate the filename from the stream name:
echo This is the visible text > regular.txt
echo This is hidden data > regular.txt:secretstream.txt
If you open regular.txt in Notepad, you will only see “This is the visible text.”

Reading an Alternate Data Stream
To view the hidden content, you must explicitly target the named stream:
notepad regular.txt:secretstream.txt

Detecting Hidden Streams
Standard directory listings (dir) do not display ADS. To reveal them in the Command Prompt, use the /R parameter:
dir /R
This command lists all files alongside their associated alternate streams and their respective sizes.
In PowerShell, you can achieve the same result using the Get-Item cmdlet with -Stream *, which lists every stream of the file, including the unnamed primary stream (shown as :$DATA):
Get-Item regular.txt -Stream *

Removing an Alternate Data Stream
If you want to strip a hidden stream from a file without deleting the main file, use PowerShell’s Remove-Item cmdlet:
Remove-Item regular.txt -Stream secretstream.txt

Conclusion
Alternate Data Streams are a fundamental architectural feature of the NTFS file system. While they provide necessary metadata handling for Windows features like the Mark of the Web, they also represent a hidden layer where data can be concealed from casual observation. Understanding how to audit and manage these streams is an essential skill for system administrators and cybersecurity professionals alike.
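As an added example of such an audit (my code, not part of the original guide), the following PowerShell script walks a directory tree, lists every named stream on every file, and flags stream names that are not on an allow-list of known-benign streams; the root path and the allow-list are assumptions to adapt to your environment.

```powershell
# Added example, not from the original guide: audit a directory tree for
# alternate data streams and flag names missing from an allow-list.
# Assumes Windows PowerShell 5.1 or later on an NTFS volume; $Root and the
# allow-list are assumptions to adapt to your environment.

function Get-AdsReport {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [string[]] $AllowedStreams = @('Zone.Identifier')   # assumed benign names
    )
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * also returns the unnamed ':$DATA' stream; drop it so only
            # true alternate streams remain (single quotes keep $DATA literal).
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File    = $file.FullName
                        Stream  = $_.Stream
                        Length  = $_.Length
                        Allowed = ($AllowedStreams -contains $_.Stream)
                    }
                }
        }
}

function Get-ZoneId {
    # Read the ZoneId line from a file's Zone.Identifier stream (3 = Internet zone).
    param([Parameter(Mandatory)] [string] $Path)
    $text = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    foreach ($line in @($text)) {
        if ($line -match '^ZoneId=(\d+)') { return [int]$Matches[1] }
    }
    return $null
}

# Usage: list unexpected streams, largest first, then show Mark-of-the-Web zones.
$report = Get-AdsReport -Root 'C:\Users\Public\Downloads'   # assumed starting path
$report | Where-Object { -not $_.Allowed } |
    Sort-Object Length -Descending |
    Format-Table File, Stream, Length -AutoSize

$report | Where-Object { $_.Stream -eq 'Zone.Identifier' } |
    ForEach-Object { '{0}: ZoneId={1}' -f $_.File, (Get-ZoneId -Path $_.File) }
```

Files that cannot be opened (locked or access-denied) are skipped silently by -ErrorAction SilentlyContinue, so run the audit with sufficient rights and review what was not read; once a flagged stream has been copied out for analysis, the guide's Remove-Item -Stream command strips it from the file.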