Alternate Datastreams
Last updated
The NTFS file system includes support for alternate data streams (ADS). This is not a well-known feature; it was included primarily to provide compatibility with files from the Macintosh file system, whose files have separate data and resource forks. Alternate data streams allow a file to contain more than one stream of data. Every file has at least one data stream; in Windows this default, unnamed data stream is called :$DATA.
Windows Explorer doesn't provide a way of seeing which alternate data streams a file contains (or a way to remove them without deleting the file), but they can be created and accessed easily from the command line. Because they are difficult to find, they are often used by hackers to hide files on machines they have compromised (for example, files belonging to a rootkit). Executables stored in alternate data streams can be launched from the command line, but they will not show up in Windows Explorer (or in the console), and the size reported for the host file does not include them.
Alternate data streams can be used to attach extra information to a file, for example:
an image file
an executable file
thumbnail info
metadata about the actual file
encrypted or hidden info
The ADS is stored as an additional $DATA attribute of the file's NTFS record, so it travels with the file on NTFS volumes but is silently dropped when the file is copied to a file system that does not support streams (such as FAT).
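As an added example (not from the original page), the check an administrator would run to see what Explorer does not show: a PowerShell script that lists every non-default stream under a directory, flags the common benign Zone.Identifier stream, and shows how a stream can be read and removed without deleting the host file. It assumes PowerShell 3.0 or later on an NTFS volume; the scan path is a placeholder.

```powershell
# Added example, not the original page's code. Assumes PowerShell 3.0+ on NTFS.
param(
    [string]$Root = "C:\Users\Public"   # placeholder: directory to scan
)

function Get-AlternateStreams {
    param([string]$Path)

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns every stream; the default, unnamed stream is reported as ':$DATA'
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        # Zone.Identifier is the mark-of-the-web written by browsers; anything else
                        # deserves a closer look, especially large streams on otherwise small files
                        Note   = if ($_.Stream -eq 'Zone.Identifier') { 'mark-of-the-web (usual)' }
                                 else { 'REVIEW' }
                    }
                }
        }
}

$found = Get-AlternateStreams -Path $Root
$found | Sort-Object Bytes -Descending | Format-Table -AutoSize

# Inspecting one stream: read its contents as text without touching the host file's data.
# (For a stream flagged REVIEW, the first bytes of the output tell you what kind of data it holds.)
foreach ($s in ($found | Where-Object { $_.Note -eq 'REVIEW' })) {
    Write-Host "`n== $($s.File):$($s.Stream) ($($s.Bytes) bytes) =="
    Get-Content -LiteralPath $s.File -Stream $s.Stream -TotalCount 5 -ErrorAction SilentlyContinue
}

# Removing a single stream keeps the host file intact, which Explorer cannot do.
# Uncomment once the stream has been reviewed:
# Remove-Item -LiteralPath $s.File -Stream $s.Stream
```

Run it against a user-writable directory first; `Get-ChildItem -Force` includes hidden files, so the scan covers the locations where dropped streams usually sit.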
TBD