Alternate Data Streams (ADS) are part of the NTFS file system in Windows operating systems. They are not included in the FAT and FAT32 file systems. ADSs were originally included in NTFS to provide compatibility with the Macintosh File System.
What is an ADS?
Every file has a primary data stream called :$DATA. This stream contains the information we are used to seeing, such as the content of a word processor file or plain text document. The ADS is another data stream (file) which can be attached to the primary data stream (file). It contains information which is not typically accessible to the computer’s user and is not visible in programs such as Windows Explorer. The command line command DIR was not able to list ADSs prior to Windows Vista. From Vista onwards, the /r switch can be added to the DIR command (dir /r) in order to list ADSs, albeit in a somewhat crude format.
So what are they used for?
Most frequently, ADSs are used as meta data (data about data) relating to the main file (or stream). For example, a typical ADS would be a Zone.Identifier. This contains information relating to the file’s source. “Internet” is a very common example of a source. You will see many examples of these files when you use the ADS tab in PCFerret. It is worth noting at this point that a Zone.Identifier should contain information relating to the primary file’s source, but in reality, it could contain anything, including an executable program which has been maliciously placed there. But don’t worry, PCFerret can detect this and make you aware of it.
Should I worry if a lot of my files have an ADS associated with them?
No. There are many legitimate reasons for files to have ADSs.
Are ADSs a threat?
They can be. This is why PCFerret scans for them. An ADS can, for example, contain an executable program which can be executed nefariously. With PCFerret, you can view the contents of ADSs and if PCFerret detects anything odd about them, it will inform you. If an ADS contains a video or image, it will play or display it for you if it is a common type, otherwise, PCFerret will warn you of its presence but not display it.
Examples of ADSs
If you wish to experiment with ADSs, here is an example of how to create one. In order to follow this example, you will need to create a command line prompt. In order to do this, press the Windows Key and the letter R key simultaneously. This will result in a Run dialog box appearing. In the dialog box, type cmd then click or tap on the OK button.
Creating an ADS
First, use Notepad to create and save a simple text file called ADSCarrier.txt containing any text you wish. Then, type the following on the command line;
echo This is the content of my newly created ADS file > ADSCarrier.txt:MyHiddenFile.txt
Next, press Enter.
Now you have created an ADS with the file name of MyHiddenFile.txt, containing the text, “This is the content of my newly created ADS file.” This ADS is now invisibly attached to the file you created using Notepad called, ADSCarrier.txt. Try experimenting by using other file types to create your ADSs. There are plenty of online tutorials which demonstrate further examples. Now you can use PCFerret to view the contents of the ADS you just created. Remember, if you need help, press the F1 button within PCFerret.
Can I separate an ADS from the main file?
Yes. PCFerret gives you an option to do this. While on the ADS tab in PCFerret, right click on the file with the ADS you wish to view and select the appropriate option from the resultant menu.
Want to learn more? Check out these excellent books on computer security.
Purchases from here, help to keep PCFerret free!