Written on February 1st, 2023 by Felix Halim

🔍 What is ADS?

Alternate Data Streams (ADS) are a feature of the NTFS file system which allows additional data to be stored in a file alongside the main data. This data is not visible when the file is viewed normally and is often used by malware to conceal malicious files.

On a modern Windows system, what we access as a file is, in NTFS terms, a file stream. A file stream is simply a sequence of bytes containing data together with metadata. Take a text file as an example: the data shown when we view it with the cat command or Notepad is what we call the Default Data Stream. In this case, however, we are particularly interested in the “hidden” one, the Alternate Data Stream.
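As an added example of the stream model just described (this is not code from the original post), the following PowerShell session creates a file with a default data stream and one alternate data stream, then shows what each cmdlet sees. The file name, stream name and contents are constructed for the demo; it assumes an NTFS volume and PowerShell 5.1 or later on Windows.

```powershell
# Added example, not part of the original post.
# Assumes an NTFS volume and PowerShell 5.1+ on Windows.
# The file name, stream name and contents are constructed for this demo.

$demo = Join-Path $env:TEMP 'ads_demo.txt'

# Write the default data stream (what Notepad, cat/Get-Content show).
Set-Content -Path $demo -Value 'visible text' -NoNewline

# Write an alternate data stream named "hidden" on the same file.
Set-Content -Path $demo -Stream 'hidden' -Value 'text stored in an ADS' -NoNewline

# 1. A normal read returns only the default stream.
Get-Content -Path $demo

# 2. The size reported for the file counts only the default stream,
#    so the ADS contents do not show up in directory listings either.
(Get-Item -Path $demo).Length

# 3. Enumerate every stream on the file. ':$DATA' is the unnamed default
#    stream; anything else listed is an alternate data stream.
Get-Item -Path $demo -Stream * | Select-Object Stream, Length

# 4. Read the alternate stream explicitly by name.
Get-Content -Path $demo -Stream 'hidden'

# 5. Remove just the alternate stream; the default stream is unaffected.
Remove-Item -Path $demo -Stream 'hidden'
Get-Item -Path $demo -Stream * | Select-Object -ExpandProperty Stream

# Clean up the demo file.
Remove-Item -Path $demo
```

`Get-Item -Stream *` reports the unnamed default stream as `:$DATA`; every other entry is an alternate stream. Note that `Length` on the plain `Get-Item` result counts only the default stream, which is why a normal directory listing gives no hint that an ADS exists.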

🤔 Why is there such a thing?

Historically, the ADS feature was developed to support compatibility with files on the Macintosh Hierarchical File System (HFS), where file information is sometimes split, or forked, into separate resources.

🫥 How can it be dangerous?

As you can tell, this data stream could be leveraged by adversaries to store hidden data, which we hope is not malicious. But, adversaries being adversaries, they could use it for malware, storing a malicious payload inside an otherwise legitimate-looking file to evade security checks. The malicious code need not be stored in its full form, since a payload can be broken into multiple streams. One real-world case was seen in the BitPaymer ransomware; follow the link below for more details.
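From the defender's side, the practical question is how to find files that carry alternate streams at all. The following function is an added example (not code from the original post or from the BitPaymer analysis) that walks a directory tree and reports every non-default stream, skipping the well-known `Zone.Identifier` stream that browsers write on downloaded files. The `$Root` parameter, the allow-list and the test tree it builds are assumptions constructed for the demo; it assumes an NTFS volume and PowerShell 5.1 or later on Windows.

```powershell
# Added example, not part of the original post.
# Assumes an NTFS volume and PowerShell 5.1+ on Windows.
# The ignore list is an assumption for the demo, not an authoritative list of benign streams.

function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Zone.Identifier (Mark-of-the-Web) is expected on downloaded files;
        # any other stream name deserves a closer look.
        [string[]] $IgnoreStreams = @('Zone.Identifier')
    )

    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every stream; ':$DATA' is the default data stream.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $IgnoreStreams } |
                ForEach-Object {
                    [pscustomobject]@{
                        File         = $file.FullName
                        Stream       = $_.Stream
                        StreamBytes  = $_.Length
                        # The size Explorer/dir report counts only the default stream,
                        # which is why ADS contents are easy to miss.
                        VisibleBytes = $file.Length
                        LastWrite    = $file.LastWriteTime
                    }
                }
        }
}

# Constructed test tree so the function has something to find.
$root = Join-Path $env:TEMP 'ads_hunt_demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null

# A downloaded-looking file: its only ADS is Zone.Identifier, so it is ignored.
Set-Content -Path (Join-Path $root 'report.txt') -Value 'quarterly numbers'
Set-Content -Path (Join-Path $root 'report.txt') -Stream 'Zone.Identifier' -Value '[ZoneTransfer]'

# A file whose default stream looks harmless but which carries two extra streams
# (constructed text standing in for data split across streams).
Set-Content -Path (Join-Path $root 'notes.txt') -Value 'nothing to see'
Set-Content -Path (Join-Path $root 'notes.txt') -Stream 'part1' -Value 'constructed sample, first fragment'
Set-Content -Path (Join-Path $root 'notes.txt') -Stream 'part2' -Value 'constructed sample, second fragment'

# Only notes.txt:part1 and notes.txt:part2 should be reported.
Find-AlternateDataStreams -Root $root | Format-Table -AutoSize

# To pull a flagged stream out for offline analysis, read it by name:
# Get-Content -LiteralPath (Join-Path $root 'notes.txt') -Stream 'part1' -Raw

# Clean up the demo tree.
Remove-Item -Path $root -Recurse -Force
```

Run it against a directory you are triaging and review each reported stream name and size; a large or oddly named stream on a small, innocuous-looking file is the pattern worth investigating. The same listing can be obtained without PowerShell using `cmd /c dir /R`, which prints stream names next to each file.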

How BitPaymer ransomware covers its tracks

Sample Use-Case

In this blog post, I will discuss one of the use cases, drawn from the CSIT mini forensics challenge which I completed a few hours ago.


<aside> 🤖 You could also try to complete the challenge here or download the challenge file below

special_hong_bao.7z

</aside>

In this challenge, we were given a compressed file that contains a .txt text file.


When we open the file in Notepad, all we get is the string “$2”, which gives no information about the flag. 😩


Upon reading articles regarding ADS on the Malwarebytes blog, I found that Windows PowerShell is able to read the ADS.

Introduction to Alternate Data Streams | Malwarebytes Labs

The basic command to see information about ADS is