ADS

ADS (Alternate Data Streams)

Alternate Data Streams (ADS) are a file attribute found only on NTFS (New Technology File System).

In this file system, a file is built up from a couple of attributes; one of them is $Data, also known as the data attribute.

The regular data stream of a text file simply contains the text inside that file.

But that is only the primary data stream.

This one is sometimes referred to as the unnamed data stream, since the name string of this attribute is empty (“”). Any data stream that has a name is therefore considered alternate.

These data streams suffer from a bad reputation because they have been used and abused to write hidden data, varying from data about where a file came from to complete malware files (e.g. Backdoor.Rustock.A).

ADS are stored inside the NTFS MFT (Master File Table), next to other file attributes such as creation time and date.

Use FTK Imager to identify ADS info.
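Named streams can also be listed on a live system with the built-in `dir /R` command, which prints each one as `file:stream:$DATA`. The script below is an added example, not part of the original page: it parses such a listing and separates the origin marker (`Zone.Identifier`) from other named streams. The sample listing, the function names and the triage rule are assumptions made for this illustration.

```python
import re
from typing import NamedTuple

# Constructed sample of English-locale `dir /R` output; not from a real host.
SAMPLE = r"""
 Directory of C:\Users\alice\Downloads

01/15/2024  09:12 AM             1,024 invoice.pdf
                                    26 invoice.pdf:Zone.Identifier:$DATA
01/15/2024  09:30 AM                12 notes.txt
                                48,640 notes.txt:hidden.bin:$DATA
01/15/2024  09:31 AM                 0 quarterly report.docx
"""

class Stream(NamedTuple):
    path: str   # file that owns the stream
    name: str   # stream name (never empty: the unnamed stream is the file itself)
    size: int   # stream size in bytes

DIR_LINE = re.compile(r"^\s*Directory of (.+?)\s*$")
# "<size> <file>:<stream>:$DATA"; a stream name cannot contain ':', '\' or '/'.
ADS_LINE = re.compile(r"^\s*([\d,.]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")

def parse_dir_r(text):
    """Return every named (alternate) stream listed in `dir /R` output."""
    current_dir, found = "", []
    for line in text.splitlines():
        if m := DIR_LINE.match(line):
            current_dir = m.group(1)
        elif m := ADS_LINE.match(line):
            size = int(re.sub(r"[,.]", "", m.group(1)))  # drop thousands separators
            path = f"{current_dir}\\{m.group(2)}" if current_dir else m.group(2)
            found.append(Stream(path, m.group(3), size))
    return found

def triage(streams):
    """Assumed heuristic: Zone.Identifier records where a file came from;
    any other named stream is queued for manual review."""
    return [(s.path, s.name,
             "origin-marker" if s.name.lower() == "zone.identifier" else "review")
            for s in streams]

if __name__ == "__main__":
    for row in triage(parse_dir_r(SAMPLE)):
        print(*row, sep="  ")
```

Files without a named stream, such as `quarterly report.docx` in the sample, produce no entry because only their unnamed stream is listed.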
