Imagine a digital file cabinet

Think of your computer’s hard drive as a giant file cabinet. Inside, you have folders (like drawers) and files (like documents). Normally, when you create a file, it has a name (like “MyReport.docx”) and some content (the actual report). That content is the file’s main data stream.

Introducing Alternate Data Streams (ADS)

Hidden compartments in your files

Now, imagine that each of these files also has a secret, hidden compartment attached to it. This compartment is called an “Alternate Data Stream” (ADS). It’s like a secret pocket inside the file’s folder.

  • Invisible to most people: When you look at the file in Windows Explorer, you only see the main file and the size of its main stream. You don’t see the ADS or how much data it contains. It’s effectively hidden in plain sight.
  • Still part of the original file: Even though it’s hidden, the ADS is still attached to the original file. If you delete the main file, the ADS is deleted with it. ADS are an NTFS feature, so copying the file to a file system that doesn’t support them (for example FAT32) keeps the main stream but drops the hidden one.
  • How it’s used to hide files: You can store any kind of data in an ADS, including entire files. So, someone could take a picture, a program, or any other file and hide it inside the ADS of another, seemingly innocent file, like a text document or an image.

Example

Let’s say you have a picture called “family_photo.jpg”. Someone could hide a secret document called “secret_plans.txt” inside the ADS of “family_photo.jpg”. When you look at “family_photo.jpg”, you just see a normal picture. You wouldn’t know that “secret_plans.txt” is hidden inside it.

How this can be misused (and how to defend against it)

  • Malware: Attackers can use ADS to hide malicious programs (malware). This makes them harder to spot for antivirus and other tools that only inspect a file’s main stream.
  • Data exfiltration: Someone could steal sensitive data and hide it in an ADS to avoid detection when transferring the carrier file out of a network.

How to detect ADS

Standard Windows tools like File Explorer don’t show ADS. You need special tools or command-line commands to see them. Here are a couple of ways:

  • Command Prompt (using dir /r): Open the Command Prompt and navigate to the directory containing the file you want to check. Then, run dir /r. This lists any ADS attached to the files in that directory, each on its own line with its size. The ADS name is shown after the main file name, separated by a colon (:), followed by the stream type (e.g., family_photo.jpg:secret_plans.txt:$DATA).
  • Specialized tools: There are free and commercial tools available that can scan for and manage ADS.
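To show what the dir /r check above looks like in practice, here is a small added example (not part of the original article): a Python script that reads the text dir /r prints, picks out the stream lines, and reports which files carry an ADS and how many bytes it holds. The dir /r output embedded below is constructed for the example (US-style dates and thousands separators), with the family_photo.jpg / secret_plans.txt pair from earlier in the article plus a Zone.Identifier stream, which Windows itself adds to downloaded files and is normally benign.

```python
"""Report Alternate Data Streams from the output of `dir /r`.

Added example (not the article's code). On a real system, run `dir /r` in the
folder you want to check and pass its output to parse_dir_r().
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Streams Windows creates on its own and that are usually benign.
# Zone.Identifier records where a downloaded file came from ("Mark of the Web").
WELL_KNOWN_STREAMS = {"Zone.Identifier"}

# A `dir /r` line: optional date/time columns, a size with thousands separators,
# then the name. Stream lines carry no date/time, only the size and the name.
_LINE = re.compile(r"^(?:\s*\S+\s+\S+\s+[AP]M)?\s*([\d,]+)\s+(.+?)\s*$")

# Constructed sample of what `dir /r` prints; not captured from a real machine.
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Directory of C:\\Users\\alice\\Pictures

01/15/2024  10:30 AM    <DIR>          .
01/15/2024  10:30 AM    <DIR>          ..
01/15/2024  10:28 AM            48,213 family_photo.jpg
                                 1,024 family_photo.jpg:secret_plans.txt:$DATA
01/15/2024  10:29 AM           102,400 installer.exe
                                    26 installer.exe:Zone.Identifier:$DATA
01/15/2024  10:29 AM             2,048 notes.txt
               3 File(s)        152,661 bytes
"""


@dataclass
class AdsEntry:
    file: str        # carrier file, e.g. family_photo.jpg
    stream: str      # hidden stream name, e.g. secret_plans.txt
    size: int        # bytes stored in the hidden stream
    well_known: bool # True for streams Windows itself commonly creates


def parse_dir_r(output: str) -> list[AdsEntry]:
    """Return one AdsEntry per alternate stream line in `dir /r` output."""
    entries: list[AdsEntry] = []
    for line in output.splitlines():
        # Only stream lines end with the ":$DATA" type suffix; headers,
        # directory lines and main-stream lines do not.
        if not line.rstrip().endswith(":$DATA"):
            continue
        match = _LINE.match(line)
        if not match:
            continue
        size = int(match.group(1).replace(",", ""))
        # The name reads  <file>:<stream>:$DATA ; split from the right so a
        # file name containing a colon-free path is handled unchanged.
        file, stream, _stream_type = match.group(2).rsplit(":", 2)
        entries.append(AdsEntry(file, stream, size, stream in WELL_KNOWN_STREAMS))
    return entries


def suspicious(entries: list[AdsEntry]) -> list[AdsEntry]:
    """Filter out the streams Windows routinely creates; the rest deserve a look."""
    return [entry for entry in entries if not entry.well_known]


def report(output: str) -> str:
    """Human-readable summary of the streams found in `dir /r` output."""
    entries = parse_dir_r(output)
    lines = [f"{len(entries)} alternate data stream(s) found"]
    for entry in entries:
        tag = "well-known" if entry.well_known else "REVIEW"
        lines.append(f"  [{tag}] {entry.file} -> {entry.stream} ({entry.size} bytes)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DIR_R))
```

The useful signal here is the stream name and its size: Explorer reports family_photo.jpg as 48,213 bytes and says nothing about the 1,024 bytes riding along in secret_plans.txt. If you prefer PowerShell, Get-Item -Path .\family_photo.jpg -Stream * lists the same streams directly, with the default stream shown as :$DATA.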

More Advanced Concepts about ADS