Alternate data streams and cyber security

Table of contents

  • What are alternate data streams
  • How do alternate data streams work
  • Why alternate data streams are a threat to cyber security 
  • How to detect and remove alternate data streams 

Alternate data streams (ADS) represent an advanced feature of the NTFS file system that allows additional information to be associated with each file without changing its external appearance. 

This feature, introduced with the Windows operating system starting with Windows 2000, offers interesting opportunities for storing hidden data, but it also opens the door to new cyber security risks.

Alternate data streams can be used to hide data without altering the visible size of a file, making them a popular choice for embedding malicious content in an invisible way. But what exactly are they and how do they work? 

What are alternate data streams

Alternate data streams (ADS) are data streams that can be attached to NTFS files. Thanks to this technology, a file can carry any type of data in a stream that is separate from its main data stream.

This additional stream is not visible through the file's normal properties, but it can be accessed from the command prompt.

Essentially, ADS allow you to add content to a file without changing the main file, keeping it visually identical. 

This technology is particularly advantageous when additional information needs to be associated with existing files, such as text files or downloaded files.  

However, ADS can also contain malicious code and pose a serious security threat, as they can be used to insert harmful software into a system without the user’s knowledge. 

How do alternate data streams work

In the context of cyber security, alternate data streams (ADS) are used to hide files, programs, or other information from view.

An NTFS file carrying additional streams still reports its original size, revealing nothing about the extra content.

Example:
A cybercriminal could attach a script or malware to a legitimate file as an alternate stream, and the file would still look unchanged in its properties.

To access these alternate data streams, the command prompt is typically used, with a specific syntax to display or modify the hidden content.

With Windows 2000 and subsequent systems, it is possible to create alternate data streams (ADS) on almost any file, making it a versatile and insidious technique for hiding data or malicious code within a system. 

Why alternate data streams are a threat to cyber security 

ADS represent a unique challenge for cyber security, as they can contain any type of data and hide it without the system owner realizing. 

This makes them a common vector for malware, which can be associated with harmless files and remain hidden until executed.  

Since alternate data streams (ADS) are not visible in the standard properties of a file, they are often overlooked by users and even some antivirus software. 

Businesses and cyber security professionals need to be aware of the dangers that ADS represent.  

Since they can be used to store additional information that is not easily detectable, it is important to use advanced tools to analyze NTFS file systems in search of ADS attached to files.

How to detect and remove alternate data streams 

Although ADS can be difficult to identify, there are techniques and tools that can help detect them. 

Tools like PowerShell, Sysinternals Streams, and various advanced scanning software can reveal the presence of alternate data streams in files.  

Using the command prompt, it is possible to manually examine files to check whether they carry additional streams containing hidden content or malicious code.

A simple way to identify ADS is to check whether files on the NTFS volume have more than one data stream; directory listings that show streams indicate them with the stream name appended to the file name after a colon. Although these checks can require time and attention, they are crucial for system security.
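One way to carry out the detection and removal the two sections above describe, as an added PowerShell example that is not part of the article: it builds a sample file with a harmless extra stream in a temporary folder (constructed for the demo), lists every stream other than the main one and the Zone.Identifier stream that Windows adds to downloaded files, shows the beginning of small suspect streams for triage, and then removes them. The folder name and the `Find-AlternateStreams` function are assumptions; the `-Stream` parameters are the built-in ones of PowerShell 3 and later.

```powershell
# Added example (not from the article): enumerate, inspect and remove alternate data
# streams under a directory with the -Stream parameters of PowerShell 3+.
# The sample file and its extra stream are constructed here so the script runs stand-alone.

$root = Join-Path $env:TEMP 'ads-demo'          # constructed demo folder (assumption)
New-Item -ItemType Directory -Path $root -Force | Out-Null
$sample = Join-Path $root 'report.txt'
Set-Content -Path $sample -Value 'visible report text'
# Attach a harmless second stream; Explorer still reports only the main stream's size.
# cmd's "dir /r" would list it as report.txt:notes:$DATA next to the file.
Set-Content -Path $sample -Stream 'notes' -Value 'hidden note content'

# Streams that are expected and usually benign: the unnamed main stream and the
# Mark-of-the-Web stream (Zone.Identifier) written to downloaded files.
$expected = @(':$DATA', 'Zone.Identifier')

function Find-AlternateStreams {
    param([string]$Path)
    Get-ChildItem -Path $Path -File -Recurse |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $expected -notcontains $_.Stream } |
        Select-Object FileName, Stream, Length
}

$findings = Find-AlternateStreams -Path $root
foreach ($f in $findings) {
    Write-Host ("{0} -> stream '{1}' ({2} bytes)" -f $f.FileName, $f.Stream, $f.Length)
    # Show the first lines of small streams so an analyst can triage them; larger or
    # binary streams should be exported and hashed rather than printed.
    if ($f.Length -le 4KB) {
        Get-Content -LiteralPath $f.FileName -Stream $f.Stream -TotalCount 5
    }
}

# Removing a stream leaves the main file and its visible content untouched.
foreach ($f in $findings) {
    Remove-Item -LiteralPath $f.FileName -Stream $f.Stream
}

# Verify: only the main stream (:$DATA) should remain on the sample file.
Get-Item -LiteralPath $sample -Stream * | Select-Object Stream, Length
```

In a real investigation, skip the constructed sample at the top and point `Find-AlternateStreams` at the directory under review; treat any unexpected stream as something to export and analyze before deleting it, so evidence is not destroyed.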


Questions and answers 

  1. What are alternate data streams? 
    Alternate data streams are additional data flows that can be associated with files in the NTFS file system. 
  2. Why are ADS a security threat? 
    They can hide malicious data without changing the main file size, making it difficult to detect malware. 
  3. How can you access alternate data streams? 
    ADS can be viewed through the command prompt with specific syntax. 
  4. Is it possible to remove alternate data streams? 
    Yes, tools like PowerShell or Sysinternals Streams can be used to remove them. 
  5. Which files can contain alternate data streams? 
    Any file in the NTFS file system can contain additional ADS. 
  6. What happens to downloaded files with ADS?
    Downloaded files can include ADS that contain additional information about the download. 
  7. How are alternate data streams used by cybercriminals? 
    ADS are used to hide malicious code or sensitive data in seemingly harmless files. 
  8. Which operating systems support alternate data streams? 
    ADS are supported by Windows systems based on NTFS, such as Windows 2000 and later versions. 
  9. What tools can detect alternate data streams? 
    Advanced scanning software, PowerShell, and Sysinternals Streams can detect ADS. 
  10. Do alternate data streams affect file size? 
    ADS do not change the visible size of NTFS files, making them difficult to identify without specialized tools. 