[STREAMS]
Detect and analyze NTFS Alternate Data Streams for hidden malware discovery and digital forensics
Difficulty: Intermediate
Category: Security
What are Alternate Data Streams?
NTFS Alternate Data Streams (ADS) are a feature of the NTFS file system that allows multiple data streams to be associated with a single file. While legitimate, they can be abused by malware to hide payloads.
Legitimate Uses:
- File metadata and properties
- Zone.Identifier (Internet downloads)
- Thumbnail caches
- Custom application data
Malicious Uses:
- Hidden malware payloads
- Steganography and data hiding
- Bypassing security tools
- Persistence mechanisms
Key Features
ADS Detection
Identify files with alternate data streams
Recursive Scanning
Scan entire directory trees for hidden streams
Stream Deletion
Remove suspicious alternate data streams
Command Line
Automated scripting and batch operations
Basic Usage
Detection and Enumeration
# Scan single file for ADS
streams document.txt
# Scan directory recursively
streams -s C:\temp
# Show only files with streams
streams -s C:\Users | findstr "has the following streams"
Stream Removal
# Remove all streams from file
streams -d document.txt
# Remove streams recursively
streams -d -s C:\suspicious_folder
# Remove specific stream
streams -d document.txt:hidden_payload
Manual ADS Analysis
Native Windows Commands
# Create ADS (for testing)
echo "Hidden content" > test.txt:hidden
# View ADS content
notepad test.txt:hidden
more < test.txt:hidden
# Execute from ADS
wscript test.txt:script.vbs
powershell Get-Content test.txt:data
PowerShell Analysis
# List all ADS in directory
Get-ChildItem -Recurse | Get-Item -Stream *
# Find files with custom streams
Get-ChildItem -Recurse | ForEach {Get-Item $_.FullName -Stream * | Where Stream -ne ':$DATA'}
# Extract stream content
Get-Content -Path "file.txt" -Stream "streamname"
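The three cmdlets above can be combined into one inventory routine. The following is an added example, not code from this page or from Sysinternals: it walks a directory tree, lists every stream other than the default `:$DATA`, parses the `[ZoneTransfer]` block of any `Zone.Identifier` stream into its `ZoneId` and `HostUrl` fields, and records a SHA-256 of each stream's raw bytes so a finding can be documented before anything is touched. The function names `Get-AdsStreamBytes`, `Get-AdsInventory` and the fixture created in the usage section are assumptions made here; the fixture writes constructed sample files into a temporary folder that is assumed to live on an NTFS volume.

```powershell
# Added example (not from the page): inventory non-default NTFS streams with hashes.
# Needs Windows and NTFS; works on Windows PowerShell 5.1 and PowerShell 7.

function Get-AdsStreamBytes {
    param([string]$Path, [string]$Stream)
    # The byte-reading switch of Get-Content differs between PowerShell editions.
    $bytes = if ($PSVersionTable.PSVersion.Major -ge 6) {
        Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -Raw
    } else {
        Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -Raw
    }
    if ($null -eq $bytes) { return [byte[]]::new(0) }   # zero-length stream
    return [byte[]]$bytes
}

function Get-AdsInventory {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Root)

    $sha = [System.Security.Cryptography.SHA256]::Create()
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        # ':$DATA' is the main stream every file has; report only the others.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' } |
          ForEach-Object {
            $bytes = Get-AdsStreamBytes -Path $file.FullName -Stream $_.Stream
            $hash  = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''

            # Zone.Identifier is an INI-style "[ZoneTransfer]" block; keep the useful keys.
            $zoneId = $null; $hostUrl = $null
            if ($_.Stream -eq 'Zone.Identifier') {
                $text = [System.Text.Encoding]::ASCII.GetString($bytes)
                if ($text -match '(?m)^ZoneId=(\d+)')  { $zoneId  = [int]$Matches[1] }
                if ($text -match '(?m)^HostUrl=(.+)$') { $hostUrl = $Matches[1].Trim() }
            }

            [pscustomobject]@{
                File    = $file.FullName
                Stream  = $_.Stream
                Length  = $bytes.Length
                SHA256  = $hash
                ZoneId  = $zoneId
                HostUrl = $hostUrl
            }
          }
      }
}

# Usage: constructed sample data in a temp folder (assumed to be NTFS), then inventory it.
$root = Join-Path ([System.IO.Path]::GetTempPath()) ('ads-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $root | Out-Null
$dl = Join-Path $root 'download.txt'
Set-Content -LiteralPath $dl -Value 'hello'
Set-Content -LiteralPath $dl -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=https://example.invalid/download.txt"
$doc = Join-Path $root 'report.txt'
Set-Content -LiteralPath $doc -Value 'visible body'
Set-Content -LiteralPath $doc -Stream 'data' -Value 'constructed hidden content'

$report = Get-AdsInventory -Root $root
$report | Format-Table File, Stream, Length, ZoneId, HostUrl -AutoSize
$report | Export-Csv -LiteralPath (Join-Path $root 'ads-inventory.csv') -NoTypeInformation
```

Reading the bytes through `Get-Content -Stream` rather than opening `file:stream` with a .NET `FileStream` avoids the colon-in-path handling differences between .NET Framework and .NET Core, and hashing the raw bytes (not re-encoded text) keeps the SHA-256 meaningful for binary streams.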
Security Use Cases
🦠 Malware Detection
Find hidden malware payloads in alternate data streams.
# Scan system for hidden streams
streams -s C:\
🔍 Digital Forensics
Analyze file system for evidence hidden in ADS.
# Forensic ADS analysis
streams -s E:\evidence
🚨 Incident Response
Quickly identify and remove malicious streams during incidents.
# Clean infected system
streams -d -s C:\Users\victim
🛡️ Security Auditing
Regular scanning for unauthorized data hiding attempts.
# Audit critical directories
streams -s "C:\Program Files"
Common ADS Types
| Stream Name | Type | Description | Risk Level |
|---|---|---|---|
| Zone.Identifier | Legitimate | Internet download source tracking | Low |
| AFP_AfpInfo | Legitimate | Apple File Protocol metadata | Low |
| Temp_* | Suspicious | Temporary files in streams | Medium |
| data | Suspicious | Generic data hiding | High |
| *.exe, *.vbs | Malicious | Executable code in streams | Critical |
Best Practices & Tips
- Regular ADS scanning: Include ADS detection in routine security audits
- Focus on user directories: Malware often hides streams in user-accessible locations
- Investigate unknown streams: Any stream other than Zone.Identifier warrants investigation
- Use PowerShell for analysis: Combine with PowerShell cmdlets for detailed stream analysis
- Document before deletion: Always document suspicious streams before removing them
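The risk table and the "document before deletion" rule can be turned into a single triage step. The following is an added example, not code from this page or from Sysinternals: `Get-AdsRiskLevel` maps a stream name onto the table's levels (anything the table does not list is returned as `Investigate`, following the advice that unknown streams warrant investigation), and `Invoke-AdsTriage` copies every alternate stream's bytes to an evidence folder, writes a JSON-lines record with the hash and risk level, and only then removes streams rated Critical, and only when `-RemoveCritical` is given. Both function names, the evidence layout and the constructed sample file in the usage section are assumptions made here; `-WhatIf` is honoured so the removal can be rehearsed.

```powershell
# Added example (not from the page): classify, preserve, then remove Critical streams.
# Needs Windows and NTFS; works on Windows PowerShell 5.1 and PowerShell 7.

function Get-AdsRiskLevel {
    param([string]$StreamName)
    # Mirrors the "Common ADS Types" table; unlisted names are flagged for review.
    switch -Regex ($StreamName) {
        '^(Zone\.Identifier|AFP_AfpInfo)$' { return 'Low' }
        '\.(exe|vbs)$'                     { return 'Critical' }
        '^data$'                           { return 'High' }
        '^Temp_'                           { return 'Medium' }
        default                            { return 'Investigate' }
    }
}

function Invoke-AdsTriage {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Root,
        [Parameter(Mandatory)][string]$EvidenceDir,
        [switch]$RemoveCritical
    )
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
    $log = Join-Path $EvidenceDir 'ads-triage.jsonl'

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_.FullName
        Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' } | ForEach-Object {
            $stream = $_.Stream
            $risk   = Get-AdsRiskLevel $stream

            # Preserve the raw stream bytes as an ordinary file before any deletion.
            $bytes = if ($PSVersionTable.PSVersion.Major -ge 6) {
                Get-Content -LiteralPath $file -Stream $stream -AsByteStream -Raw
            } else {
                Get-Content -LiteralPath $file -Stream $stream -Encoding Byte -Raw
            }
            if ($null -eq $bytes) { $bytes = [byte[]]::new(0) }
            $safeName = '{0}_{1}.bin' -f ($file -replace '[:\\/]', '_'), ($stream -replace '[^\w.-]', '_')
            $copy = Join-Path $EvidenceDir $safeName
            [System.IO.File]::WriteAllBytes($copy, [byte[]]$bytes)

            $record = [ordered]@{
                Timestamp = (Get-Date).ToString('o')
                File      = $file
                Stream    = $stream
                Length    = $bytes.Length
                SHA256    = (Get-FileHash -LiteralPath $copy -Algorithm SHA256).Hash
                Risk      = $risk
                Evidence  = $copy
                Removed   = $false
            }

            # Deletion is opt-in, limited to Critical, and goes through ShouldProcess (-WhatIf/-Confirm).
            if ($RemoveCritical -and $risk -eq 'Critical' -and
                $PSCmdlet.ShouldProcess("${file}:$stream", 'Remove alternate data stream')) {
                Remove-Item -LiteralPath $file -Stream $stream
                $record.Removed = $true
            }
            ($record | ConvertTo-Json -Compress) | Add-Content -LiteralPath $log
            [pscustomobject]$record
        }
    }
}

# Usage: constructed sample in a temp folder (assumed NTFS); one stream carries a .vbs name.
$root = Join-Path ([System.IO.Path]::GetTempPath()) ('ads-triage-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $root | Out-Null
$f = Join-Path $root 'invoice.txt'
Set-Content -LiteralPath $f -Value 'visible body'
Set-Content -LiteralPath $f -Stream 'script.vbs' -Value "' constructed test marker, not a script"
Set-Content -LiteralPath $f -Stream 'Temp_1' -Value 'constructed scratch data'

Invoke-AdsTriage -Root $root -EvidenceDir (Join-Path $root 'evidence') -RemoveCritical -WhatIf
Invoke-AdsTriage -Root $root -EvidenceDir (Join-Path $root 'evidence') -RemoveCritical |
    Format-Table Stream, Risk, Length, Removed -AutoSize
```

The first call rehearses the removal with `-WhatIf`; the second performs it. Because the evidence copy and its hash are written before `Remove-Item -Stream` runs, the JSON-lines log still points at intact bytes after the stream is gone.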