
ALTERNATE DATA STREAMS (ADS)

Bora · 3 min read

INTRODUCTION

Alternate Data Streams (ADS) are a feature of the NTFS file system that allows a file to have multiple data streams, each of which can be manipulated as if it were a separate file. This feature can be useful in a variety of scenarios, but it is not widely used and is often considered a security risk. In this article, we will discuss what ADS are, how they work, and some examples of how they can be used.

HISTORY

ADS were first introduced in the NTFS file system in the early 1990s as part of the Windows NT operating system. They were intended to allow the creation of multiple data streams within a single file, each of which could be manipulated independently. For example, one data stream could store the contents of the file, while another could store metadata or other information about the file.

HOW-TO

To create an ADS, a programmer can use the CreateFile API function to open a handle to a file, appending the name of the data stream to the filename after a colon. For example, to create an ADS called “mystream” within a file called “myfile.txt”, the filename passed to CreateFile would be “myfile.txt:mystream”. Once the handle to the stream has been created, the programmer can use the standard file I/O functions to read and write data to the stream, just as they would with a normal file.

To display a list of all the alternate data streams of a file, you can use the command-line utility dir /R on Windows, or ls -l combined with find -exec on Linux/Unix.
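The create/list/read procedure described above, as an added PowerShell example that is not part of the original article. It assumes PowerShell 3.0 or later on an NTFS volume; the FileSystem provider's -Stream parameter uses the same "file:stream" naming that the CreateFile API accepts, and the file name and stream name are the article's own.

```powershell
# Added example (not from the original article): create, list, read and remove
# an alternate data stream with PowerShell. Assumes PowerShell 3.0+ on NTFS.
$file = Join-Path $env:TEMP 'myfile.txt'

# The unnamed (default) stream is what every tool sees as "the file".
Set-Content -LiteralPath $file -Value 'visible content'

# Write a second stream called "mystream" into the same file,
# the equivalent of opening "myfile.txt:mystream" with CreateFile.
Set-Content -LiteralPath $file -Stream 'mystream' -Value 'content stored in the ADS'

# Explorer and a plain "dir" report only the size of the unnamed stream.
(Get-Item -LiteralPath $file).Length

# Enumerate every stream of the file. The unnamed stream appears as ':$DATA'.
Get-Item -LiteralPath $file -Stream * |
    Select-Object Stream, Length

# Read the alternate stream back.
Get-Content -LiteralPath $file -Stream 'mystream'

# The same listing with the classic command mentioned in the article.
cmd.exe /c "dir /R `"$file`""

# Remove only the alternate stream; the file and its main stream remain.
Remove-Item -LiteralPath $file -Stream 'mystream'
```

Note that a file copied to a FAT, exFAT or network share that lacks stream support loses every stream except the unnamed one, which is why tools that move files silently drop this data.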

ADS can be used for legitimate purposes, such as adding metadata to a file, but they can also be used for malicious purposes. For example, a hacker could use ADS to hide a malicious file within a seemingly innocent one. This is often referred to as “stream-sniping” or “hiding a file in a file”. An attacker could also use ADS to hide a backdoor or other malicious code within a file, making it difficult to detect.
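Because a hidden stream does not change the size that Explorer or a plain dir shows, the check a defender wants is an enumeration of every named stream on disk. The following sweep is an added example, not code from the original article; it assumes PowerShell 3.0 or later on an NTFS volume, and the Zone.Identifier exclusion is an assumption about what is benign (that stream is the mark-of-the-web that browsers add to downloads).

```powershell
# Added example (not from the original article): report every file under a
# directory that carries a named stream besides the default ':$DATA'.
# Assumes PowerShell 3.0+ on NTFS; the $Ignore list is an assumption.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier is written by browsers on downloaded files and is
        # expected; leave it out so the report shows the unusual streams.
        [string[]] $Ignore = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = $_
            Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $Ignore } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $f.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# Usage: review the report; a large stream on an unrelated-looking file
# (for example an executable-sized stream on a text file) deserves a closer look.
Find-AlternateDataStreams -Path 'C:\Users\Public' | Format-Table -AutoSize
```

Run the sweep from a baseline and compare reports over time; a new named stream appearing on a file that had none is a better signal than the mere presence of streams, since legitimate software also writes them.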

An example of legitimate usage of ADS is when creating an installer of software, where the installer package contains a separate stream that holds the actual installation script.

Another example is that media files such as images, audio, and video may carry an additional alternate data stream holding metadata such as the creation date, the location where the media was captured, and user-defined data such as comments.

CONCLUSION

In conclusion, Alternate Data Streams (ADS) are a powerful feature of the NTFS file system, but they are not widely used and are often considered a security risk. The feature can be useful in a variety of scenarios, but it’s important to be aware of the security risks and to use this feature carefully.