All About Alternate Data Stream (ADS)


Alternate Data Stream (ADS) is a feature of the Windows New Technology File System (NTFS) that lets a file carry extra named streams of data alongside its main content, for example metadata such as a file's title or author. Alternate data streams first appeared in Windows NT and are still used in Windows 8. Take note that having an ADS in a file will not increase the file size shown in a normal directory listing, which makes it excellent for attackers to hide a piece of code or malware inside an otherwise legitimate file.

So what is one purpose of this metadata?

Let's say I downloaded a file called Tutorial 3.pdf from the internet, put it into the directory \test and did a dir. This is what you would see.


When I do a dir /r, I will be able to see whether any file in the directory has an ADS.


As you can see, Tutorial 3.pdf has an ADS called Zone.Identifier:$DATA. But what data exactly is this zone identifier holding?


Ok, so I now know that it's holding some kind of Zone Transfer data with id = 3. Now, does anyone remember this setting in Internet Explorer?


It turns out this security setting defines the following zone ids:


Value  Setting
0      My Computer
1      Local Intranet Zone
2      Trusted Sites Zone
3      Internet Zone
4      Restricted Sites Zone


So with a zone id of 3, the computer knows the file came from the Internet Zone!


So what can an attacker do with ADS? For example, I have just created a hidden.txt stream inside Tutorial 3.pdf and did a normal dir; you will notice that the file size has not changed. Only when I do a dir /r can I see the change! Take note that the hidden.txt could just as well be a .exe file for attackers!



An attacker could then send this apparently normal file to you with a hidden ADS in it! So let's say I want to view my hidden file now; I would use the command more < tutorial3.pdf:hidden.txt
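As an added example (not code from the original post), here is a PowerShell script that does what dir /r and more < do above, but across a whole folder from a defender's side: it lists every alternate data stream, decodes the ZoneId using the zone table above, and flags any stream that is not the main :$DATA stream or Zone.Identifier, since that is how a hidden.txt (or .exe) stream would show up. The folder path C:\test is an assumption; point it at any folder.

```powershell
# Added example: enumerate NTFS alternate data streams under a folder,
# decode Zone.Identifier, and flag unexpected streams. Not the post's own code.

# Folder to scan; the post used \test (assumed path, change as needed)
$Path = 'C:\test'

# Zone table from the Internet Explorer security setting shown in the post
$ZoneNames = @{
    0 = 'My Computer'
    1 = 'Local Intranet Zone'
    2 = 'Trusted Sites Zone'
    3 = 'Internet Zone'
    4 = 'Restricted Sites Zone'
}

# Read the key=value lines of a file's Zone.Identifier stream into a hashtable
function Read-ZoneIdentifier {
    param([string]$File)
    $info = @{}
    # -Stream reads the named ADS instead of the file's main :$DATA stream
    foreach ($line in (Get-Content -LiteralPath $File -Stream 'Zone.Identifier' -ErrorAction Stop)) {
        if ($line -match '^\s*([^=\[]+?)\s*=\s*(.*)$') { $info[$matches[1]] = $matches[2] }
    }
    return $info
}

Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
    $file = $_.FullName
    # -Stream * lists every stream of the file, like dir /r does
    foreach ($s in (Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue)) {
        if ($s.Stream -eq ':$DATA') { continue }   # the file's normal content
        if ($s.Stream -eq 'Zone.Identifier') {
            $zone = Read-ZoneIdentifier $file
            if ($zone.ContainsKey('ZoneId')) {
                $id = [int]$zone['ZoneId']
                '{0}  Zone.Identifier ZoneId={1} ({2})' -f $file, $id, $ZoneNames[$id]
            } else {
                '{0}  Zone.Identifier present but no ZoneId' -f $file
            }
        } else {
            # Any other stream is hidden from a plain dir, e.g. tutorial3.pdf:hidden.txt
            '{0}  CHECK: extra stream "{1}" ({2} bytes)' -f $file, $s.Stream, $s.Length
        }
    }
}
```

Requires PowerShell 3.0 or later, where Get-Item, Get-Content and Get-ChildItem understand the -Stream parameter on NTFS volumes.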