Alternate Data Streams


Author: Dan Mares, dmares @ maresware . com (you will be asked for e-mail address confirmation)
Portions Copyright © 1998-2016 by Dan Mares and Mares and Company, LLC
Phone/fax: (678-427-3275


What Forensic Analysts/Investigators should know about Alternate Data Streams

This is a description of a little known part of the NTFS file system called “Alternate Data Streams”. Many of you probably have never heard of Alternate Data Streams (ADS). In fact, the normal computer user will probably never have any need to use or deal with ADS. However, they are an excellent way of hiding data on NTFS partitions.

What are AlternateData Streams? The explanation I’m going to provide is not a technical one, and is therefore technically lacking. I’m trying to set out an explanation that might be usable when you try to explain this to a non-technical person.

Let's start with what most people consider a normal data file. A normal file consists of an entry in the directory which typically contains the following: file name; date; time; size; an indication as to where the files resides on the physical disk (in DOS we call this the starting Cluster location, on NTFS it is information located in the (MFT) Master File Table); and the data of the file which is contained in a series of bytes of data located in Clusters on the disk. That’s the simple explanation. Information about the NT Master File Table can be found in many places. One helpful site is from a Executive Software International. A good briefing on MFT is on their web site at: (http://www.execsoft.com/tech-support/NT-articles/article.asp?F=1997042926.htm or the article: art-0020.htm)

Now, comes NTFS. Disregarding for a moment that files of about 1500 bytes or less can reside entirely within the MFT, the MFT contains a significant amount of data about the file. This data is called "attributes." There are more than 10 attributes of a file. Attributes can be resident (in the MFT) or nonresident. Nonresident apparently means located somewhere else on the disk.

One of the attributes of a file is the “DATA” attribute. The data attribute points to the data, resident or not. This still sounds very simple. We have a file system, a way of tracking files (the directory entry), and attributes about the files. Now comes the trick.

On NTFS systems, (and only on NTFS), this “DATA” attribute can actually be alternate data attributes pointing to more than one piece of “data”. In this case “data” means the contents of a file, or other information such as security information. Thus it can point to more than one file. These additional "files" are called Alternate Data Streams. I think of them as additional files that are sitting--or more appropriately--hiding behind the visible file.

ADS’s are sort of like invisible attachments to a file (or a directory). Their physical information is not included in the results of a DIR or Explorer window. DIR or Explorer will never tell you a file contains ADS’s. In most cases, if one existed, its size would be so insignificant to the overall size of a physical drive that you wouldn’t even notice space was being used up which you couldn’t account for. So how do you find them? Very carefully.

First, it is helpful to know how to create a simple ADS. The easiest way to do it is to use Notepad. Assume we have a file called test.txt. It is a text file, sitting out there on the disk. To create a simple ADS, (let's call it alternate.txt) you would do the following: Using Notepad, at the prompt, enter the command

C:>notepad test.txt:alternate.txt

Notice the format for creating an ADS is to use the filename of the main or primary data file, add a colon (:) followed by the name of the ADS you wish to create or access. There should be no spaces within this entire string of characters. (Unless you quote the string, which is another lesson.)

Notepad will probably say that alternate.txt does not exist and ask if you want to create it. You would say yes. Then type in any information just as you always do. When you are finished, save the file and exit. Look at the size of the test.txt file that DIR shows. The filesize hasn’t changed at all. Interesting. Where did the data go? It went into one of those Alternate Data Streams that is now associated with the original file test.txt.

Now that you have created an ADS, you can go in and create more. To access these ADS files later you simply use Notepad to edit the ADS just as you did when originally creating it.

C:>Notepad test.txt:alternate.txt

Are you thinking that ADS is simply a little toy? Well this toy could be used to hide data “behind” any file within the NTFS file system. Under normal forensic processing you wouldn’t even know it existed. If you did a string search on the entire physical drive you might find the text strings if they weren’t encrypted or in a binary format. A suspect may very easily create an ADS containing passwords, contacts or other incriminating information and only they would know where it was and by what name it could be seen. An encrypted file could be sent on an NTFS formatted Jazz or Zip disk to someone, and the password might be sent right along with it in the form of an ADS. Binary images could be attached to simple text or document files for later retrieval. Rumor has it that there might be some sophisticated FTP programs that will transfer ADS files. I haven't found any, but creating them would be an easy programming task.

It is simple to add a binary data file or picture as an ADS. Just use the command:

C:>type binary.file >> test.txt:binary.ADS

This would add the binary.file to the test.txt as an ADS. The only program I know of that will copy or retrieve the ADS from behind its main data file is Maresware's Copy_ads program.

In addition, the 32 bit versions of Maresware's Diskcat, Hash, Mdir, MD5 and Crckit can perform the appropriate analysis on these ADSs.

Here is a sample output from Mdir when it finds a file with an Alternate Data Stream. Notice that the ADSs do not carry a different date, so I indicate their presence with the the term 'Alternate Data' or 'ADATA.'

Filename                         size  date       time   TZ attributes

junk_3                            103  11/17/1998 12:41w EST A.... 
junk_3:altdata.txt:                40  ALTERNATE  DATA   EST ADATA 
junk_3:alternat.txt:               43  ALTERNATE  DATA   EST ADATA 
junk_3:alternate.txt:              16  ALTERNATE  DATA   EST ADATA 

For more information on Alternate Data Streams you can research the web using the keyword 'Alternate Data Streams.' One other very important thing to remember: If you are copying a file with an ADS and you are going from NTFS to NTFS the ADS will tag along. No special command is necessary to maintain ADS integrity. However, ADSs are only valid when dealing with NTFS disks. So, if you copy a file having ADSs to a non NFTS drive, the ADSs are lost. This has its good and bad points.

This has been a primary tutorial dealing with Alternate Data Streams. For more information check out the web.

Portions Copyright 1998-2016 by Dan Mares and Mares and Company, LLC