Hidden Threat: NTFS Alternate Data Streams (ADS)
Alternate Data Streams (ADS) in NTFS (the NT file system) are a little-known compatibility feature of Windows NT systems. They were introduced in NTFS for compatibility with HFS, the old Macintosh Hierarchical File System. The primary function of ADS is to hold metadata about files: the details you write in the summary of a text document (right-click the TXT file, select Properties, then the Summary tab) are attached to it as an ADS.
So what's so special about ADS?
One may think, "A text document's summary is stored as an ADS... so what?" Well, there is more to it: executable code can also be stored in an alternate data stream without the file's timestamp, listed size or running process name changing. Moreover, files with ADS are almost impossible to spot with native file browsing tools such as Windows Explorer or the command line; software that can identify them is few and far between.
The lengths a malicious hacker will go to in order to hide his tracks can be astonishing, and this is what makes ADS a system administrator's worst nightmare. Because ADS are concealed, detecting and preventing execution of malicious code stored in them is difficult.
Once a hacker has acquired administrator access on a system, he will strip off all information of concern to cover his presence and try to install a backdoor (a remote access Trojan) for easy future access. This backdoor needs to be hidden from the system administrator, and this is where ADS comes in: it can be used to hide files on the breached system, evading detection and executing them without the sysadmin's knowledge.
The ability to hide executable code in invisible form inside an ADS can also make viruses difficult to detect within a file system, because most virus scanners only check the default data stream of files. Major anti-virus vendors point out that code in an ADS must be loaded into memory before execution and will therefore be caught by real-time scanning (a "real-time" scan examines a file as it is loaded into memory, just after it is commanded to execute). The problem with this approach is that many network administrators do not run real-time scanning on their servers or workstations because of the performance cost.
Denial of Service (DoS) attacks that exploit ADS also exist, and it is the difficulty of detection that increases the threat. For example, it is quite common for an attacker to create a file large enough to fill the system partition on a Windows NT/2000 system, crashing the server for lack of space for temporary files. When the main stream of a file is used in such an attack, the offending file is easily identified by its abnormally large size. By using alternate streams instead, it becomes hard to find where the offending data is located on the system. Another attack exploiting ADS creates a very large number of alternate streams, more than 6,000, on a single file. If the attacker or the system then tries to access the file's default stream, the system's response slows considerably and in the worst case the system crashes, creating a denial of service.
Moreover, this vulnerability is not confined to the NTFS file system; any other file system that uses streams for alternate data is vulnerable.
ADS lie below the visible file structure, so many backup programs are only able to back up the main stream of a file, leaving the alternate streams behind. Major backup software vendors do provide the ability to back up ADS in their newest releases (see the countermeasures section). If the backup is stored on a FAT partition, all ADS information is lost.
Backup tapes usually provide the best source of information in forensics regarding the type of attacks that were launched and data compromised. So it is extremely important that all NTFS volumes are effectively backed up.
Let’s make one
1. We have created a file named "data" in the C: root directory containing the text "this is main stream." This text is stored in the default, or main, stream of the file. Notice that the file size is 24 bytes.
2. Next, we create an ADS by adding the text "this is alternate stream" to the existing file "data". The syntax is <filename>:<alternate stream name>. Notice that the alternate stream does not show up in the root directory listing and the file size remains 24 bytes.
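The same two steps, reproduced here as an added example that is not from the article: it uses the -Stream parameter of the PowerShell 3.0+ file-system cmdlets instead of the cmd.exe redirection the article's screenshots show, writes into a temporary directory rather than the C: root (an assumption, to keep the demo harmless), and the stream name "hidden" is a constructed example. It shows that the reported file size counts only the main stream, that a plain directory listing never reveals the alternate stream, and how Get-Item -Stream * enumerates every stream so you can read or remove it.

```powershell
# Added demo (not the article's own commands). Assumes an NTFS volume under $env:TEMP.
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'data'

# Step 1: write the main stream (NTFS calls it ':$DATA').
Set-Content -Path $file -Value 'this is main stream.'
$before = (Get-Item -LiteralPath $file).Length

# Step 2: write an alternate stream; the on-disk name is "data:hidden".
Set-Content -Path $file -Stream 'hidden' -Value 'this is alternate stream'
$after = (Get-Item -LiteralPath $file).Length

# Explorer, 'dir' and FileInfo.Length only see the main stream, so the size is unchanged.
"Main stream size before: $before bytes, after: $after bytes"

# A normal listing shows one file and nothing about the hidden stream.
Get-ChildItem -LiteralPath $dir

# Enumerating streams is the only way to see it: ':$DATA' is the main stream.
Get-Item -LiteralPath $file -Stream * | Select-Object Stream, Length

# The alternate stream is readable like any other file content.
Get-Content -LiteralPath $file -Stream 'hidden'

# Remediation for a stream you have decided is illegitimate: remove only that stream.
Remove-Item -LiteralPath $file -Stream 'hidden'
Get-Item -LiteralPath $file -Stream * | Select-Object Stream, Length   # ':$DATA' only
```

Because the file size you see in Explorer does not change, a disk-usage check alone will not reveal data hidden this way; only stream enumeration does.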
ADS is not a feature that can be disabled, so countermeasures are important.
Antivirus: the best practice is to enable real-time scanning. As mentioned earlier, real-time scans can shield the system from execution of malicious code inside an alternate stream.
File monitoring: monitoring changes to the file system helps to detect the creation of additional or new data streams. Many freeware tools are available for monitoring NTFS partitions for alternate streams. Some of them are listed below:
LADS (List Alternate Data Streams)
Marx NTFS ADS Viewer
Streams (Sysinternals)
NT Objectives Forensic Toolkit
A commercial product, Tripwire (www.tripwiresecurity.com), is also available. It automatically audits your file system for changes, access and ADS, and provides excellent protection against attackers using ADS to hide their activities on systems. But it serves as a notification tool only: you still need to verify personally whether the alternate data is legitimate or needs to be deleted manually.
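As an added example of the file-monitoring countermeasure (not code from the article or from any of the tools it lists), the function below walks a directory tree with the PowerShell 3.0+ cmdlets and reports every non-default stream, the same information the LADS and Sysinternals Streams tools produce. It also covers the two DoS patterns described earlier: the usage lines rank streams by size to find hidden bulk data and count streams per file to catch the many-streams case. The Zone.Identifier stream that browsers attach to downloads is excluded by default because it is benign and extremely common; the function name, parameters and the 100-stream threshold are this example's own choices, not the article's.

```powershell
# Added audit script (not the article's). Requires PowerShell 3.0+ on an NTFS volume.
function Find-AlternateStreams {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        # Streams to ignore: Zone.Identifier is the browser "mark of the web", not a threat.
        [string[]] $IgnoreStream = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = $_
            # Every file reports at least ':$DATA' (the main stream); keep only the others.
            Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStream -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $f.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# Usage (constructed paths): audit a tree once and triage the result two ways.
$hits = Find-AlternateStreams -Path 'C:\Users'

# 1. Large hidden data: the "fill the partition" attack never shows up in file sizes.
$hits | Sort-Object Bytes -Descending | Select-Object -First 20 | Format-Table -AutoSize

# 2. Many streams on one file: the ">6,000 streams" slowdown pattern (threshold is illustrative).
$hits | Group-Object File | Where-Object Count -gt 100 |
    Select-Object Count, Name | Format-Table -AutoSize

# Once a stream is confirmed illegitimate: Remove-Item -LiteralPath <file> -Stream <name>
```

Run it from a scheduled task and diff successive outputs to turn it into the change monitoring the article recommends; a stream that was not present in the previous run is what you want to investigate.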
Backup: some commercial backup products can back up ADS, among them:
Symantec Backup Exec (earlier Veritas Backup Exec)
Backup Express
NetWorker 5.51
Note that alternate streams are lost when a file is moved from an NTFS partition to a FAT or FAT32 partition, because FAT does not support ADS.
This article has treated ADS as a vulnerability rather than a compatibility feature, but it is important to realise that ADS is an essential part of NTFS and has legitimate uses too. In the end, the security features of NTFS far outweigh this weakness. With knowledge and due diligence, administrators can take action to prevent and detect unauthorised use of ADS and protect themselves adequately.