NTFS Data Streams

What are NTFS Data Streams?

NTFS (New Technology File System) is a file system developed by Microsoft for its Windows operating system. One of NTFS's lesser-known features is its support for NTFS Data Streams, also known as Alternate Data Streams (ADS).

NTFS Data Streams allow a file to contain more than one data stream. By default, when you create and save a file, you interact with its primary data stream. However, NTFS allows additional streams to be associated with the same file, effectively hiding extra data within the file.

How Do Data Streams Work?

  1. Primary Data Stream: This is the main content of the file. When you open a file in a typical manner (e.g., double-clicking in Windows Explorer), you access this primary data stream.
  2. Alternate Data Streams (ADS): These are additional data streams attached to the same file without altering its primary data stream or the file size shown in typical file listings.

Use Cases

  • Metadata Storage: ADS can store metadata for files, such as summary information, that isn't visible in the primary stream.
  • Implementing Features: Some Windows features and applications use ADS to store supplementary information. For instance, web browsers may use ADS to mark files downloaded from the internet with information about their origin.
  • Hiding Data: ADS can also hide data, including viruses or malicious software.

Security Implications

  • Forensic and Security Analysis: Security professionals must consider ADS when performing forensic analysis, as bad actors may hide data within them.
  • Potential for Abuse: Bad actors may store malicious files in ADS, where they may escape detection by traditional file listings or even some antivirus programs.

NTFS Data Streams offer a way to attach multiple data streams to a single file, providing flexibility and functionality. However, this capability also introduces security challenges.

Example

Create and verify a primary data stream

CMD
C:\>echo 110502 > mission.txt
C:\>type mission.txt

Create and verify an alternate data stream

CMD
C:\>echo 34 10 09.51 N 73 14 32.78 E > mission.txt:target.txt
C:\>more < mission.txt:target.txt

List files with alternate data streams

CMD
C:\>dir /r
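For a defender, `dir /r` only covers one directory at a time. The following PowerShell script is an added example (not part of the original page) that walks a directory tree and reports every stream other than the default `:$DATA` stream, previewing short ones such as the browser `Zone.Identifier` marker or the `target.txt` stream created above. The root path is a placeholder; it assumes Windows PowerShell 5.1 or later on an NTFS volume.

```powershell
# Added example: enumerate alternate data streams below a directory.
# $Root is a placeholder path; adjust it for the volume being reviewed.
param(
    [string]$Root = 'C:\Users\Public\Downloads',
    [int]$MaxPreviewBytes = 256   # only preview streams up to this size
)

Get-ChildItem -Path $Root -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * returns one object per stream; the unnamed primary
        # stream is reported as ':$DATA' and is filtered out below.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                $preview = ''
                if ($_.Length -le $MaxPreviewBytes) {
                    # Read the alternate stream directly, without touching the primary data.
                    $content = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
                    # Flatten line breaks so the preview fits one table row.
                    $preview = ($content -replace '\r?\n', ' | ').Trim()
                }
                [pscustomobject]@{
                    File    = $file.FullName
                    Stream  = $_.Stream
                    Bytes   = $_.Length
                    Preview = $preview
                }
            }
    } | Format-Table -AutoSize -Wrap
```

A file carrying only a `Zone.Identifier` stream (the download marker mentioned under Use Cases) is expected and usually benign; a stream with an unfamiliar name or a large size on an otherwise ordinary file is what merits a closer look during forensic review.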