NTFS-ADS

Alternate Data Streams

The true way of hiding information on your computer!

What's an Alternate Data Stream?

The origin of Alternate Data Streams lies with the Macintosh file system. As some of you might know, Macintosh files don't have extensions. Yet the OS is capable of recognizing the file and running it properly (or opening it with the associated program).
This is possible because Macintosh files have two forks.
  • The resource fork, which contains file information (executable, file type, ...)
  • The data fork, which contains the executable code itself (in case of an executable) or the data.
Note! This has changed in MacOS X
When Windows NT 3.1 was introduced, it came with compatibility support for AppleTalk, which meant that NT and MacOS users could easily exchange data. This is the point where the problems began, since there was no way to copy the resource fork and the data fork of a file directly onto the NT file system. If you tried to copy a file from the MacOS file system to an NT file system, you would only copy the data fork, since the resource fork wasn’t physically in the file but in a separate stream (the data and resource fork don’t occupy the same cluster on the disk). Microsoft then had to implement NTFS ADS, which meant that NT would see the resource fork as another stream and would be able to copy it along with the file onto a Macintosh computer. Because this was done by extremely low-level code, inaccessible to most APIs or programs, ADS didn’t become popular until much later.

The beginning of Alternate Data Streams

When Windows NT 4 was introduced, ADS took a more important place in the heart of the NT OS. Like the Unix systems, NT 4 started to support Hard Links. (Hard Links work like shortcuts: you can, for instance, map a file or folder to another one. For example, c:\sample\my folder can be mapped to c:\the folder. Why isn’t this a shortcut? Because you can’t do file operations on a shortcut, and you can’t use it in the command prompt.) Some anti-virus companies started writing checksums in a special separate ADS. However, no official API was made for Hard Links, and checksum ADS were really rare. All of this changed in Windows 2000.

The golden age of Alternate Data Streams

As said in the previous chapter, Windows 2000 brought a number of new features to NTFS (sparse files, abstract information, encrypted file system) and an easy-to-use API to create Hard Links. All this information is stored in the ADS of a file.
As ADS became better known, some viruses also started to exploit it. Why? Because Microsoft left a lot of holes in the implementation.

So, what's an Alternate Data Stream (again)?

ADS stands for Alternate Data Stream, as mentioned in the introduction. An ADS is any kind of data that can be attached to a file, but not stored in the file. (This is only possible on the NTFS file system.) The MFT (Master File Table) contains a list of all the data streams a file contains and where their physical location on the disk is. Therefore, alternate data streams are not present in the file, but attached to it through the file table. A typical file contains only a single data stream, called $DATA. This is the data contained in the file itself, and it is not an alternate data stream, since it is the data stream itself.
The convention that Microsoft chose for file naming, is the following:
filename.extension:alternate-datastream-name:$DATA
When Windows or a program opens a file by any normal means, you are therefore accessing the $DATA stream. Since there is no alternate data stream name, the file system actually opens filename.extension::$DATA. If this file had an alternate data stream called “example” and you wanted to open it, you would have to open filename.extension:example:$DATA. I hope ADS is clear so far.

What do Alternate Data Streams mean to you?

You’ll have noticed that ADS doesn’t store the data in the file itself. You might be asking yourself: “If I store 1MB of data or text into an ADS of a file, will the file become 1MB bigger?” Here’s the great side of ADS: it won’t, since the data is never stored in the file itself. When you use Explorer to view the file size, you will only see the size of $DATA. This is not a bug; any application calling the normal Windows API will exhibit the same behavior.
So what does this mean? It means you can store 2 gigabytes of data in the ADS of an empty file and the OS will display the file as empty. Opening this file with Notepad will result in a blank page; even a hex editor would display the file as empty. The 2 gigabytes would however take up 2 gigabytes of your disk. If you forgot the existence of this ADS, you could “lose” 2 gigabytes of your disk, and only a reformat would bring back the space.
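As an added example (not from the original article), the following PowerShell session shows the size-hiding behaviour described above from a defender's side: it attaches a constructed stream to a scratch file, shows that the reported length ignores it, then enumerates and removes streams. It assumes PowerShell 3.0 or later on an NTFS volume; the file name, stream name and contents are made up for the demonstration.

```powershell
# Added example, not from the original article. Requires PowerShell 3.0+ and an NTFS volume.
$path = Join-Path $env:TEMP 'ads-demo.txt'      # assumed scratch location
Set-Content -Path $path -Value 'visible text'

# Attach a hidden stream named "example" (constructed sample content, roughly 7 KB).
Set-Content -Path $path -Stream 'example' -Value ('hidden ' * 1000)

# The Length that Explorer and Get-ChildItem report covers only the unnamed $DATA stream.
(Get-Item -Path $path).Length

# Enumerate every stream of the file; the unnamed main stream shows up as ':$DATA'.
Get-Item -Path $path -Stream * |
    Select-Object FileName, Stream, Length

# Defender's check: list every file under a tree that carries a stream other than ':$DATA'.
# Expect some legitimate hits, e.g. Zone.Identifier on files downloaded from the Internet.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        Select-Object FileName, Stream, Length
}
Find-AlternateStreams -Root $env:TEMP

# Read the hidden stream back, then delete it to reclaim the space the article warns about.
Get-Content -Path $path -Stream 'example' | Measure-Object -Character
Remove-Item -Path $path -Stream 'example'
```

Note that Find-AlternateStreams only sees streams on NTFS; on FAT or exFAT volumes Get-Item -Stream reports an error per file, which the example suppresses.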

Small Summary

An NTFS file is made of data streams. The main data stream, called $DATA, is the file itself and can be opened, read, written or modified by any application. You’ll never see any mention of this data stream. The second type of data stream is called the alternate data stream, or ADS. Any kind of information can be stored in an ADS; it will be invisible to the user, the data will never be seen when opening the file, and the file size of the file will never change.
An example of an ADS created by Windows is the Summary Information you can write about a file. A user can create any number of ADS he wants and store whatever information inside.

Malicious usage?!

If I can store hidden information on my own computer ... can’t a hacker or a Trojan Horse program store information or even executable code in ADS? Can’t a joker create a 2GB file on my computer without me finding it out?
Unfortunately, the answer is YES.
Executables can be placed in an ADS, and even executed, without ever touching the main program. You can run an ADS executable through the API or a command in DOS, such as explorer.exe:trojan.exe. There’s an even bigger problem: if you check your Task Manager you’ll see explorer.exe running and not the Trojan executable ... luckily Microsoft has fixed this in Windows XP.

Frequently Asked Questions

  • What is an alternate data stream (ADS)?
    In NTFS, a file consists of different data streams. One stream holds the security information (access rights and such things), another one holds the "real data" you expect to be in a file. There may be another stream with link information instead of the real data stream, if the file actually is a link. And there may be alternate data streams, holding data the same way the standard data stream does.
  • That means a user can hide quite a lot of data in alternate data streams and nobody will know?
    So it is.
  • But does a user need certain special privileges to use alternate data streams?
    No. Even a guest can create such streams in every file he has write access to.
  • If I double-click on a file that has an executable stream attached to it, will the stream execute?
    No. The stream can only be executed if called directly - typically this can only be done by a program. You'll never accidentally execute a stream.
  • Can streams be transferred via a Windows Local Area Network (LAN)?
    Yes, but only if the target is an NTFS drive. This can easily be done simply by copying-and-pasting a stream-hosting file using Windows Explorer.
  • Can streams be transferred via email or FTP or other file-transfer protocols?
    No. Stream contents can be transferred via email, FTP etc., but only in the form of a normal file. If you attempt to email a file with any streams attached, only the actual file will be sent - not any of the streams. Virtually all Internet protocols that support file transfer are non-supportive of streams and other embedded file resources as streams are relatively exclusive to Macintosh and Windows NT/2K systems using the NTFS file system.

More information ...