System Hacking - Alternate Data Streams


    A very effective method of hiding data on a Windows system is Alternate Data Streams (ADS). ADS is a feature of the New Technology File System (NTFS), but it remains little known even among Windows administrators; this makes it useful to an attacker who understands it and dangerous to a defender who does not.
    The feature was designed for interoperability with the Macintosh Hierarchical File System (HFS), whose files carry a separate resource fork, but it has since been put to other uses. Every NTFS file has one unnamed data stream (shown as ":$DATA"), and any number of additional named streams can be attached to it. Data placed in a named stream is effectively forked off from, or hidden inside, the existing file: the file's size as reported by Explorer and by a plain "dir" listing reflects only the unnamed stream, its visible contents do not change, and the host file behaves exactly as before. Since Windows Vista the "dir" command with the "/R" switch lists the named streams of each file, and PowerShell exposes them through the -Stream parameter of Get-Item, Get-Content, Set-Content and Remove-Item. Two caveats matter in practice: named streams exist only on NTFS, so copying a file to a FAT or exFAT volume, or sending it through most archiving or transfer tools, silently drops them; and the "Zone.Identifier" stream that Windows attaches to downloaded files is a legitimate, very common ADS that should not be mistaken for hidden data.
    Once an executable or other payload is embedded in a stream, it can lie dormant until the attacker decides to use it. On Windows Vista and later a stream can no longer be launched directly by its "file:stream" path from the start command, but its contents can still be read back out or loaded by other means, and in the meantime it escapes casual inspection of the host file.
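    The following PowerShell script is an added example for this page, not code from the original article. It creates an ordinary text file, attaches a named stream to it, shows that the visible file size does not change, enumerates the streams with both "dir /R" and Get-Item -Stream, and finishes with a small defender-side sweep that lists every non-default stream under a directory. The directory name "ads-demo", the carrier file "notes.txt" and the stream name "payload" are arbitrary choices for the demonstration; it must be run on an NTFS volume.

```powershell
# Added example (not from the original page): how an alternate data stream
# hides data inside an existing NTFS file, how to list such streams, and how
# a defender can sweep a tree for them. Names below are demo choices.

$work = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$carrier = Join-Path $work 'notes.txt'

# 1. An ordinary file; its text lives in the unnamed stream (':$DATA').
Set-Content -Path $carrier -Value 'Quarterly planning notes'

# 2. Attach 4 KB of data as a named stream. The size reported for the file
#    (Explorer, plain dir, Get-Item .Length) counts only the unnamed stream.
$before = (Get-Item -Path $carrier).Length
Set-Content -Path $carrier -Stream 'payload' -Value ('X' * 4096)
$after = (Get-Item -Path $carrier).Length
"Visible size before: $before bytes; after adding a 4 KB stream: $after bytes"

# 3. Enumerate the streams. Every file has ':$DATA'; anything else is an ADS.
Get-Item -Path $carrier -Stream * | Select-Object FileName, Stream, Length

#    The same view from cmd.exe on Windows Vista and later.
cmd /c "dir /R `"$carrier`""

# 4. Read the hidden stream back. Get-Content without -Stream never shows it.
$hidden = Get-Content -Path $carrier -Stream 'payload' -Raw
"Hidden stream holds $($hidden.Length) characters"

# 5. Defender sweep: list every non-default stream under a directory tree.
#    Zone.Identifier (mark-of-the-web) is a common, legitimate ADS and is
#    filtered out here to cut noise; drop that clause to see it as well.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}
Find-AlternateStreams -Root $work

# 6. Remove the named stream; the carrier's own content is untouched.
Remove-Item -Path $carrier -Stream 'payload'
(Get-Item -Path $carrier -Stream *).Stream   # only ':$DATA' remains
```

    Step 2 is the point of the technique: the carrier's reported size is the same before and after the 4 KB stream is attached, so a size-based check or a glance in Explorer reveals nothing. Step 5 is the corresponding check a defender would schedule against user-writable locations; because streams are NTFS-only, the sweep should be run on the host rather than on a copy of the data taken to another file system.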
