ADS in NTFS | Hiding malicious code within files.

ADS (Alternate Data Stream) is a way to store data alongside a file without it normally being visible in Windows.
ADS is a feature of the Windows New Technology File System (NTFS) that, perhaps surprisingly, has both legitimate and malicious uses.

Alternate Data Stream is a little-known feature of the NTFS file system. It can fork data into an existing file without changing the file’s reported size or its functionality.

Think of an ADS as a ‘file inside another file’. Microsoft introduced NTFS with Windows NT and, at that time, had certain ideas about what future versions of Windows would look like. In practice those plans did not work out: ADS was a feature intended for that future Windows, never really made it to market in that form, and simply remained in the codebase.
Currently, all Windows operating systems, including the latest Windows 10, support the ADS feature.

So what can you do with ADS?

ADS allows you to store text, audio, video, images, and even viruses and trojans.
ADS can also hold metadata for identifying files according to various attributes, such as author, title, date modified, and more.
Furthermore, as long as the data does not go to another type of file system, such as FAT or ReFS, the ADS data gets copied along when you copy a file from one NTFS location to another.

Now that we know what ADS does, what are the benefits of using ADS?

BENEFITS OF ADS

  • Windows Resource Manager leverages ADS to identify high-risk files that should not be accessed.
  • The Windows operating system uses ADS to encrypt and store files in a secure manner.
  • The SQL Database server uses ADS to maintain database integrity.
  • Citrix’s virtual memory uses ADS to boost DLL loading speed.
  • Anti-virus applications, such as Kaspersky, use ADS to enhance the scanning of files.

How to Create an ADS

Creating an ADS is not rocket science. Basic DOS commands like type can be used, in conjunction with the [ > ] redirect symbol and the [ : ] colon symbol, to fork a file into another file.

Let’s demonstrate the steps of using ADS to hide information in a file.
Step 1: Open the terminal and create a text file
C:> echo Today is going to be a great day > file1.txt
This command saves the given string to a text file called file1.txt.
Step 2: Confirm the contents of the file
Let’s now confirm the contents of the file by using the type command, as shown below.

C:> type file1.txt

Today is going to be a great day

Step 3: Append new content to a hidden stream of the file
C:> echo The sun is all up, and the coast is clear > file1.txt:hidden
It appears that we have created a new file called file1.txt:hidden, which is not the case.
We have just created an Alternate Data Stream within the file1.txt file under the name ‘hidden’.
No file named file1.txt:hidden exists on its own.
If we try to examine its contents with type, the Windows prompt returns an error, as illustrated below.
C:> type file1.txt:hidden
The filename, directory name, or volume label syntax is incorrect.

However, we can reveal the contents of the stream by redirecting it into more, as shown below.
C:> more < file1.txt:hidden
The sun is all up, and the coast is clear

Here are three interesting points to note if you run dir on the directory after these steps.
  • The timestamp has changed after adding the Alternate Data Stream to the existing file. That is the only indication that a change has indeed happened.
  • The file size remains unchanged, as evidenced by the size 36 shown next to file1.txt in the directory listing. This implies that a file could carry many ADS streams without your knowledge.
  • Because these changes are so subtle, it’s challenging to detect Alternate Data Streams unless you use a third-party tool.

RISKS ASSOCIATED WITH ALTERNATE DATA STREAMS

Alternate Data Streams enable information to be hidden within other files. As such, they can be a security risk.
An attacker can easily store malicious code or payloads in them and use them to damage your system.
Let’s consider this example.
C:> type c:\windows\system32\calc.exe > file1.txt:calc.exe
The above command copies the Windows calculator program into an ADS named calc.exe that is attached to file1.txt.
To launch the hidden calc.exe copy from its ADS in file1.txt, an attacker can run the following command.
C:> start c:\file1.txt:calc.exe
Now, suppose that was not calc.exe but destructive malware. It could lead to extensive damage to your system.
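The detection problem raised in the directory-listing notes above and the calc.exe example here can be handled with Windows’ own tooling. The following PowerShell function is an added example for this post (not the author’s code); it assumes Windows PowerShell 5.1 on an NTFS volume and a hypothetical scan path of C:\Users\Public, and it lists every non-default stream with its size, SHA-256 and whether the content starts with the PE ‘MZ’ magic bytes.

```powershell
# Added example (not from the original post): enumerate non-default NTFS
# streams under a directory so a stream such as file1.txt:hidden or
# file1.txt:calc.exe becomes visible without third-party tools.
# Assumes Windows PowerShell 5.1 (Get-Content -Encoding Byte) on NTFS;
# on PowerShell 7 replace "-Encoding Byte" with "-AsByteStream".
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $IncludeZoneIdentifier   # Zone.Identifier is the normal Mark-of-the-Web stream
    )
    $sha256 = [System.Security.Cryptography.SHA256]::Create()
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Get-Item -Stream * returns the unnamed data stream (':$DATA') plus every ADS.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
        ForEach-Object {
            # Read the stream itself (not the primary file content) as raw bytes.
            $bytes = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -Encoding Byte -Raw -ErrorAction SilentlyContinue
            if ($null -eq $bytes) { $bytes = [byte[]]@() }
            $hash = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
            [pscustomobject]@{
                File        = $file.FullName
                Stream      = $_.Stream
                Bytes       = $bytes.Length
                SHA256      = $hash   # compare against threat-intel hash lists
                # PE images (like the calc.exe copy above) begin with the 'MZ' magic bytes
                LooksLikePE = ($bytes.Length -ge 2 -and $bytes[0] -eq 0x4D -and $bytes[1] -eq 0x5A)
            }
        }
    }
}

# Usage: scan a directory (hypothetical path) and show what was found.
# The same information is available from cmd.exe with "dir /R".
Find-AlternateDataStreams -Path 'C:\Users\Public' | Format-Table -AutoSize

# Remediation once a stream is confirmed unwanted (leaves the primary file intact):
#   Remove-Item -LiteralPath 'C:\file1.txt' -Stream 'calc.exe'
```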

CONCLUSION

The greatest challenge with Alternate Data Streams is that, if used for nefarious purposes, they are hard to detect unless you use third-party applications.
Additionally, ADS cannot be disabled.
Therefore, it’s critical to institute robust measures to prevent their abuse.

  • Prevent Unauthorized Access to Sensitive Windows Folders
  • No more unauthorised access to sensitive data
  • No more unclear permission assignments
  • No more unsafe data
  • No more security leaks

#cybersecurity #privacy
