Alternate Data Streams (ADS)
In an NTFS file system, a file can have multiple streams carrying extra data. Normally the content of a file is stored in its $Data stream, but you can create alternate streams on the same file with different content. This can be useful for hiding data, and malware may use it to make its payloads less obvious. However, if you know what you're looking for, these streams are very easy to find.
PowerShell
The easiest way to find files with alternate data streams is to run a PowerShell command like the following, which recursively searches the current directory for any streams that are not $Data.
If you find any interesting names, you can extract their content with another PowerShell command:
If you want to set the content of an ADS, you can do so using the Set-Content command:
Legitimate uses
There is a reason this feature exists, and you may find streams that are not meant to hide malware or secrets at all. Here are a few real-world uses that you might come across.
Zone.Identifier
This is the most common ADS, and it comes from downloading files. You might have seen the warnings that Windows Defender shows when you try to run a program you just downloaded from the internet. Windows Defender knows the file was downloaded because every downloaded file includes this Zone.Identifier stream, which records where the file came from. There are 5 different zones with varying levels of trust:
Local Intranet Zone
Trusted Sites Zone
Internet Zone
Restricted Sites Zone
Local Machine Zone
The most common is zone 3, the Internet Zone, for files downloaded from the internet. The content of this stream might look like this:
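The following script is an added example, not code from the original page: it ties the stream enumeration and Set-Content steps from the PowerShell section to the Zone.Identifier stream described here. It assumes Windows with NTFS and PowerShell 3.0 or later (for the -Stream parameter), creates a constructed scratch directory under $env:TEMP so it runs stand-alone, and maps ZoneId numbers to names using Windows' own numeric zone values (0 = Local Machine through 4 = Restricted Sites).

```powershell
# Added example, not code from the original page. Assumes Windows with NTFS and
# PowerShell 3.0+ (-Stream parameter). $Root is a constructed scratch directory.
$Root   = Join-Path $env:TEMP 'ads-demo'
$Sample = Join-Path $Root 'download.txt'
New-Item -ItemType Directory -Path $Root -Force | Out-Null
Set-Content -Path $Sample -Value 'ordinary file content'
# Constructed Zone.Identifier, shaped like the one a browser writes for an Internet download
Set-Content -Path $Sample -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
# Constructed extra stream of the kind malware might use to stash data
Set-Content -Path $Sample -Stream 'hidden' -Value 'content absent from a plain dir listing'

# Windows' numeric ZoneId values as they appear in Zone.Identifier
$ZoneNames = @{
    0 = 'Local Machine Zone'
    1 = 'Local Intranet Zone'
    2 = 'Trusted Sites Zone'
    3 = 'Internet Zone'
    4 = 'Restricted Sites Zone'
}

# Parse a Zone.Identifier body ("[ZoneTransfer]\r\nZoneId=3 ...") into a zone name
function Get-ZoneName([string]$Content) {
    if ($Content -match '(?m)^ZoneId\s*=\s*(\d+)') {
        $id = [int]$Matches[1]
        if ($ZoneNames.ContainsKey($id)) { return $ZoneNames[$id] }
        return "Unknown zone $id"
    }
    return 'No ZoneId'
}

# Recursively enumerate every stream that is not the main $DATA stream
$Streams = Get-ChildItem -Path $Root -File -Recurse |
    Get-Item -Stream * |
    Where-Object { $_.Stream -ne ':$DATA' }

# Read each alternate stream; decode Zone.Identifier, flag anything else for review
foreach ($s in $Streams) {
    $body = Get-Content -Path $s.FileName -Stream $s.Stream -Raw
    $note = if ($s.Stream -eq 'Zone.Identifier') { Get-ZoneName $body } else { 'review manually' }
    [pscustomobject]@{
        File   = $s.FileName
        Stream = $s.Stream
        Bytes  = $s.Length
        Note   = $note
    }
}
```

Point $Root at a real download folder to triage it; any stream flagged "review manually" deserves a look at its content with Get-Content -Stream.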