| General OS Tweaks Questions, info, results for various OS tweaks and OS tweaking apps. |
| | #1 (permalink) | |
| Heya everyone, I was sitting in on my hardware/software class today and somehow we all got onto the topic of alternate data streams, an interesting feature that makes you say "cool" and "omfg" at the same time. This was the first time I'd heard of alternate data streams, so I thought I'd share what I learned today. Alternate data streams were created with the Windows NT architecture, and meant to bridge a gap between Windows and Macintosh file systems. Windows, as you know, started using NTFS with the introduction of Windows NT, while Macintosh uses a hierarchical file system. A file on a Mac can use what is called a "fork", which is a form of alternate data paths. A "fork" can be thought of much like a fork in a road. One side of the fork stores actual data inside a file, while the other side of the fork is used to store information about the file itself. Alternate data streams, in a Windows environment, are very similar and resemble the functionality of metadata. Any file under the NT file system, or even a folder, can contain ADSs. But ADSs can only exist in a purely NTFS environment, where once it is introduced into a FAT32 or older file system, the alternate data streams are stripped off and the file returns to its normal self. In this regard, alternate data paths are useful in storing virtually permanent data about a file, no matter how you copy or move it. An aspect that is to be concerned with ADSs is malicious code and viruses. The ability to literally "attach" an entire executable to any type of file is enough to make me think completely differently about downloading files from the net. In my class today, one of the teachers demonstrated how she took the simple calculator program in Windows and attached an .avi file to the calc.exe as an ADS. From a view standpoint, the .avi file was undetectable through file properties... and the calc.exe still displayed 112Kb file size, although it now occupied over 250Mb on disk!
Alternate data streams are fairly difficult to detect, depending on how you go about it. There are a number of Alternate Data Stream detection utilities available for free, including the one we used today called LADS. LADS can be used to scan an entire PC to detect the presence of ADSs. An alternate data stream that is actually running can possibly be detected by using Task Manager, looking for a process that is preceded by ":filename.exe"... and the colon is key! Many anti-spyware/anti-malware/anti-virus programs currently scan for malicious alternate data streams. I quickly searched the forums here, and didn't find anything on alternate data streams, so I decided to inform y'all on what I know. Pretty interesting stuff, but kinda scary too | ||
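A detection sketch for the streams described in the post above, added here as an example and not part of the thread: it lists every named stream under a folder next to the size that a normal directory listing reports for the file. The function name `Find-AlternateDataStream`, the scratch folder `ads-demo` and the stream name `extra` are hypothetical; it assumes an NTFS volume and PowerShell 3.0 or later, where the file system cmdlets accept `-Stream`.

```powershell
# Added example: enumerate alternate data streams (ADS) under a directory.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier is the mark Windows puts on downloaded files; hidden by default.
        [switch] $IncludeZoneIdentifier
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                # ':$DATA' is the unnamed default stream, i.e. the normal file content.
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File        = $file.FullName
                        Stream      = $_.Stream
                        StreamBytes = $_.Length     # bytes held in the named stream
                        ListedBytes = $file.Length  # size of the default stream only
                    }
                }
        }
}

# Constructed demo: a scratch file with a harmless text stream attached.
$demoDir = Join-Path $env:TEMP 'ads-demo'   # hypothetical scratch folder
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null
$demoFile = Join-Path $demoDir 'note.txt'
Set-Content -Path $demoFile -Value 'visible content'
Set-Content -Path $demoFile -Stream 'extra' -Value ('x' * 4096)

# The report shows the 'extra' stream and its size beside the small listed size.
Find-AlternateDataStream -Path $demoDir | Format-Table -AutoSize

Remove-Item -LiteralPath $demoDir -Recurse -Force
```

Comparing `StreamBytes` with `ListedBytes` makes the mismatch from the calc.exe demonstration visible: the listed size covers only the default stream, while the named stream's bytes are counted separately.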
| | #3 (permalink) | |
| Those are the viruses that you didn't have back in the classic 98 days. I love FAT Filesystems. NTFS is nice if you really need security, but who wants to secure 400k files per different users and groups? FAT32 was actually more secure due to you either locked the PC from the logon (NT workstation, Windows for Workgroups) or you just had dial up and were only connected to the internet when you used it. I never had a virus till I got cable, and I downloaded my share of items online. We learned about ADS in my intro to IT class, that I tested out of in two weeks being there. I also learned about that in my vo-tech, when the Symantec guy came in and did a presentation....lame....we got Norton for one year for free though, enterprise edition, too bad it is a bigger resource hog than Windows. Anyhow, nice write up, +rep for the effort man, always nice to have the info there to help others learn. EDIT: I gotta spread it but you'll see it soon | ||