Permanent Link: [Article]-Alternate Data Streams (ADS): Hiding In Plain Site

Offer your thoughts and experiences,
Don

PS - ADS is covered in many of the ethical hacking certification exams. This is a good introductory article that shows you exactly how it works.

ADS was originally created for compatability with Macs. Macs by nature don't have file extensions in the file name. The data that tells a Mac the file association was held in a seperate "fork" of the file as opposed to the file name itself. This has been changes since Mac OSX, but ADS has taken on additional duties for Windows such as the Summary feature. Google for more details.

As with most things, hackers find a unique way of making a feature do something it was not initially meant to do. This is not a bad thing. But "crackers" do the same thing for bad purposes. Thus the difference between a hacker and a cracker (just threw that in for those about to take a cert exam).

Hope this helps,
Don

PS - digg this story!

Great work, Brian! 

It's a fun topic and am glad you brought me in on the project.   

I know alot of other programs now use ADS. I think the "Thumbs.db" file uses ADS It's used for picture icons in windows folders also some PDF's use the ADS file space. I am unaware of anyway to disable ADS but if you convert your file system to FAT32 you will drop all ADS streams from the drive. I guess if you had a lot of spare time on your hands you could convert your drive to FAT32 and then convert it back to NTFS to kill all the ADS streams. There are tools freely avaible on the net to find and ID ADS streams on you harddrvie. I like using a tool called LNS.exe (http://ntsecurity.nu/toolbox/lns/) it free and is command line driven so it's very light weight to use and works very fast.

Brian