Monday, March 26, 2012

Think you have some ADS in your NTFS? You do: Alternate Data Streams (ADS). Here's some ADS information you might not have seen before...

Hexacorn Ltd - Good Alternate Data Streams (ADS)

"While ADS is not widely supported/used by many apps (maybe with the exception of malware :) ), it can still be used for some interesting purposes. In this short article, I describe a few legitimate uses of ADS by Windows that I know of.

If you know some others or if you spot any mistake, please let me know. Thanks.

This post is loosely based on the Microsoft list, but it contains some more details and looks at these streams from a ‘forensic angle’."




Related Past Post XRef:
ADSdotNET – Access NTFS Alternate Data Streams from your managed languages without P/Invoke
Accessing NTFS Alternate Data Streams with C#
HijackThis gets all open. Download the VB6 (yes, VB6) code now...


Stephen Cleary said...

I'm not sure if you've heard this, but the Windows 8 "ReFS" does not support named streams:

Greg Duncan said...

Yep, sure did...

But ReFS is for Windows 8 Server. It's not part of Windows 8 Client at this point and it's going to be a while before it makes that jump (heck in ReFS v1 you can't even boot off it).

But great point, ADS's days might be numbered (assuming ReFS takes off, that ADS isn't added back, yada, yada...)