The Windows Concept Journey — ADS (Alternate Data Stream)

Shlomi Boutnaru, Ph.D.
2 min read · Apr 21, 2024


ADS (Alternate Data Stream) is a feature of NTFS (https://medium.com/@boutnaru/the-windows-concept-journey-ntfs-new-technology-file-system-433e27a2256a) that has been included in Windows in order to provide compatibility with files stored on a Mac file system. With ADS, a file can contain more than one stream of data (there is at least one); the default one is called “:$DATA” (https://owasp.org/www-community/attacks/Windows_alternate_data_stream).

Thus, by leveraging ADS, Windows servers can act as file servers for Apple-based computers. With the support for multiple streams, a Mac user can copy files from/to a Windows server without losing any resource information. By the way, there is also archive/backup software that uses ADS to store file revision history (https://blog.netwrix.com/2022/12/16/alternate_data_stream/).

Lastly, by default, when accessing a file the main stream is used as opposed to the other streams, as shown in the diagram below (https://web.archive.org/web/20230424001002/https://www.darknessgate.com/security-tutorials/date-hiding/ntfs-alternate-data-streams/). Also, we can use the “/R” flag of the “dir” command in “cmd.exe” (https://medium.com/@boutnaru/the-windows-process-journey-cmd-exe-windows-command-processor-501be17ba81b) or “streams.exe”/“streams64.exe” from the Sysinternals Suite (https://learn.microsoft.com/en-us/sysinternals/downloads/streams) in order to display the alternate data streams of a file.
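The same check can be done from PowerShell. The following is an added example, not part of the original writeup: it shows that a normal read only touches the main stream and then audits a directory tree for named streams. The function name `Get-AlternateStream`, the `ads-demo` directory, `report.txt` and the `notes` stream are made up for the demo; it assumes PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example: list every stream other than the default ":$DATA" under a directory.
function Get-AlternateStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Stream names to skip. "Zone.Identifier" is the Mark-of-the-Web stream
        # Windows attaches to downloaded files, so it is common and usually benign.
        [string[]]$Ignore = @()
    )
    # -File limits the walk to files; directories can carry streams too and
    # would need a separate pass without -File.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $Ignore } |
        Select-Object FileName, Stream, Length
}

# Constructed demo data in a scratch directory (all names are hypothetical).
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$file = Join-Path $demo 'report.txt'

Set-Content -LiteralPath $file -Value 'visible content'                # main stream
Set-Content -LiteralPath $file -Stream 'notes' -Value 'second stream'  # named stream

Get-Content -LiteralPath $file                  # default access reads the main stream only
(Get-Item -LiteralPath $file).Length            # reported size covers the main stream only
Get-Content -LiteralPath $file -Stream 'notes'  # the named stream must be requested explicitly

Get-AlternateStream -Path $demo                            # reports report.txt with stream "notes"
Get-AlternateStream -Path $demo -Ignore 'Zone.Identifier'  # same audit, skipping Mark-of-the-Web

# Clean up: remove only the named stream, then the scratch directory.
Remove-Item -LiteralPath $file -Stream 'notes'
Remove-Item -LiteralPath $demo -Recurse -Force
```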

See you in my next writeup ;-) You can follow me on Twitter: @boutnaru (https://twitter.com/boutnaru). Also, you can read my other writeups on Medium: https://medium.com/@boutnaru. You can find my free eBooks at https://TheLearningJourneyEbooks.com.

Diagram source: https://web.archive.org/web/20230424001002/https://www.darknessgate.com/security-tutorials/date-hiding/ntfs-alternate-data-streams/
