ADS

5/1/2004

Alternate Data Streams (ADS) are a feature of the NTFS file system available with Windows NT, 2000 and XP. ADS provides a means to associate supplemental information with a visible file. The intent of ADS was to support Macintosh HFS file systems which incorporate a feature called Resource Forking that is used to store specialized information with regard to a file (e.g. file specific icons, or thumbnail images associated with full size images). NTFS ADS files are simply additional, hidden, files associated with a file or directory. ADS files have no access rights of their own. They inherit their access rights from the file that they are associated with.

In addition to the intended uses, ADS can be used to hide data/files -- which is not necessarily an especially good idea for most users most of the time. The hidden files are not reported by most conventional utilities. Windows tools are inconsistent in their handling of ADS files. For example DIR ignores them, but TYPE will list their content. Special utilities that are intended to detect ADS files do not always succeed if the ADS files are appended to something other than an existing visible file -- for example to a directory. This may be ameliorated in future Windows releases

ADS files are somewhat similar in intent to Windows metafiles. ADS files are not the same as Windows metafiles which are prefixed with a $ and are also hidden in many contexts. Windows meta files are used by the Windows XP operating system to store OS specific information. Syntactically, metafiles start with a $. ADS file names are prefixed with a file name (the associated file name) followed by a colon -- e.g. C:\ASSOCIATED_FILE:HIDDEN_ADS_FILE.TXT. ADS files are preserved in copies/moves of the associated files between/within NTFS systems. The files are lost in a copy/move to a file system such as FAT (e.g. a floppy) that does not support ADS files.

Some analysts have some reservations about the wisdom of Windows ability to carry along hidden files -- possibly executable -- attached to crtitical system files. The concern seems to be that difficult to detect and remove malware might use this feature.

Return To Index Copyright 1994-2002 by Donald Kenney.