AlternateStreamView – Tool to Investigate ADS File System

NTFS has a feature that allows a file to carry multiple data streams in addition to its main stream. When you open or view the file, only the main stream is visible, while the additional streams are hidden from the user. If you want to investigate Alternate Data Streams (ADS), you can try AlternateStreamView.

AlternateStreamView is a small utility that allows you to scan your NTFS drive and find all hidden alternate streams stored in the file system.


Here are three examples of alternate stream usage in the Windows operating system:

  1. Favorites of Internet Explorer: When you add a Web site link to your ‘Favorites’, a .url file containing the URL and description is created. However, if the Web site also has an icon (favicon), the icon is saved as an alternate stream of the same .url file. The stream name of the icon is :favicon:$DATA
  2. Downloaded files of Internet Explorer: When you download and save a file with Internet Explorer, it automatically adds zone information to the saved file. This zone information is used to identify the file as one downloaded from the Internet. The stream name in this case is :Zone.Identifier:$DATA
  3. Summary information of files: When you right-click a file in Explorer and go to the ‘Summary’ tab, you can add summary information for the file, such as title, subject, author, and so on. This summary information is also saved in an alternate stream. The stream name in this case is SummaryInformation:$DATA.

In addition to the legitimate uses of alternate streams, this technique may also be used by viruses, Trojans, and spyware to save data and hide it from the user.
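
For a quick triage without the GUI, a similar scan can be scripted with PowerShell's built-in `-Stream` parameter. This is an added example, not code from AlternateStreamView or its author; the function name `Get-AlternateStream` and the scanned folder are assumptions, and the "known" list contains only the three stream names described above.

```powershell
# Added example: list alternate data streams on files under a folder.
# Needs Windows PowerShell 3.0 or later and an NTFS volume. Files only.

# Stream names described in this article, treated here as expected.
$KnownStreams = @('Zone.Identifier', 'favicon', 'SummaryInformation')

function Get-AlternateStream {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $Path,
        [switch] $Recurse
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse:$Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns one object per stream, including the main one
            Get-Item -LiteralPath $_.FullName -Stream * -Force -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |   # drop the main (unnamed) stream
        ForEach-Object {
            $s = $_
            # Some stream names begin with a control character; strip it before comparing
            $name = $s.Stream -replace '[\x00-\x1f]', ''

            # For Zone.Identifier, pull the ZoneId value (3 = Internet zone)
            $zone = $null
            if ($name -eq 'Zone.Identifier') {
                $m = Get-Content -LiteralPath $s.FileName -Stream $s.Stream -ErrorAction SilentlyContinue |
                     Select-String -Pattern '^ZoneId=(\d+)' | Select-Object -First 1
                if ($m) { $zone = [int]$m.Matches[0].Groups[1].Value }
            }

            [pscustomobject]@{
                File   = $s.FileName
                Stream = $s.Stream
                Length = $s.Length
                ZoneId = $zone
                Known  = $KnownStreams -contains $name
            }
        }
}

# Show streams whose names are not on the expected list, largest first.
# The Downloads folder is only a sample starting point.
Get-AlternateStream -Path "$env:USERPROFILE\Downloads" -Recurse |
    Where-Object { -not $_.Known } |
    Sort-Object Length -Descending |
    Format-Table -AutoSize
```

A stream that is not on the list is not necessarily malicious; the output is a starting point for reviewing what each stream contains.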

You can read more and download this tool over here: