Activity 1: Creating & Viewing ADS with Command Prompt
Context: NTFS allows multiple data streams attached to a single file. The default stream (:$DATA) is what you see in Explorer. Additional named streams are completely invisible to normal directory listings, Explorer, and most applications. In this activity, you will create ADS using the Command Prompt and learn the basic detection command.
Key concepts: The colon (:) separator is what creates the named stream. file.txt:hidden means "the stream named 'hidden' attached to file.txt." The type command, combined with output redirection, writes data into a stream, and dir /R reveals streams that dir alone cannot see. Explorer never shows ADS, and the file size it reports does not change.
Activity 2: ADS with PowerShell
Context: PowerShell provides more granular ADS control than CMD. You can create, list, read, and remove individual streams using native cmdlets. Windows also uses ADS internally — the Zone.Identifier stream marks files downloaded from the internet (the "Unblock" checkbox in file properties removes this stream).
Key concepts: PowerShell's -Stream parameter works with Set-Content, Get-Content, Get-Item, and Remove-Item. The Zone.Identifier ADS is a real-world example of how Windows uses ADS natively — it marks downloads with their origin zone (Internet = ZoneId 3). Unblock-File removes this stream.
Activity 3: Sysinternals Streams Utility
Context: Microsoft's Sysinternals streams.exe is a dedicated tool for enumerating and deleting ADS across entire directory trees. It is far more efficient than manually running dir /R or PowerShell on hundreds of files. This is the tool forensic analysts use when scanning an entire evidence drive.
Key concepts: streams.exe -s recurses into subdirectories. The -d flag deletes all ADS (use with caution on evidence — document first!). Sysinternals tools are free from Microsoft and accepted in forensic practice. Always run streams on a forensic copy, never the original evidence.
Activity 4: Forensic ADS Investigation
Scenario: During an insider threat investigation, a departing employee's workstation was imaged. Preliminary analysis found no obvious contraband. However, several files in their Documents folder have unexplained size discrepancies. Walk through a systematic ADS investigation using multiple tools.
Forensic reminder: ADS do not survive transfer to non-NTFS file systems. If evidence is copied to FAT32, exFAT, cloud storage, or emailed — all streams are silently stripped. Always analyze ADS on the original NTFS volume or a forensic image mounted with NTFS support. FTK Imager and Autopsy display ADS natively when browsing mounted NTFS images.
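The systematic sweep described in Activity 4, built from the PowerShell -Stream cmdlets introduced in Activity 2, as an added example that is not part of the lab worksheet: it walks a mounted NTFS image, lists every named stream, hashes each one for the evidence log, extracts the ZoneId from Windows' own Zone.Identifier marker, and flags everything else as unexplained. The function name, the $Path default and the report location are assumptions; it assumes the image is mounted read-only with NTFS support.

```powershell
# Added example (not the lab's own code): triage ADS on a mounted NTFS evidence image.
# Assumption: $Path points at a read-only mount of the forensic image.
function Get-AdsTriageReport {
    param(
        [string] $Path = 'C:\ForensicImage\Users\jdoe\Documents'
    )
    $sha256 = [System.Security.Cryptography.SHA256]::Create()

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        # -Stream * returns every stream; ':$DATA' is the default stream Explorer shows.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' } |
          ForEach-Object {
            $spec = '{0}:{1}' -f $file.FullName, $_.Stream
            # .NET file APIs accept the file:stream syntax, so the stream can be hashed
            # in place without copying it off the NTFS volume (which would strip it).
            $fs = [System.IO.File]::OpenRead($spec)
            try   { $hash = ($sha256.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
            finally { $fs.Dispose() }

            $zoneId = $null
            if ($_.Stream -eq 'Zone.Identifier') {
                # Windows' own marker: ZoneId=3 means the file came from the Internet zone.
                $zoneId = Get-Content -LiteralPath $file.FullName -Stream Zone.Identifier |
                          ForEach-Object { if ($_ -match '^ZoneId=(\d+)') { $Matches[1] } } |
                          Select-Object -First 1
            }
            [pscustomobject]@{
                File       = $file.FullName
                Stream     = $_.Stream
                Bytes      = $_.Length
                ZoneId     = $zoneId
                SHA256     = $hash
                # Any stream other than the download marker is unexplained and needs review.
                Suspicious = ($_.Stream -ne 'Zone.Identifier')
            }
          }
      }
}

# Usage: unexplained streams first, largest first; then keep the full report as evidence.
$report = Get-AdsTriageReport
$report | Sort-Object Suspicious, Bytes -Descending | Format-Table -AutoSize
$report | Export-Csv -LiteralPath 'C:\Evidence\ads_report.csv' -NoTypeInformation
```

Cross-check the Suspicious rows against streams.exe -s output from Activity 3; the two tools should agree on every stream name and size.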