Finding alternate data streams with AlternateStreamView
NTFS system has a feature that allows to add multiple streams in addition to the main file stream. When you open or view the file, only the main file stream is visible, while other additional streams are hidden from the user.
Here's 3 examples of alternate streams usage in Windows operating system:
- Favorites of Internet Explorer: When You add a Web site link into your 'Favorites', a .url file containing the url and description is created. However, if the Web site also have an icon (favicon), the icon is saved as alternate stream for the same url file. The stream name of the icon is :favicon:$DATA
- Downloaded files of Internet Explorer: When you download and save a file with Internet Explorer, it automatically add a zone information for the saved file. This zone information is used for identifying the file as downloaded file from the Internet. The stream name in this case is :Zone.Identifier:$DATA
- Summary information of files: When you right-click on a file in Explorer and go to the 'Summary' tab, you can add summary information for the file, like title, subject, author, and so on. This summary information is also saved into alternate stream. The stream name in this case is SummaryInformation:$DATA.
In addition to the legitimate usage of alternate streams, this technique may also be used by Viruses/Trojans/Spywares for saving data and hiding it from the user.
AlternateStreamView is a new GUI tool that allows you to easily scan your NTFS drive, and find all hidden alternate streams stored in the file system. After scanning and finding the alternate streams, you can extract these streams into the specified folder, delete unwanted streams, or save the streams list into text/html/csv/xml file.
For more information and download link, click here