NTFS

New Technology File System (NTFS)

Alternate Data Stream (ADS)

Each file has at least one data stream ($DATA). However, a file can contain more than one data stream — a feature known as Alternate Data Stream (ADS). The concept of ADS is specific to NTFS.

What is $DATA?

In NTFS, a file consists of multiple attributes, where one of them is $DATA, which holds the actual content of a file.

As mentioned earlier, NTFS allows multiple Alternate Data Streams (ADS) to be defined on a file. However, the additional content stored via ADS is hidden by default, and thus does not alter the file's visible size in the file explorer. Threat actors can abuse this feature to hide malicious content.

Key point to note: File explorer does not display ADS content by default
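To make hidden streams visible, the added example below (not part of the original page) walks a directory with PowerShell's built-in `-Stream` parameter and reports every stream other than the default `:$DATA`. The function name `Find-AlternateDataStream`, the demo file names, and the assumption that `$env:TEMP` sits on an NTFS volume are all choices made for this example.

```powershell
# Added example: report alternate data streams under a directory (NTFS only).
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        # Stream names to skip, e.g. 'Zone.Identifier' (written for downloaded files)
        [string[]]$IgnoreStream = @()
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns one object per stream, including the default ':$DATA'
            Get-Item -LiteralPath $file.FullName -Stream * -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $IgnoreStream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File         = $file.FullName
                        Stream       = $_.Stream
                        StreamLength = $_.Length      # bytes stored in the alternate stream
                        VisibleSize  = $file.Length   # bytes in the default stream only
                    }
                }
        }
}

# Constructed demo data: a file with one extra stream in a throwaway directory.
$dir  = Join-Path $env:TEMP ("ads-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$file = Join-Path $dir 'note.txt'
Set-Content -LiteralPath $file -Value 'visible text'
Set-Content -LiteralPath $file -Stream 'extra' -Value 'content held in a second stream'

# The reported file size counts the default stream only.
(Get-Item -LiteralPath $file).Length

# The scan lists the 'extra' stream with its own length.
Find-AlternateDataStream -Path $dir | Format-Table -AutoSize

# Read the alternate stream explicitly, then clean up the demo directory.
Get-Content -LiteralPath $file -Stream 'extra'
Remove-Item -LiteralPath $dir -Recurse -Force
```

On a real scan, pass `-IgnoreStream 'Zone.Identifier'` to cut noise from downloaded files, and review any remaining stream whose `StreamLength` is large compared with `VisibleSize`.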
