Alternate Data Stream


NTFS has a feature, similar to Macintosh resource forks, called the alternate data stream (ADS): an area of data that is associated with a file but stored separately from the file's main contents.  It is largely invisible to ordinary users; Windows Explorer and most standard tools show only the main (unnamed) stream and its size.


One significant interest will be for forensic investigators, as an ADS can be used to hide data in a way that is not visible to standard tools.  The data is not gone, however: it is described in the same MFT record as the main stream, so it can be recovered by reading the MFT directly, and on a live Windows system 'dir /R' or PowerShell's 'Get-Item -Stream *' will list the extra streams.


The way that an ADS works internally on NTFS disks is fairly simple, and all contained within the MFT structure: every stream of a file is just a $DATA attribute (type 0x80) in the file's MFT record, and a $DATA attribute that carries a name is an ADS.  The MFT record below is for a file hello.txt with two alternate data streams.


00000000   46 49 4C 45 30 00 03 00 - 81 BB 20 00 00 00 00 00    FILE0..... .....
00000010   06 00 01 00 38 00 01 00 - 00 02 00 00 00 04 00 00    ....8...........
00000020   00 00 00 00 00 00 00 00 - 07 00 00 00 28 00 00 00    ............(...
00000030   0C 00 47 11 00 00 00 00 - 10 00 00 00 60 00 00 00    ..G.........`...
00000040   00 00 00 00 00 00 00 00 - 48 00 00 00 18 00 00 00    ........H.......
00000050   AC C1 CF BF 9E FE CB 01 - D4 7A 13 B3 A0 FE CB 01    .........z......
00000060   DD 68 26 26 A1 FE CB 01 - AC C1 CF BF 9E FE CB 01    .h&&............
00000070   20 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00     ...............
00000080   00 00 00 00 08 01 00 00 - 00 00 00 00 00 00 00 00    ................
00000090   40 26 00 00 00 00 00 00 - 30 00 00 00 70 00 00 00    @&......0...p...
000000A0   00 00 00 00 00 00 02 00 - 54 00 00 00 18 00 01 00    ........T.......
000000B0   05 00 00 00 00 00 05 00 - AC C1 CF BF 9E FE CB 01    ................
000000C0   AC C1 CF BF 9E FE CB 01 - AC C1 CF BF 9E FE CB 01    ................
000000D0   AC C1 CF BF 9E FE CB 01 - 00 00 00 00 00 00 00 00    ................
000000E0   00 00 00 00 00 00 00 00 - 20 00 00 00 00 00 00 00    ........ .......
000000F0   09 03 68 00 65 00 6C 00 - 6C 00 6F 00 2E 00 74 00    ..h.e.l.l.o...t.
00000100   78 00 74 00 00 00 00 00 - 80 00 00 00 40 00 00 00    x.t.........@...
00000110   00 00 18 00 00 00 04 00 - 28 00 00 00 18 00 00 00    ........(.......
00000120   54 68 69 73 20 69 73 20 - 76 69 73 69 62 6C 65 20    This is visible 
00000130   74 65 78 74 2C 20 62 75 - 74 20 6E 6F 74 20 74 6F    text, but not to
00000140   6F 20 6C 6F 6E 67 0D 0A - 80 00 00 00 58 00 00 00    o long......X...
00000150   01 06 40 00 00 00 05 00 - 00 00 00 00 00 00 00 00    ..@.............
00000160   00 00 00 00 00 00 00 00 - 50 00 00 00 00 00 00 00    ........P.......
00000170   00 10 00 00 00 00 00 00 - 11 00 00 00 00 00 00 00    ................
00000180   11 00 00 00 00 00 00 00 - 68 00 69 00 64 00 64 00    ........h.i.d.d.
00000190   65 00 6E 00 00 00 00 00 - 11 01 25 00 A0 F8 FF FF    e.n.......%.....
000001A0   80 00 00 00 58 00 00 00 - 01 07 40 00 00 00 06 00    ....X.....@.....
000001B0   00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00    ................
000001C0   50 00 00 00 00 00 00 00 - 00 10 00 00 00 00 00 00    P...............
000001D0   1A 00 00 00 00 00 00 00 - 1A 00 00 00 00 00 00 00    ................
000001E0   68 00 69 00 64 00 64 00 - 65 00 6E 00 32 00 00 00    h.i.d.d.e.n.2...
000001F0   11 01 23 00 80 FA FF FF - FF FF FF FF 82 79 0C 00    ..#..........y..


The MFT record above shows a file with 2 ADS in addition to the main, resident data.  The unnamed $DATA attribute starts at 0x108 and holds 0x28 (40) bytes of resident data, which begin at the content offset 0x18 from the attribute start, ie at 0x120.  If viewed in Windows, the file will look like a 40 byte file with the data "This is visible text, but not too long" (followed by CR LF).  NB the principle is identical for both resident and non resident data.


The next two $DATA attributes, at 0x148 and 0x1A0, carry the stream names 'hidden' and 'hidden2' (UTF-16 names at 0x188 and 0x1E0).  The lengths of the data are 0x11 (17) and 0x1A (26) bytes (the real size fields at 0x178 and 0x1D0), but in these cases the data is not resident, as indicated by the 0x01 non-resident flag in bytes 0x150 and 0x1A8.  Instead each attribute holds a data run (11 01 25 at 0x198 and 11 01 23 at 0x1F0): header 0x11 means a one byte length and a one byte cluster offset, so each stream occupies a single cluster, at LCN 0x25 and LCN 0x23 respectively, and that is where the hidden contents actually sit on the disk.



CnW will produce 3 files from this MFT record, named as below:


       hello.txt                40 bytes

       hello.txt-#-hidden       17 bytes

       hello.txt-#-hidden2      26 bytes
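The walk described above, as an added Python example that is not CnW's code: it applies the update sequence fixups, steps through the attributes of the record, lists every $DATA attribute with its name, residency, size and data runs, and produces the three output names in the convention documented on this page.  The record bytes are constructed from the hex dump above; the field offsets are the standard NTFS attribute layout, and the helper names (apply_fixups, parse_data_runs, parse_record, output_names) are this example's own.

```python
"""List the $DATA attributes (main stream plus alternate data streams) of an
NTFS MFT record.  Added example for this page, not CnW's own code; the record
bytes are constructed from the hex dump above, the layout is standard NTFS."""
import struct

# The 512 used bytes of the MFT record dumped above (allocated size is 0x400,
# but the record header says only 0x200 are in use).
MFT_RECORD = bytes.fromhex(
    "46494C4530000300 81BB200000000000 0600010038000100 0002000000040000"
    "0000000000000000 0700000028000000 0C00471100000000 1000000060000000"
    "0000000000000000 4800000018000000 ACC1CFBF9EFECB01 D47A13B3A0FECB01"
    "DD682626A1FECB01 ACC1CFBF9EFECB01 2000000000000000 0000000000000000"
    "0000000008010000 0000000000000000 4026000000000000 3000000070000000"
    "0000000000000200 5400000018000100 0500000000000500 ACC1CFBF9EFECB01"
    "ACC1CFBF9EFECB01 ACC1CFBF9EFECB01 ACC1CFBF9EFECB01 0000000000000000"
    "0000000000000000 2000000000000000 0903680065006C00 6C006F002E007400"
    "7800740000000000 8000000040000000 0000180000000400 2800000018000000"
    "5468697320697320 76697369626C6520 746578742C206275 74206E6F7420746F"
    "6F206C6F6E670D0A 8000000058000000 0106400000000500 0000000000000000"
    "0000000000000000 5000000000000000 0010000000000000 1100000000000000"
    "1100000000000000 6800690064006400 65006E0000000000 11012500A0F8FFFF"
    "8000000058000000 0107400000000600 0000000000000000 0000000000000000"
    "5000000000000000 0010000000000000 1A00000000000000 1A00000000000000"
    "6800690064006400 65006E0032000000 1101230080FAFFFF FFFFFFFF82790C00"
)

ATTR_FILE_NAME = 0x30
ATTR_DATA = 0x80
END_MARKER = 0xFFFFFFFF


def apply_fixups(rec: bytes) -> bytes:
    """Undo the update sequence array: on disk the last two bytes of every
    512-byte sector are overwritten with the USN (0x000C here, visible at
    0x1FE in the dump) and the real bytes are kept in the array at 0x32."""
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    out = bytearray(rec)
    for i in range(1, usa_count):
        end = i * 512
        if end > len(rec):
            break                         # only the used part was dumped
        if out[end - 2:end] != usn:
            raise ValueError(f"bad fixup at {end - 2:#x}: record is torn")
        out[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)


def parse_data_runs(buf: bytes) -> list:
    """Decode a data-run list into (starting LCN, cluster count) pairs.
    The header byte packs the size of the length field (low nibble) and of
    the LCN-delta field (high nibble); deltas are signed and cumulative."""
    runs, pos, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:
        len_sz, off_sz = buf[pos] & 0x0F, buf[pos] >> 4
        pos += 1
        length = int.from_bytes(buf[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz == 0:                   # sparse run: no clusters on disk
            runs.append((None, length))
        else:
            lcn += int.from_bytes(buf[pos:pos + off_sz], "little", signed=True)
            pos += off_sz
            runs.append((lcn, length))
    return runs


def parse_record(rec: bytes) -> dict:
    """Return the file name and every $DATA stream of one MFT record."""
    rec = apply_fixups(rec)
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    pos = struct.unpack_from("<H", rec, 0x14)[0]     # offset of first attribute
    used = struct.unpack_from("<I", rec, 0x18)[0]    # bytes of the record in use
    result = {"name": None, "streams": []}
    while pos + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == END_MARKER or alen == 0:
            break
        nonres, name_len, name_off = struct.unpack_from("<BBH", rec, pos + 8)
        if atype == ATTR_FILE_NAME and nonres == 0:
            coff = struct.unpack_from("<H", rec, pos + 0x14)[0]
            fn_len = rec[pos + coff + 0x40]          # name length in UTF-16 units
            start = pos + coff + 0x42
            result["name"] = rec[start:start + 2 * fn_len].decode("utf-16-le")
        elif atype == ATTR_DATA:
            name = rec[pos + name_off:pos + name_off + 2 * name_len].decode("utf-16-le")
            stream = {"name": name, "offset": pos, "resident": nonres == 0}
            if nonres == 0:                          # data follows the header
                clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
                stream["size"] = clen
                stream["data"] = rec[pos + coff:pos + coff + clen]
            else:                                    # data lives in clusters
                run_off = struct.unpack_from("<H", rec, pos + 0x20)[0]
                stream["size"] = struct.unpack_from("<Q", rec, pos + 0x30)[0]
                stream["runs"] = parse_data_runs(rec[pos + run_off:pos + alen])
            result["streams"].append(stream)
        pos += alen
    return result


def output_names(parsed: dict) -> list:
    """Names the page says CnW gives the extracted streams: the main stream
    keeps the file name, an ADS becomes '<file>-#-<stream>'."""
    return [parsed["name"] if not s["name"] else f"{parsed['name']}-#-{s['name']}"
            for s in parsed["streams"]]


if __name__ == "__main__":
    parsed = parse_record(MFT_RECORD)
    for s, out_name in zip(parsed["streams"], output_names(parsed)):
        where = "resident" if s["resident"] else f"runs {s['runs']}"
        print(f"{out_name:22} {s['size']:3d} bytes  attr @ {s['offset']:#05x}  {where}")
```

Note the fixup step: the dump is raw from disk, so bytes 0x1FE-0x1FF hold the update sequence number 0C 00 rather than the original 47 11 saved at 0x32.  A parser that skips this will misread any field, or any resident stream, that straddles a sector boundary.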