Finding ADS on NTFS

ADS (Alternate Data Streams) is a “feature” of the NTFS (file system used on Windows 2000, XP, etc) that permit files to be completely hidden from the system. You can read more about ADS in these two links: windowsecurity.com ADS and lads.

Currently I am working on merging rootcheck (an anomaly detection module) to Windows and one of the things it needs to detect is hidden files using NTFS ADS. However, so far, I couldn’t find any open source tool that detects them (yes, there is freeware programs out there, but no source code). Most of the articles I read point to lads, which is free, but not open source.

So, to fill this gap, I am releasing a beta version of a small tool (ads_dump) that scans a given directory and prints every ADS found. It is a standalone tool, but it will be soon included into ossec.

You can download it from here and the source code (GPL v2) from here.

Using this tool is very simple, just execute it and pass as an argument the directory to scan. It is going to print every ADS found. Example:

C:>ads_dump.exe
ads_dump.exe dir

C:>echo hidden > C:temp/a:hidden
C:>echo hidden > C:temp/a:hidden2
C:>ads_dump.exe C:temp
Found NTFS ADS: 'C:tempa:b'
Found NTFS ADS: 'C:tempa:hidden'
Found NTFS ADS: 'C:tempa:hidden2'

*Please note that it is still in beta (comments and suggestions are welcome). It will be also be included on the next version of ossec as part of the Windows anomaly detection module.

Leave a Reply

Your email address will not be published. Required fields are marked *