Home Screenshots | About NTFS Streams | Test your Antivirus | Howto | NTFS Streams on Sourceforge | Download

NTFS-Streams: ADS manipulation tool

Discover hidden files (which you never seen before!) in Windows

NTFS ADS Tool is an utility to reveal, list, delete, show contents, extract/copy hidden files from NTFS Alternate Data Streams.





Windows Rootkits can hide any files but not from this utility!
Here Rustock driver lzx32.sys attached at C:\WINDOWS\system32 folder:


Special, unprintable and national characters shown correctly if locale and fonts properly installed (default on most distributions).


 

Features: Information about every stream:
Informationcomment
drive/partition*nix notation (/dev/hda or /dev/sda)
file name 
sizeBytes
contents of the streamdetermined by the file command (stat + magic number test)
last access date/timeatime
last modification date/timemtime

read more about Alternate Data Streams:

http://www.heysoft.de/nt/ntfs-ads.htm Home of LADS
http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx Home of STREAMS.EXE

Comparison of Software to list/delete ADS

feature\programstreams (sysinternals/msft)ladsntfs-ads
list
delete all streams
delete individual streams
copy/extract
determine contents
show atime
show mtime
cannot be cheated by windows rootkits?
no change atime?
show national characters correctly? (üöäøщξ) *
open source?**
* locale and fonts should be installed
** sources were closed after sysinternals was bought by MSFT

Test (without risk of infection) if your Antivirus Software can detect ADS

  1. go to http://en.wikipedia.org/wiki/EICAR_test_file and read about EICAR test virus.
  2. open cmd.exe and execute

    echo X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H* > c:\test.txt:eicar.com


  3. check drive C: with your Antivirus software

Rustock B is not active, but ClamWin cannot detect the Rustocks driver in Alternate Data Streams:




ntfs-ads based on: GNU/Linux, ntfs-3g, xattr, zenity
tested on ubuntu 8.04, kubuntu 8.04, xubuntu 8.04, knoppix 5.3 DVD

SourceForge.net Logo