Marx ADS Viewer — Detecting Malware in NTFS Alternate Data Streams
Alternate Data Streams (ADS) are an NTFS feature that lets files carry hidden streams of data alongside their primary content. Malware authors sometimes abuse ADS to conceal payloads, configuration files, or exfiltrated data. Marx ADS Viewer is a tool designed to locate, inspect, and extract ADS on NTFS volumes. This article explains how ADS can be abused, how Marx ADS Viewer helps detect malicious activity, and a practical workflow for using the tool in incident response.
What are NTFS Alternate Data Streams (ADS)?
- Definition: ADS are named streams attached to a file (filename:streamname) on NTFS; the default unnamed stream remains the file’s visible content.
- Legitimate uses: storing metadata, thumbnails, or compatibility information.
- Abuse cases: hiding scripts, executables, stolen data, or persistence mechanisms to evade casual inspection and naive antivirus scanning.
Why ADS matter for malware detection
- ADS can hide executable content that doesn’t appear in directory listings or standard file-size checks.
- Forensic artifacts (timestamps, stream names) often reveal suspicious activity.
- Automated scanners may miss ADS unless they explicitly enumerate streams.
Key features of Marx ADS Viewer
- Recursively enumerates ADS across directories or entire volumes.
- Displays stream names, sizes, timestamps, and parent file paths.
- Provides content preview and extraction for further analysis.
- Filters by size, date range, or suspicious stream name patterns.
- Exports findings as CSV or JSON for reporting and SIEM ingestion.
Practical detection workflow with Marx ADS Viewer
- Scope and preparation
  - Run from an account with read access to the target volume.
  - Prefer a live-forensics workstation or a forensic image to avoid altering timestamps.
- Initial scan
  - Run a recursive scan of the target directory or volume to gather all ADS entries.
  - Save the raw output (CSV/JSON) for review and chain-of-custody.
- Prioritize suspicious streams
  - Filter results for streams with nonzero size, executable file headers (MZ), scripting headers (#!, <?xml, and similar), or unusual stream names (e.g., :_hidden, :Zone.Identifier-like variants).
  - Sort by recent modification timestamps to surface recent activity.
- Inspect content
  - Use the viewer’s preview to check textual content; extract binaries to a controlled analysis system.
  - For binaries, compute hashes (SHA256) and query malware databases or internal indicators.
- Contextual correlation
  - Correlate ADS findings with process execution logs, scheduled tasks, autoruns, and network connections.
  - Check parent file ownership and creation/modification patterns for suspicious combinations (e.g., system32 parent with user-owned ADS).
- Containment and remediation
  - If malicious content is confirmed, remove or quarantine the ADS and related artifacts.
  - Remediate persistence (scheduled tasks, services, registry) and perform endpoint scans.
- Reporting
  - Export the Marx ADS Viewer report and include extracted-file hashes, timeline, and recommended remediation steps for stakeholders.
Indicators of compromise to look for
- Streams containing PE headers (bytes “MZ”) or shell scripts.
- Streams with base64-encoded content or long binary blobs in files that should be text.
- Numerous ADS entries on system folders (Windows\System32) or user document folders with no legitimate reason.
- Stream names that mimic system metadata (Zone.Identifier, com.apple.quarantine-like names) but with unusual content.
- Recent timestamps on ADS belonging to long-standing files.
Example commands and checks (conceptual)
- Recursive scan: run Marx ADS Viewer on C:\ with CSV export.
- Filter large streams: sort CSV by stream size descending.
- Extract suspicious stream: export stream to isolated analysis VM, compute SHA256, submit to malware scanners.
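The prioritization step of the workflow, the indicators listed above, and the conceptual CSV checks can be turned into a repeatable triage script. The following is an added example written for this article; it is not part of Marx ADS Viewer and does not call the tool. It assumes a CSV export with the columns path, stream, size and modified (assumed column names; adjust to the viewer's actual export), takes the stream bytes from the caller (extracted by the viewer or read from a forensic image), and applies the page's heuristics: nonzero size, MZ / #! / <?xml headers, base64 blobs, binary content in files that should be text, mimic stream names, system-folder parents and recent modification. The sample records and stream contents are constructed, and the scoring weights and name patterns are assumptions to tune locally.

```python
"""ADS triage over a scanner's CSV export (added example, not Marx ADS Viewer code)."""
import base64
import csv
import hashlib
import io
import re
from datetime import datetime, timedelta, timezone

# Real NTFS metadata stream; its name alone is not suspicious, only odd content is.
KNOWN_METADATA_STREAMS = {"Zone.Identifier"}
# Names that advertise concealment or mimic metadata (pattern list is an assumption).
SUSPICIOUS_NAME_RE = re.compile(r"^(_hidden|zone\.identifier.+|.*quarantine.*)$", re.IGNORECASE)
# Parent folders where an unexpected stream deserves extra weight.
SENSITIVE_PARENTS = ("\\windows\\system32\\",)
# Parent extensions that should hold text, so a binary blob stands out.
TEXT_EXTENSIONS = (".txt", ".log", ".ini", ".csv", ".xml", ".json")
RECENT_WINDOW = timedelta(days=7)
REFERENCE_TIME = datetime(2024, 6, 2, 12, 0, tzinfo=timezone.utc)  # constructed "now"


def classify_content(data: bytes) -> list[str]:
    """Tag a stream's leading bytes with the header types the workflow looks for."""
    tags = []
    head = data[:4096]
    if head[:2] == b"MZ":
        tags.append("pe")            # PE executable header
    if head[:2] == b"#!":
        tags.append("script")        # shebang script
    if head.lstrip()[:5].lower() == b"<?xml":
        tags.append("xml")
    stripped = re.sub(rb"\s", b"", head)
    if len(stripped) >= 64 and re.fullmatch(rb"[A-Za-z0-9+/]+={0,2}", stripped):
        try:
            base64.b64decode(stripped, validate=True)
            tags.append("base64")    # long, cleanly decodable base64 run
        except ValueError:
            pass
    if "pe" not in tags and head:
        sample = head[:512]
        nonprint = sum(1 for b in sample if b < 9 or 13 < b < 32 or b > 126)
        if nonprint / len(sample) > 0.3:
            tags.append("binary")    # mostly non-printable bytes
    return tags


def parse_export(csv_text: str) -> list[dict]:
    """Read the (assumed) path,stream,size,modified columns of the export."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows.append({"path": row["path"], "stream": row["stream"],
                     "size": int(row["size"]),
                     "modified": datetime.fromisoformat(row["modified"])})
    return rows


def score_record(rec: dict, content: bytes, now: datetime) -> tuple[int, list[str]]:
    """Return (score, reasons) for one stream; 0 means nothing worth an analyst's time."""
    if rec["size"] == 0:
        return 0, []
    score, reasons = 0, []
    lower_path = rec["path"].lower()
    for tag in classify_content(content):
        if tag == "binary" and not lower_path.endswith(TEXT_EXTENSIONS):
            continue                 # binary blobs only stand out in text-type parents
        score += 3
        reasons.append(f"content:{tag}")
    name = rec["stream"]
    if name not in KNOWN_METADATA_STREAMS and SUSPICIOUS_NAME_RE.match(name):
        score += 2
        reasons.append(f"name:{name}")
    if any(parent in lower_path for parent in SENSITIVE_PARENTS):
        score += 2
        reasons.append("parent:system-folder")
    if now - rec["modified"] <= RECENT_WINDOW:
        score += 1
        reasons.append("recent-modification")
    return score, reasons


def triage(csv_text: str, contents: dict, now: datetime) -> list[dict]:
    """Rank exported records; `contents` maps "path:stream" to the stream's bytes."""
    ranked = []
    for rec in parse_export(csv_text):
        data = contents.get(f"{rec['path']}:{rec['stream']}", b"")
        score, reasons = score_record(rec, data, now)
        if score == 0:
            continue
        ranked.append({**rec, "score": score, "reasons": reasons,
                       "sha256": hashlib.sha256(data).hexdigest()})
    # highest score first, newest modification first within a score
    ranked.sort(key=lambda r: (-r["score"], -r["modified"].timestamp()))
    return ranked


# Constructed sample export and stream contents (not real findings).
SAMPLE_EXPORT = """path,stream,size,modified
C:\\Windows\\System32\\svchost.exe,payload,1024,2024-06-01T10:00:00+00:00
C:\\Users\\alice\\Documents\\notes.txt,Zone.Identifier,26,2023-01-15T08:00:00+00:00
C:\\Users\\alice\\Documents\\report.docx,_hidden,4096,2024-05-30T22:15:00+00:00
C:\\Users\\alice\\Documents\\todo.txt,data,256,2024-02-01T09:00:00+00:00
C:\\Temp\\old.log,notes,0,2024-06-01T11:00:00+00:00
"""
SAMPLE_CONTENTS = {
    "C:\\Windows\\System32\\svchost.exe:payload": b"MZ\x90\x00" + b"\x00" * 1020,
    "C:\\Users\\alice\\Documents\\notes.txt:Zone.Identifier": b"[ZoneTransfer]\r\nZoneId=3\r\n",
    "C:\\Users\\alice\\Documents\\report.docx:_hidden": base64.b64encode(bytes(range(256)) * 12),
    "C:\\Users\\alice\\Documents\\todo.txt:data": bytes(range(256)),
}

if __name__ == "__main__":
    for r in triage(SAMPLE_EXPORT, SAMPLE_CONTENTS, REFERENCE_TIME):
        print(r["score"], r["path"], r["stream"], r["reasons"], r["sha256"][:16])
```

On the constructed sample the benign Zone.Identifier stream and the empty stream drop out, the MZ payload under System32 and the base64 blob in a stream named _hidden rank first, and the binary blob inside a .txt parent follows; the SHA256 of each kept stream is carried along so it can go straight into the report and hash lookups.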
Best practices
- Include ADS enumeration in routine endpoint scans and forensic playbooks.
- Train analysts to check for ADS when investigating odd persistence or unexplained files.
- Retain exported ADS evidence and maintain chain-of-custody.
- Combine Marx ADS Viewer results with other telemetry (EDR, network logs) for confident attribution.
Limitations and cautions
- Scanning live systems can modify timestamps; prefer images when possible.
- ADS presence alone doesn’t prove maliciousness—context and content analysis are required.
- Handle extracted binaries in isolated environments to avoid accidental execution.
Conclusion
Marx ADS Viewer is a practical addition to an analyst’s toolkit for surfacing hidden NTFS Alternate Data Streams that may harbor malicious payloads. By systematically scanning, prioritizing, extracting, and correlating ADS artifacts, responders can uncover stealthy malware and remove covert persistence mechanisms effectively.