ADS & Python Tools, (Sat, Jun 21st)

[ADS & Python Tools](/forums/diary/ADS+Python+Tools/32058/)
===========================================================

**Published**: 2025-06-21. **Last Updated**: 2025-06-21 10:13:41 UTC **by** [Didier Stevens](/handler_list.html#didier-stevens) (Version: 1)

Ehsaan Mavani talks about Alternate Data Streams (ADS) in diary entry ‘[Alternate Data Streams - Adversary Defense Evasion and Detection \[Guest Diary\]](https://isc.sans.edu/diary/Alternate+Data+Streams+Adversary+Defense+Evasion+and+Detection+Guest+Diary/31990/)’.

I’m taking this as an opportunity to remind you that Python tools running on Windows with an NTFS disk can access alternate data streams.

Take my tool [cut-bytes.py](https://github.com/DidierStevens/DidierStevensSuite/blob/master/cut-bytes.py), for example: here I use it to show the content of the Mark-of-the-Web stored inside the Zone.Identifier ADS:

![](https://isc.sans.edu/diaryimages/images/20250621-113910.png)

You just need to type a colon (:) followed by the ADS name after the filename.

I didn’t have to code this in Python for Windows; it’s default behavior.

I did code ADS features in my [FileScanner tool](https://blog.didierstevens.com/programs/filescanner/). It’s not written in Python, but in C for Windows, and I coded features to enumerate and scan alternate data streams.

If you give it a file to scan, it will scan the file content, and also the content of all of its alternate data streams. Like with this download with a MotW:

![](https://isc.sans.edu/diaryimages/images/20250621-113931.png)

![](https://isc.sans.edu/diaryimages/images/20250621-113952.png)

And if you give it a folder or a drive to scan, it will also enumerate and scan all alternate data streams.

Didier Stevens
Senior handler
[blog.DidierStevens.com](http://blog.DidierStevens.com)
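The colon syntax described above, as an added example (not code from the diary or from cut-bytes.py): a short Python reader that opens a file's Zone.Identifier stream and parses the Mark-of-the-Web fields. The function names and the sample stream content are constructed for illustration; the `ZoneId`, `ReferrerUrl` and `HostUrl` keys and the zone numbers are the standard Windows ones.

```python
import configparser

# Standard Windows URL security zone identifiers.
ZONES = {0: "Local Machine", 1: "Local Intranet", 2: "Trusted Sites",
         3: "Internet", 4: "Restricted Sites"}

# Constructed sample of what a Zone.Identifier stream typically contains.
SAMPLE = (b"[ZoneTransfer]\r\nZoneId=3\r\n"
          b"ReferrerUrl=https://example.com/downloads/\r\n"
          b"HostUrl=https://example.com/downloads/tool%20v1.zip\r\n")


def parse_zone_identifier(raw: bytes) -> dict:
    """Parse the INI-style content of a Zone.Identifier stream."""
    # interpolation=None: URLs may contain '%', which must stay literal.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(raw.decode("utf-8-sig", errors="replace"))
    except configparser.Error:
        return {}  # not INI data at all
    if not parser.has_section("ZoneTransfer"):
        return {}
    fields = dict(parser["ZoneTransfer"])  # configparser lower-cases the keys
    result = {"zone_id": None, "zone": "unknown",
              "referrer_url": fields.get("referrerurl"),
              "host_url": fields.get("hosturl")}
    try:
        result["zone_id"] = int(fields.get("zoneid", ""))
        result["zone"] = ZONES.get(result["zone_id"], "unknown")
    except ValueError:
        pass  # missing or non-numeric ZoneId: keep "unknown"
    return result


def read_motw(path: str):
    """Return the parsed MotW for path, or None if the stream cannot be opened."""
    try:
        # On Windows with NTFS, "filename:streamname" opens the alternate data stream.
        with open(path + ":Zone.Identifier", "rb") as stream:
            return parse_zone_identifier(stream.read())
    except OSError:
        return None  # no MotW, file missing, or filesystem without ADS support
```

On a Windows system, `read_motw(r"C:\Users\me\Downloads\setup.exe")` (a hypothetical path) returns the parsed fields for a downloaded file, or `None` when the file carries no Mark-of-the-Web.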
