How can you find the size of a file on an NTFS drive? Sounds easy enough – just right-click and select Properties – but that will only provide the size of the file’s main data stream. Under NTFS, files may also have additional streams, which can be of any size (even larger than the main data stream), yet they’re not mentioned at all in the Explorer properties dialog.
While this may sound odd, alternate data streams (ADS) have plenty of legitimate uses. Create a favourite in Internet Explorer, for instance, and the browser will store the site’s icon (if available) in a stream attached to the resulting shortcut. IE also uses an ADS to tag files as having been downloaded from the internet, which is what triggers the “this file came from another computer” warning in a file’s Properties dialog, and which can be very valuable evidence when you’re trying to work out how a file arrived on a PC.
Unfortunately malware sometimes exploits the hidden nature of ADS too, stashing its code or data where Explorer won’t show it. Any decent antivirus package understands this already and scans streams for threats, but it’s still useful to examine your system manually once in a while, just to check for oddities your regular security software might have missed. Nirsoft’s AlternateStreamView provides a very quick and easy way to get started.
As usual with Nirsoft tools, AlternateStreamView is both tiny (a 35KB executable) and portable, which means there’s no installation required: just download, unzip and go.
Operating the program is almost as straightforward, at least initially. Point it at the drive you’d like to check, click Scan, and wait while your system is examined; the scan is fast, so even a full drive shouldn’t take more than a minute or two.
When it’s finished you’ll have a (probably) lengthy report listing every ADS found on the drive you specified. The Stream Name gives you some clue as to what each stream is for: “favicon” is the icon stored in an internet shortcut, for instance, while “Zone.Identifier” is the marker IE (and other downloaders) attach to tell you a file came from the web. You may also see others belonging to applications you’ve installed (we found a “Roxio EMC Stream” on a test PC, for example).
Spotting which of these might be dangerous is more of a challenge, unfortunately. You’ll need to look for streams attached to files that have no obvious reason to carry them, perhaps (though not necessarily) with an odd stream name, and maybe a surprisingly large stream size; a stream that is bigger than the file it’s attached to deserves a second look.
If you do find something which looks suspicious then you can export streams as a file to examine their contents, or even delete selected streams entirely. Though you should be careful before you wipe away too much: if a program is legitimately storing configuration information in streams then deleting it all without warning may cause problems.
Perhaps the best idea, however, is simply to use AlternateStreamView’s reporting features to save the details of all the streams it’s found this time (right-click, select HTML Report – All Items). You’ll then have a baseline showing the streams that exist on your PC normally, and will be better able to spot new streams which might arrive in future.
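If you’d rather script the same scan, triage and baseline workflow than click through a GUI, Windows PowerShell can enumerate streams itself. The script below is an added example, not part of the original article and not a Nirsoft tool; it needs Windows PowerShell 3.0 or later (or PowerShell 7) on an NTFS volume. $Root, $BaselinePath, the $KnownStreams list and the output file names are placeholders you can change.

```powershell
<#
Added example: scan a folder tree for alternate data streams, flag the ones the
article says to look at, and compare against a saved baseline. Not from the
original article or from Nirsoft; $Root and $BaselinePath are placeholders.
#>
param(
    [string]$Root = "$env:USERPROFILE\Downloads",
    [string]$BaselinePath = "$env:USERPROFILE\ads-baseline.csv"
)

# Stream names the article identifies as normal on a Windows PC (extend as you
# learn what your own applications leave behind).
$KnownStreams = @('Zone.Identifier', 'favicon')

function Get-AlternateStreams {
    # Enumerate every named stream under $Path. ':$DATA' is the main data
    # stream that Explorer reports as the file size, so it is filtered out.
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            [pscustomobject]@{
                File       = $_.FileName
                Stream     = $_.Stream
                Length     = $_.Length
                MainLength = (Get-Item -LiteralPath $_.FileName -Force).Length
            }
        }
}

function Find-SuspectStreams {
    # The article's two heuristics: an unfamiliar stream name, or a stream
    # larger than the file's own main data stream.
    param([object[]]$Streams)
    $Streams | Where-Object {
        ($KnownStreams -notcontains $_.Stream) -or ($_.Length -gt $_.MainLength)
    }
}

function Export-Stream {
    # Copy a stream's raw bytes to a separate file for examination. The switch
    # for reading bytes differs between Windows PowerShell and PowerShell 7.
    param([string]$File, [string]$Stream, [string]$Destination)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $bytes = Get-Content -LiteralPath $File -Stream $Stream -AsByteStream -Raw
    } else {
        $bytes = Get-Content -LiteralPath $File -Stream $Stream -Encoding Byte -Raw
    }
    if ($null -eq $bytes) { $bytes = [byte[]]@() }   # zero-length stream
    [System.IO.File]::WriteAllBytes($Destination, $bytes)
}

$streams = @(Get-AlternateStreams -Path $Root)
"Found $($streams.Count) alternate stream(s) under $Root"

# Zone.Identifier is plain text: ZoneId=3 is the Internet zone, and recent
# Windows builds may also record where the file came from (HostUrl/ReferrerUrl).
$streams | Where-Object { $_.Stream -eq 'Zone.Identifier' } | Select-Object -First 3 | ForEach-Object {
    "--- $($_.File)"
    Get-Content -LiteralPath $_.File -Stream Zone.Identifier
}

"--- Streams worth a closer look"
Find-SuspectStreams -Streams $streams | Format-Table File, Stream, Length, MainLength -AutoSize

# Report anything that was not in the previous baseline, then save this scan
# as the new baseline (the same idea as the HTML report described above).
if (Test-Path -LiteralPath $BaselinePath) {
    $baseline = @(Import-Csv -LiteralPath $BaselinePath)
    if ($baseline.Count -gt 0 -and $streams.Count -gt 0) {
        "--- Streams not present in the previous baseline"
        Compare-Object -ReferenceObject $baseline -DifferenceObject $streams -Property File, Stream |
            Where-Object { $_.SideIndicator -eq '=>' } | Format-Table File, Stream -AutoSize
    }
}
$streams | Export-Csv -LiteralPath $BaselinePath -NoTypeInformation
```

To watch it catch something, plant a constructed test stream first (for example `Set-Content -LiteralPath C:\Temp\note.txt -Stream hidden -Value 'test'`, where “hidden” is just a made-up name) and point $Root at that folder; it will appear under “worth a closer look” because the name isn’t in $KnownStreams. Export-Stream pulls a stream out to an ordinary file so you can inspect it with a hex viewer or submit it to a scanner, and `Remove-Item -LiteralPath <file> -Stream <name>` deletes a single stream, subject to the same caveat as in the GUI: check that an application doesn’t depend on the stream before removing it.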