LADS is a tool developed by Frank Heyne. It lists all Alternate Data Streams (ADS) of an NTFS directory. It shows the ADS of encrypted files, even when these files were encrypted with another copy of Windows.
Download link: http://www.heysoft.de/download/lads.zip
Usage: LADS [Directory] [/S] [/D] [/A] [/Xname]
- include Subdirectories
- Debug LADS
- Verbose error reports
- give a summary of All bytes used in the scanned directories (All files and directories are considered as uncompressed and all security decriptions are skipped for calculating this number!)
- eXclude any ADS "name"
- read Parameters from "file"
Let's create 3 streams in a text file as follows:
C:\malware>echo hidden text > test.txt:hidden.txt C:\malware>type res\test.exe > test.txt:hidden.exe C:\malware>type res\test.png > test.txt:hidden.png
LADS successfully detected the streams:
C:\malware>\tools\lads.exe LADS - Freeware version 4.10 (C) Copyright 1998-2007 Frank Heyne Software (http://www.heysoft.de) This program lists files with alternate data streams (ADS) Use LADS on your own risk! Scanning directory C:\malware\ size ADS in file ---------- --------------------------------- 32768 C:\malware\test.txt:hidden.exe 988061 C:\malware\test.txt:hidden.png 14 C:\malware\test.txt:hidden.txt 1020843 bytes in 3 ADS listed