Re-sharing a 2019 article from @dfir that I just became aware of from @[email protected] -->

Running an executable in an #AlternateDataStream ( #ADS on #NTFS ) resulted in a #prefetch file that is also in an ADS. At that time, parsing tools seemed to miss this prefetch file due to it being in an ADS. #DFIR #windows https://www.binary-zone.com/2019/05/26/creating-a-hidden-prefetch-file-to-bypass-normal-forensic-analysis/

This is interesting behavior. Has anyone observed this in the wild?

Creating a Hidden Prefetch File to Bypass Normal Forensic Analysis | B!n@ry
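
A defender-side check for the behavior described in the post, as an added example that is not part of the original post or the linked article: it lists named (alternate) data streams on files in the Prefetch directory and flags those whose first bytes look like a prefetch file. The function name `Find-PrefetchAds` is hypothetical, and the code assumes the default Prefetch path and the known prefetch signatures (`SCCA` at offset 4, or a `MAM` header on compressed Windows 10+ files).

```powershell
# Added example (not from the original post): find prefetch data hidden in NTFS ADS.
function Find-PrefetchAds {
    [CmdletBinding()]
    param(
        # Assumed default location; reading it normally requires an elevated session.
        [string]$PrefetchDir = (Join-Path $env:SystemRoot 'Prefetch')
    )

    # Raw byte reads are spelled differently in Windows PowerShell 5.1 and PowerShell 6+.
    $byteArg = @{ Encoding = 'Byte' }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $byteArg = @{ AsByteStream = $true } }

    Get-ChildItem -LiteralPath $PrefetchDir -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every file has the unnamed ':$DATA' stream; anything else is an ADS.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    # Read only the first 8 bytes of the named stream.
                    $head = @(Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                                  -TotalCount 8 -ErrorAction SilentlyContinue @byteArg)
                    $looksLikePf = $false
                    if ($head.Count -ge 8) {
                        $magic0 = [Text.Encoding]::ASCII.GetString([byte[]]$head[0..2])
                        $magic4 = [Text.Encoding]::ASCII.GetString([byte[]]$head[4..7])
                        # 'MAM' = compressed prefetch, 'SCCA' at offset 4 = uncompressed.
                        $looksLikePf = ($magic0 -ceq 'MAM') -or ($magic4 -ceq 'SCCA')
                    }
                    [pscustomobject]@{
                        HostFile          = $file.FullName
                        HostFileLength    = $file.Length
                        Stream            = $_.Stream
                        StreamLength      = $_.Length
                        LooksLikePrefetch = $looksLikePf
                    }
                }
        }
}

# Any row is worth a look; LooksLikePrefetch = True marks a stream to parse as prefetch.
Find-PrefetchAds | Format-Table -AutoSize
```

On a typical system the Prefetch directory holds no named streams, so an empty result is the expected baseline.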