Re-sharing a 2019 article from @dfir that I just became aware of from @chadtilbury@twitter.com --> Running an executable in an #AlternateDataStream (#ADS on #NTFS) resulted in a #prefetch file that is also in an ADS. #DFIR #windows https://www.binary-zone.com/2019/05/26/creating-a-hidden-prefetch-file-to-bypass-normal-forensic-analysis/
This is interesting behavior. Has anyone observed this in the wild?