This tutorial will explore the potential for using ‘Alternate Data Streams’ (ADS) to store information on an NTFS partition. All of the steps detailed below can be accomplished directly from within Windows.
Files act as pointers to physical data on a storage medium; they are a convenience, a way of managing information on a computer as discrete units. It should be this fantastically simple – one pointer for one file – but it seems Microsoft had other ideas…
Macintosh computers use a different file system to Windows computers. It was decided that NTFS should be able to emulate some aspects of the Mac file system to improve file compatibility. As a result, it is possible to ‘attach’ data to a file in a way that is not visible to users (oh dear!).
Getting your hands dirty
- Load up a command-prompt Window (Start->Run->’cmd’).
- Create a file to run this demonstration on. In the console type:
echo Hello, World! > test.txt
(The file ‘test.txt’ now contains 16 bytes of information. This is the default data stream)
- In the console, enter
type test.txt
to show the information in ‘test.txt’.
- Let’s hide some data! In the console type
echo I am hidden! > test.txt:hidden.txt
Notice the colon (:) – this is very important!
- If you repeat step 3, you should still see only ‘Hello, World!’ printed to the console. Check the properties of the file in Windows Explorer and you’ll arrive at the same conclusion: the file still contains only 16 bytes. You could even enter
type test.txt:hidden.txt
to try to see the text in ‘hidden.txt’, but it will return an error. Where the hell has the information you just entered gone?
- To reveal the contents of ‘hidden.txt’, type
more < test.txt:hidden.txt
in the console, et voila – the magically disappearing information has made a miraculous reappearance!
- The file ‘hidden.txt’ is now linked with ‘test.txt’. You could say that ‘test.txt’ is acting as a pointer to two data streams. Furthermore, if you copy ‘test.txt’ to another folder – ‘hidden.txt’ is copied with it!
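The same demonstration in PowerShell, as an added example that is not part of the original article, followed by the stream enumeration and clean-up a defender would want. It assumes PowerShell 3.0 or later (where the file cmdlets accept -Stream) on an NTFS volume, and writes to a constructed path under $env:TEMP.

```powershell
# Added example (not from the original article): recreate the tutorial's
# two-stream file, then enumerate, read and remove the alternate stream.
# Requires NTFS and PowerShell 3.0+; the path below is constructed for the demo.
$Path = Join-Path $env:TEMP 'ads_demo\test.txt'
New-Item -ItemType Directory -Path (Split-Path $Path) -Force | Out-Null

# Default stream, as written by "echo Hello, World! > test.txt"
Set-Content -Path $Path -Value 'Hello, World!'
# Alternate stream, as written by "echo I am hidden! > test.txt:hidden.txt"
Set-Content -Path $Path -Stream 'hidden.txt' -Value 'I am hidden!'

# Explorer and a plain "dir" report only the default stream's size.
'Length reported by Explorer/dir: {0} bytes' -f (Get-Item -Path $Path).Length

# Enumerate every stream on the file; the default stream is named ':$DATA'.
Get-Item -Path $Path -Stream * |
    Select-Object Stream, Length |
    Format-Table -AutoSize

# Read the alternate stream directly (the equivalent of "more < test.txt:hidden.txt").
Get-Content -Path $Path -Stream 'hidden.txt'

# Defender's sweep: list every file under a directory that carries a stream
# other than the default. 'Zone.Identifier' is the mark-of-the-web stream that
# browsers add to downloaded files and is usually benign; anything else deserves a look.
function Find-AlternateStreams {
    param([string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue } |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}
Find-AlternateStreams -Root (Split-Path $Path) | Format-Table -AutoSize

# Remove only the alternate stream; the visible file and its contents remain.
Remove-Item -Path $Path -Stream 'hidden.txt'
# List the streams that are left on the file.
(Get-Item -Path $Path -Stream *).Stream
```

From a plain command prompt, dir /R (Windows Vista and later) lists the streams of each file in the same way.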
The above is a basic demonstration of how ADS can be used to store hidden information. The article at governmentsecurity.org goes on to explore how an executable could be hidden within a file too. I’ve written a small batch file that attaches a user-defined message to itself (using ADS) and presents it using notepad. To remove the hidden file, you can either try the method suggested at gov.sec. or just delete the batch file itself!
ads_demo.rar – extract and run.