I-Space Research Labs

NTFS Alternate Data Streams

There’s a little-known feature in the NTFS file system called alternate data streams. Originally, it was intended to help support Mac users who access NTFS volumes. AppleFS uses a forked data structure, with the main data stream on one fork and a resource stream in the other. Windows, on the other hand, uses the file extension to determine what resource is needed to open a particular file. Since MS wanted to support Mac users (probably to help them migrate from Mac to Windows), alternate data streams were built into the filesystem. Another use for ADS is to store “out of band” data. Some applications, such as Office2000, will use ADS to store information such as revision numbers, authors, etc. If you right-click on a Word2000 document stored on an NTFS filesystem and hit Properties, you’ll see ADS in action.

Now, there are a few peculiarities about ADS that make it useful for more nefarious things. First, the filesystem doesn’t report that the file containing the stream has changed in size. Depending on how you’re looking at the drive at the time, you might not even see the overall free space available going down either. Second, you have to know the exact name of the stream(s) to access it (or them). You can attach more than one alternate data stream to an NTFS file. Third, there is no way, short of third-party utilities, to detect whether a file has an ADS attached to it. Fourth, since utilities like MD5sum will only look at the main $DATA stream, the MD5 hash of the file remains unchanged as long as you don’t change any of the data in the main stream. Add all the alternate streams you want, and you’ll always get the same file hash, thereby tricking Tripwire and other file integrity scanners.

So what’s it all mean? Treat an ADS like a file that is invisible. Get the idea now?
The syntax for using data streams is <file name>:<stream name>. If I had a file called FILE and wanted to dump the contents of secret.txt into an ADS attached to FILE called nosecrethere, I would do: type secret.txt >FILE:nosecrethere

Your data is now hidden. Want to see it? more <FILE:nosecrethere

Want to see a fully working example? Here goes.
Remember, this only works on NTFS volumes.
First, we create a small file:
H:\toolz>copy con testfile
I am a test file
^Z
1 file(s) copied.

Now we’ll check the size of our newly created file:
H:\toolz>dir
Volume in drive H is New Volume
Volume Serial Number is 1478-A72F

Directory of H:\toolz
07/25/2002 11:34a <DIR> .
07/25/2002 11:34a <DIR> ..
07/25/2002 11:34a 18 testfile
1 File(s) 18 bytes
2 Dir(s) 35,479,588,864 bytes free

18 bytes. We’ll verify that all that is in the file is what was typed previously:
H:\toolz>type testfile
I am a test file

Now I’ll throw some hidden data into the file:
H:\toolz>echo "I am hidden text" >testfile:hidden

Verify that Explorer and the Command Interpreter don’t recognize the hidden data:
H:\toolz>dir
Volume in drive H is New Volume
Volume Serial Number is 1478-A72F

Directory of H:\toolz

07/25/2002 11:34a <DIR> .
07/25/2002 11:34a <DIR> ..
07/25/2002 11:34a 18 testfile
1 File(s) 18 bytes
2 Dir(s) 35,479,588,864 bytes free

The file STILL shows it’s 18 bytes long, but we just added another 18 bytes of data to it!! This file should show as twice the size of what is being displayed.
Now we’ll verify the contents of the main data stream:
H:\toolz>type testfile
I am a test file

And finally, we’ll show you that the hidden data is actually there, if you know what to look for:
H:\toolz>more <testfile:hidden
"I am hidden text"

Now we’ll get even fancier and hide a 70k executable inside an 18-byte file.
H:\toolz>dir c:\winnt\uptime.exe
Volume in drive C has no label.
Volume Serial Number is 185B-203E

Directory of c:\winnt

07/25/2002 11:39a 70,416 uptime.exe
1 File(s) 70,416 bytes
0 Dir(s) 3,166,212,096 bytes free

H:\toolz>type c:\winnt\uptime.exe >testfile:uptime.exe

70k executable now hidden in 18 bytes of ASCII text!
H:\toolz>dir
Volume in drive H is New Volume
Volume Serial Number is 1478-A72F

Directory of H:\toolz

07/25/2002 11:34a <DIR> .
07/25/2002 11:34a <DIR> ..
07/25/2002 11:41a 18 testfile
1 File(s) 18 bytes
2 Dir(s) 35,479,515,136 bytes free

Once again, if you know what to look for, you can run it:
H:\toolz>start /b h:\toolz\testfile:uptime.exe

H:\toolz>\\CTHULHU has been up for: 283 day(s), 19 hour(s), 8 minute(s), 28 second(s)
^C
And finally, we’ll just verify that all of our original data is still intact:
H:\toolz>type testfile
I am a test file

H:\toolz>more <testfile:hidden
"I am hidden text"

And just to discourage Bullis from trying to hide his kiddy pr0n using ADS, I’ll show you that it IS possible to find alternate data streams if you have the right tools:

H:\>sfind
Searching…
H:\toolz
testfile:hidden Size: 21
testfile:uptime.exe Size: 70416
Finished
H:\>
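The sfind output above, and the earlier point that MD5sum and Tripwire only hash the main $DATA stream, can both be reproduced with the tools that ship with modern Windows. The following PowerShell script is an added example, not part of the original post or the sfind tool: it inventories every stream under a directory, hashes each one so an integrity baseline covers alternate streams too, and shows that hashing the file path alone stays blind to them. It assumes Windows PowerShell 5.1 or later on an NTFS volume, and uses the post's H:\toolz path.

```powershell
# Added example (not from the original post): inventory and hash every NTFS
# stream under a directory. Assumes Windows PowerShell 5.1+ and an NTFS volume.
function Get-StreamInventory {
    param([Parameter(Mandatory)][string]$Root)

    $sha = [System.Security.Cryptography.SHA256]::Create()
    Get-ChildItem -LiteralPath $Root -File -Recurse | ForEach-Object {
        $path = $_.FullName
        # -Stream * returns one object per stream; the main stream is ':$DATA'.
        Get-Item -LiteralPath $path -Stream * -ErrorAction SilentlyContinue | ForEach-Object {
            $name = $_.Stream
            # .NET file APIs accept the same file:stream syntax used in the post.
            $target = if ($name -eq ':$DATA') { $path } else { "${path}:$name" }
            $bytes  = [System.IO.File]::ReadAllBytes($target)
            [pscustomobject]@{
                File      = $path
                Stream    = $name
                Alternate = ($name -ne ':$DATA')
                Length    = $bytes.Length
                Sha256    = ($sha.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
            }
        }
    }
}

# Report only the alternate streams, i.e. what sfind printed for testfile.
$inventory = Get-StreamInventory -Root 'H:\toolz'
$inventory | Where-Object Alternate | Format-Table File, Stream, Length, Sha256 -AutoSize

# Hashing only the file path, as md5sum or Tripwire would, reads just the main
# stream: this value is identical before and after a stream is attached.
(Get-FileHash -LiteralPath 'H:\toolz\testfile' -Algorithm SHA256).Hash

# Once a stream has been reviewed it can be stripped without touching the
# main stream, e.g.:
# Remove-Item -LiteralPath 'H:\toolz\testfile' -Stream hidden
```

In cmd.exe, dir /R lists streams as well, but it does not hash them; baselining the per-stream hashes is what lets a later run flag a new uptime.exe stream on an otherwise unchanged 18-byte file.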
