
Hiding Files in Alternate Data Streams

Alternate Data Streams got their start as a way to give NTFS compatibility with the Macintosh Hierarchical File System (HFS).  The Macintosh file system stores a file in two forks: a resource fork and a data fork.  The data fork holds, well, the data, and the resource fork holds information that tells the OS how to interpret that data, usually some type of metadata.  Microsoft's implementation of the resource fork became Alternate Data Streams.  Besides storing metadata, a stream can hold entire files, such as:

  • Executables (.exe, .bat)
  • Movies (.avi, .mov)
  • Documents (.txt, .doc, .xls)

Once these files are placed in another file or folder's ADS they are essentially hidden... in plain sight.  That is to say they are not visible in Windows Explorer, and they do not increase the size that Explorer or a plain dir reports for the document used to hide them (the disk space is still consumed, which is one way to notice them).  The visible document opens as normal, or the movie plays without a glitch, and no one is the wiser.  That is not to say that streams are undetectable: there are several applications that reveal them, and current antivirus products scan for well-known malicious software even when it sits inside an ADS.  Vista also has the native ability to list them with the command line dir /R switch.  So although they have their uses, they are by no means the best way to keep prying eyes off your personal data.  Think of ADS as something to use only when the need arises to hide a nonmalicious file, and then only as a temporary solution.  It is always better to encrypt files with Microsoft's Encrypting File System (EFS) or a tool like TrueCrypt.  That will almost certainly give you immediate privacy, though even that can be compromised in the long term.

There's no doubt that this method of hiding information could be useful to someone looking for a place to stash a picture or movie for a short time, especially on a machine whose owner has never heard of an ADS.  They do have some limitations, though:

  • Supported on NTFS only (copying the host file to a FAT or exFAT volume, such as most USB sticks, silently drops every stream)
  • Stream is lost during browser and FTP downloads, since only the main data stream is transferred
  • Easily detectable with current software
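Since detectability is the limitation that matters most, here is an added PowerShell example (it is not part of the original post) that sweeps a directory tree and lists every stream other than the file's own ':$DATA' content.  It skips Zone.Identifier, the mark-of-the-web stream that browsers attach to downloaded files, because that one is legitimate and would swamp the output.  The function name and the -Ignore list are my own choices; the H:\ drive is the one used later in the post.  It needs PowerShell 3.0 or later for the -Stream parameter.

```powershell
# Added example, not from the original post. Lists alternate data streams under
# a directory tree. Needs PowerShell 3.0+ (the -Stream parameter).
# ':$DATA'          is the file's normal, visible content, so it is not reported.
# 'Zone.Identifier' is the mark-of-the-web that browsers write on downloads;
#                   it is legitimate and would drown out everything else.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string[]] $Ignore = @(':$DATA', 'Zone.Identifier')
    )
    # Directories can carry streams too (H:\Hidden:hidden.txt in the post), so walk
    # both files and folders. -Force includes hidden and system items. On some older
    # PowerShell builds streams on directories are not returned this way; cmd's
    # dir /R lists them regardless.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $Ignore -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        Host         = $item.FullName
                        Stream       = $_.Stream
                        StreamBytes  = $_.Length
                        # What Explorer and a plain dir report: only the unnamed stream.
                        VisibleBytes = $(if ($item.PSIsContainer) { 0 } else { $item.Length })
                    }
                }
        }
}

# Usage: every non-standard stream under H:\, biggest first. A 20 MB stream
# hanging off a 20-byte text file stands out immediately.
Find-AlternateDataStreams -Path 'H:\' |
    Sort-Object StreamBytes -Descending |
    Format-Table -AutoSize
```

Sorting by stream size against the visible size is the quick win: a movie or executable tucked into a small text file shows up as a huge StreamBytes next to a tiny VisibleBytes, which is exactly the mismatch Explorer hides.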

Although they are a superficial way to hide files, most techs are unaware of their existence, and those who have heard of them might be hard pressed to provide a working example.  I, however, am willing and able to provide such a demonstration and will magically hide a file, a movie, and an executable within a file and a folder... in separate illusions... Hold onto your seats, boys and girls, and let the ADS begin.

Below is the directory I'll be working in.  I have included the following files to test in this ADS magic trick:

  • Notepad.exe (the standard text editor... who doesn't know Notepad?)
  • nc.exe (included because most AVs detect it as malicious, as I suppose they should, it being the Swiss army knife of the hacker community)
  • Clock.avi (the default video file included with Vista and, I suppose, previous versions)
  • Wmplayer.exe (Microsoft's Media Player, moved here for the sake of convenience)
  • Cat.exe (ported over from Unix; used to pull the contents of an ADS back out into a regular file)
  • Tools folder (contains some well-known anti-ADS tools)

So lets begin…

First create  a normal file using the following command:

echo "This is visible text" > visible.txt

Echo displays text on the screen, but its output can also be redirected (>) into a file.  Note that cmd.exe writes the quotation marks into the file literally; unlike a Unix shell, it does not strip them.

Now to create our file to be hidden

echo "This is hidden text" > hidden.txt

Let's make sure they have been created with dir /O, which sorts the listing alphabetically.

So our files have been created.  Any one of the following techniques could be used to verify their echoed contents:

  • type visible.txt (displays the contents of the file on screen)
  • more < visible.txt (redirects the file's contents into the more command)
  • notepad.exe visible.txt

So for the sake of argument, let's just say I've done the verification.  Now let's move on to streaming hidden.txt into visible.txt by doing the following:

Presto…Chango…Alakazam…

type hidden.txt > visible.txt:hidden.txt

Ok, so I exaggerated the magic-trick lingo, but in my head it sounded pretty funny.  Now that it's done, how do we see the text inside the streamed file?  The type command does not work for viewing ADS contents, as can be seen below: I tried both the bare file name and its full path, to no avail.  type is a cmd.exe built-in and rejects the file:stream syntax.  Both more and notepad work, however, because they hand the path straight to the file system, which understands it.

more visible.txt:hidden.txt

The same technique can be used to attach hidden.txt to the H:\Hidden directory itself, since directories can carry streams too:

type hidden.txt > h:\hidden:hidden.txt

Now the same can be done to hide an executable or a movie:

type clock.avi > visible.txt:clock.avi

type notepad.exe > visible.txt:notepad.exe

So now let's verify the existence of these streams using Vista's native dir /R switch.
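The whole walkthrough above, from creating the two text files to listing the streams, can also be done with PowerShell's -Stream parameters.  This is an added example and not the post's own commands; it uses the post's file names, assumes PowerShell 3.0 or later, and should be run from a scratch directory on an NTFS volume.  It adds one check the screenshots cannot show: the host file's reported size before and after the streams are attached.

```powershell
# Added example, not the original post's commands: the same trick done with
# PowerShell's -Stream parameters (PowerShell 3.0 or later), plus a check that
# the host file's reported size does not change. File names match the post;
# run it from a scratch directory on an NTFS volume.

$hostFile = 'visible.txt'
'This is visible text' | Set-Content -LiteralPath $hostFile    # no stray quotes, unlike cmd's echo
'This is hidden text'  | Set-Content -LiteralPath 'hidden.txt'

$before = (Get-Item -LiteralPath $hostFile).Length

# 1. Text into a named stream (same as: type hidden.txt > visible.txt:hidden.txt)
Get-Content -LiteralPath 'hidden.txt' | Set-Content -LiteralPath $hostFile -Stream 'hidden.txt'

# 2. A binary into a named stream. cmd's type copies the bytes as-is regardless of
#    PowerShell version, so it is the simplest way to get an .avi or .exe in there.
#    Braces are needed: "$hostFile:clock.avi" would be read as a scope qualifier.
if (Test-Path -LiteralPath 'clock.avi') {
    cmd /c "type clock.avi > ${hostFile}:clock.avi"
}

# 3. A stream on a directory (same as: type hidden.txt > h:\hidden:hidden.txt)
New-Item -ItemType Directory -Path 'Hidden' -Force | Out-Null
cmd /c "type hidden.txt > Hidden:hidden.txt"

# 4. The visible size is unchanged: Explorer, dir and .Length report only the unnamed stream.
$after = (Get-Item -LiteralPath $hostFile).Length
"Reported size of $hostFile before: $before bytes, after: $after bytes"

# 5. Read the hidden text back (same as: more visible.txt:hidden.txt). type cannot
#    do this; Get-Content -Stream can.
Get-Content -LiteralPath $hostFile -Stream 'hidden.txt'

# 6. List every stream, the equivalent of dir /R. ':$DATA' is the file's own
#    visible content, not a hidden stream. /AD limits the cmd listing to directories
#    so the stream on Hidden is shown.
Get-Item -LiteralPath $hostFile -Stream * | Select-Object FileName, Stream, Length
cmd /c "dir /R /AD"

# 7. Remove the hidden streams without touching the visible text.
Remove-Item -LiteralPath $hostFile -Stream 'hidden.txt'
if (Test-Path -LiteralPath 'clock.avi') { Remove-Item -LiteralPath $hostFile -Stream 'clock.avi' }
```

Step 4 is the point of the exercise: $before and $after come out identical even with a multi-megabyte .avi attached, which is why the file looks untouched in Explorer.  Step 7 shows the other side of the coin, that a stream can be deleted individually with Remove-Item -Stream rather than by copying the host file to a FAT volume.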

In my next post I will show how to extract streams, as well as some of the tools used to detect them.


Categories: Security
  1. mamat
    August 20, 2010 at 4:23 am

    I have 2 questions

    type clock.avi > visible.txt:clock.avi

    1. After you do command above, clock.avi is still there. I thought it will be gone?
    2. How to view clock.avi after you hide it

    • joeroc
      December 8, 2010 at 3:28 pm

      Nope... The command is used to place a copy of the file into an ADS. The original will still exist until you delete it. Once deleted you can then get the original from the ADS when needed.
