NTFS Alternate Data Streams – hide files inside other files

Technology

The NTFS file system lets additional data, called Alternate Data Streams (ADS), be attached to a file beyond its ordinary contents. Windows and Explorer use this to bind extra data to a file: the summary information (keywords, comments, revision history and so on) that older versions of Explorer let you set on any file, and the Zone.Identifier stream that marks a file as having been downloaded from the internet. (A file's access control information is not kept in a stream; NTFS stores it in a separate security descriptor attribute on the same file record.) Because the extra data is bound to the file at the filesystem level, you can move the file from one folder to another on the same NTFS volume and all of the attached streams travel with it.

The interesting thing is that any file or directory can carry zero or more named streams. A few stream names are used by the OS, but there's nothing stopping you from adding your own. You can do this directly from the command line, using a simple colon notation: filename:streamname.

Let's say you have a file called test.txt (if it doesn't exist yet, this command creates it with an empty main stream). You can store a secret message in the file like this:
echo "This is a secret" > test.txt:secretdata

If you view the contents of test.txt, you won't see anything peculiar, and the size that Explorer and DIR report doesn't change either, because it covers only the main (unnamed) stream. If you know about the existence of the secretdata stream, however, you can easily extract the hidden information with the following command:
more < test.txt:secretdata > output.txt

When you now open output.txt, you’ll find your secret data inside.

Because a stream is addressed by an ordinary path, most programs will open one if you simply hand them that path. In the scenario above, you can load and edit the secretdata stream inside Notepad by running "notepad test.txt:secretdata". A stream can hold binary data of any size, too. For instance, maybe you want to shove Solitaire inside one of your text file's streams:

type c:\winnt\system32\sol.exe > test.txt:timewaster.exe

Running the file is as simple as "start .\test.txt:timewaster.exe". Wild, no? (That direct launch works on Windows 2000 and XP, which is where this post comes from; later versions of Windows refuse to start a process straight from a named stream, although the data parked in the stream is still there and still readable.)
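The same round trip in PowerShell, as an added example that is not part of the original post: it writes a text stream and a binary stream with the FileSystem provider's -Stream parameter (Windows PowerShell 3.0 and later, or PowerShell 7, on an NTFS volume), checks with a hash that the binary survived intact, and then compares what Get-Item reports as the file size against the full list of streams. The file location under %TEMP%, the stream names and the choice of calc.exe as the stashed binary are assumptions made for the demo.

```powershell
# Added example, not code from the original post.
# Requires PowerShell 3.0+ (the -Stream parameter) and a file on an NTFS volume.
# $file, the stream names and calc.exe are assumptions chosen for the demo.

$file = Join-Path $env:TEMP 'test.txt'
Set-Content -LiteralPath $file -Value 'Nothing to see here.'

# Text stream: the PowerShell equivalent of  echo ... > test.txt:secretdata  in cmd.exe.
Set-Content -LiteralPath $file -Stream 'secretdata' -Value 'This is a secret'

# Byte-mode switch differs between Windows PowerShell 5.1 and PowerShell 7.
$byteArgs = @{ Encoding = 'Byte' }                                                  # Windows PowerShell 5.1
if ($PSVersionTable.PSVersion.Major -ge 6) { $byteArgs = @{ AsByteStream = $true } } # PowerShell 7

# Binary stream: park an executable inside the text file.
$src   = Join-Path $env:SystemRoot 'System32\calc.exe'
$bytes = [System.IO.File]::ReadAllBytes($src)
Set-Content -LiteralPath $file -Stream 'timewaster.exe' -Value $bytes @byteArgs

# Prove the binary came back byte-for-byte: hash the source file and the stream contents.
$back = Get-Content -LiteralPath $file -Stream 'timewaster.exe' -Raw @byteArgs
$h1 = (Get-FileHash -LiteralPath $src -Algorithm SHA256).Hash
$h2 = (Get-FileHash -InputStream ([System.IO.MemoryStream]::new($back)) -Algorithm SHA256).Hash
"Round-trip intact: $($h1 -eq $h2)"

# What ordinary tooling sees: Length covers the main (unnamed) stream only.
"Size reported by Get-Item: $((Get-Item -LiteralPath $file).Length) bytes"

# What is actually attached: every stream, including the unnamed main one, shown as :$DATA.
Get-Item -LiteralPath $file -Stream * | Select-Object Stream, Length

# Read the text stream back, then delete just that stream and leave the file in place.
Get-Content -LiteralPath $file -Stream 'secretdata'
Remove-Item -LiteralPath $file -Stream 'secretdata'
```

The size line and the stream listing are the point: a file carrying hundreds of kilobytes in a named stream still reports the twenty-odd bytes of its main stream, which is exactly why the detection tools in the next section exist.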

So the odd thing is that all these hidden streams can be floating about your filesystem and, until Vista added the /R flag to the DIR command, there wasn't really any good built-in way of detecting them. To solve this, Frank Heyne created an application called LADS, an excellent command line utility that scans a directory and prints out the stream names and sizes for the files within it.

There was also a tool released with an MSDN article about file streams that adds an extra tab to the file properties dialog in Windows Explorer. Frank's ADS FAQ (linked below) walks you through registering the DLL and the registry entries needed to make this work. Once activated, the Streams tab in the properties panel lets you create, view, edit or delete the stream data attached to any file, right in Explorer.
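What LADS and "dir /R" do, written out in PowerShell as an added example (this is not LADS, not Sysinternals streams, and not code from the original post): it walks a directory tree, lists every named stream with its size, and sets aside the Zone.Identifier stream that marks downloaded files, since that one is present on almost everything in a Downloads folder and is not what you are hunting for. The default root (the current user's Downloads folder) and the list of executable-looking stream names are assumptions made for the demo; a stream's name is chosen by whoever wrote it, so treat that column as a hint, not a verdict.

```powershell
# Added example, not LADS or the Sysinternals streams tool.
# Requires PowerShell 3.0+; the root folder and extension list are assumptions for the demo.

function Find-AlternateStreams {
    param(
        [Parameter(Mandatory)][string]$Root,
        [switch]$IncludeZoneIdentifier      # show mark-of-the-web streams as well
    )
    # -Force picks up hidden and system files; non-NTFS volumes simply error out and are skipped.
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' } |                               # drop the main stream
        Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
        ForEach-Object {
            [pscustomobject]@{
                File       = $_.FileName
                Stream     = $_.Stream
                Length     = $_.Length
                # Stream names are attacker-chosen, so this is only a hint worth sorting on.
                Executable = [bool]($_.Stream -match '\.(exe|dll|com|scr|ps1|bat|cmd|vbs|js)$')
            }
        }
}

# Usage: scan the Downloads folder, executable-looking streams first.
$downloads = Join-Path $env:USERPROFILE 'Downloads'
Find-AlternateStreams -Root $downloads |
    Sort-Object Executable, Length -Descending |
    Format-Table -AutoSize

# The benign stream you will find on nearly every downloaded file. Unblock-File deletes it.
Find-AlternateStreams -Root $downloads -IncludeZoneIdentifier |
    Where-Object Stream -eq 'Zone.Identifier' |
    Select-Object -First 1 |
    ForEach-Object { Get-Content -LiteralPath $_.File -Stream 'Zone.Identifier' }
```

Run it against a folder where you have planted a stream with the earlier commands and the stream shows up with its real length, while the same file's Length column in a plain Get-ChildItem listing stays unchanged.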

I can see how this file system feature could be useful, but it's a little odd that it's so hidden from the user, and there seem to be a few problems with the concept. Because a stream adds nothing to the size Explorer reports and neither DIR nor a casual look at the file reveals it, there are obvious malicious uses for the people who write viruses and that sort of thing. Even ignoring that, there are also data interchange issues: copying a file to a file system other than NTFS (a FAT-formatted USB stick, say), e-mailing it or putting it in a zip archive silently drops all of the attached streams. Call me old fashioned, but I like my files the way they used to be, with a start, an end, and some bytes in between.

Frank Heyne – Alternate Data Streams in NTFS FAQ
LADS – NTFS alternate data stream list utility
The Dark Side of NTFS
MSDN: A Programmer’s Perspective on NTFS Streams and Hard Links

3 thoughts on “NTFS Alternate Data Streams – hide files inside other files”

  1. RobD says:

    Eh, LADS predates Vista by at least two years, as does the practice of hiding files in alternate data streams.

    Anyone looking for hidden files on NTFS will look for -H attrib, stego and ADS.

    This isn’t even security through obscurity, because it’s not obscure.

  2. Alex says:

    You have to be careful using something like this to hide files. Some anti-virus software will heuristically detect the files and mark them as suspicious or malicious.

    Also another tidbit, some anti-virus companies use ADS to store metadata about files to speed up scan times.

    Sysinternals has a great tool for detecting ADS:
    http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx

  3. isobelle says:

    that’s pretty out there; but cool, nonetheless.

