NTFS Streams can hide massive amounts of data or even a virus. Find out how they work and how to find a Windows Stream.
Windows Alternate Data Stream
If you run Windows NT 3.1, 3.5, 3.51 or 4.0, Windows 2000 or Windows XP on an NTFS volume, your system supports Alternate Data Streams.
What is an Alternate Data Stream? Simply put, it is the ability to hide data behind a file: text, graphics or executable code (games, trojans, etc.).
For example: you could have a small text file (hello.txt, say 1k in size) with an executable program of 5 megs attached to it. When you do a directory listing (look for files on your PC), the system shows you a small 1k text file without revealing the 5 meg program.
Malicious users take advantage of NTFS Data Streams by storing a virus or trojan on your system. Employees can abuse this by hiding graphics or data behind text files, etc.
Key issues about NTFS Data Streams
- NTFS Streams are only visible to specialized software.
- Public awareness of NTFS streams is very low.
- Streams can attach themselves to directories as well as files.
- Disk space used by Streams is not reported by programs such as Windows Explorer or commands such as ‘DIR’.
- Streams can be executed.
- Executed streams do not have their filenames displayed correctly in Windows Task Manager.
How to Create an Alternate Data Stream – Text Example
The syntax used to create an NTFS Stream is relatively simple and straightforward. To create an ADS attached to the file "hello.txt", separate the file name (the default stream) from the ADS name with a colon. [This example is typed at the command prompt of your C drive.]
c:\> echo This is a test > hello.txt:hidden
The ADS can then be verified using Notepad.
c:\> notepad hello.txt:hidden
Using the DIR command or programs such as Windows Explorer will not detect the presence of this newly created Alternate Data Stream.
How to Create an Alternate Data Stream – Executable Example
c:\> type c:\winnt\notepad.exe > hello.txt:np.exe
c:\> type c:\winnt\system32\sol.exe > hello.txt:sol2.exe
Similarly, image files, audio files, or any other stream of data can be hidden in ADSs.
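Because DIR and Windows Explorer do not show named streams or their sizes, the practical check is to enumerate the streams directly. The following PowerShell script is an added example, not the article's own program or code; it assumes PowerShell 3.0 or later on an NTFS volume, and the function name, the scratch directory and the ignore list are my own choices.

```powershell
# Added example: enumerate NTFS alternate data streams with PowerShell 3.0+.
# Not from the original article; function name and sample paths are assumptions.

function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Stream names treated as expected noise; tune for your environment (assumption).
        [string[]] $Ignore = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * lists every named stream on the file or directory;
            # ':$DATA' is the ordinary unnamed data stream, everything else is an ADS.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -ne ':$DATA' -and $Ignore -notcontains $_.Stream } |
        ForEach-Object {
            [pscustomobject]@{
                Path   = $_.FileName
                Stream = $_.Stream
                # Length is the stream's own size, which Explorer and DIR do not show.
                Bytes  = $_.Length
            }
        }
}

# Demonstration in a scratch directory: recreate the article's hello.txt:hidden,
# then find it. Uses the -Stream parameters instead of echo redirection.
$scratch = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
$file = Join-Path $scratch 'hello.txt'
Set-Content -LiteralPath $file -Value 'visible text'
Set-Content -LiteralPath $file -Stream 'hidden' -Value 'This is a test'

# The directory listing reports only the primary stream's size...
(Get-Item -LiteralPath $file).Length
# ...while the scan reports the hidden stream and its own size.
Find-AlternateDataStream -Root $scratch | Format-Table -AutoSize

# Read or remove a stream once it has been found.
Get-Content -LiteralPath $file -Stream 'hidden'
Remove-Item -LiteralPath $file -Stream 'hidden'
```

Zone.Identifier is ignored by default because browsers and mail clients write it on downloaded files (the Mark of the Web); any other named stream in the output, especially one whose size is far larger than the file it is attached to, deserves a look.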
Here is a free program to detect streams.