Saturday, July 17, 2010

NTFS Alternative Data Streams(ADS)

Hello friends, today let us discuss NTFS Alternate Data Streams (ADS).
NTFS ADS are basically a way to attach extra information to a file. This extra data is known as the file's metadata; Windows itself uses a stream for this, for example the Zone.Identifier mark that Internet Explorer puts on downloaded files.
This extra data is usually hidden: Explorer and a plain dir listing do not show it. Windows versions up to XP ship no tool to show that a stream exists (except that the Windows 2000 Resource Kit had a cat tool for it); from Windows Vista onward, dir /R lists the streams of each file.

NTFS ADS can be used to hide data on your PC without any extra software. ADS have the following properties that make this work:
1. There is no fixed limit on the size of a stream (only the free space on the volume), and more than one stream can be attached to a single file.
2. ADS are not visible in Explorer or in a plain dir listing. In fact, their size is not counted in the file size Windows reports, although the stream does take up space on the volume. (On Vista and later, dir /R does list them.)
3. You can hide text data, images, videos and even executables...!!
4. Streams can be attached to folders and to the root of a drive, not only to files.

So now, how to create a stream and hide data.
Let us take an example: here I shall create a stream to hide text data.
First go to CMD and type

notepad test.txt

Hit Enter. Notepad will open and ask whether to create the file; say yes, then save and close it. DON'T TYPE ANYTHING IN IT, so that the file itself stays empty.
Now open CMD again and type the following:

notepad test.txt:crypto.txt

Hit Enter. It will again ask to create the file; do it, then type the text you want to hide into the Notepad window titled test.txt:crypto.txt.
For example type anything like "Be a r3b3l not a p3bbl3".
Now save and close.
In the above example crypto.txt is the stream we created, and the data we are hiding is "Be a r3b3l not a p3bbl3", the text we typed into the test.txt:crypto.txt Notepad window.
Now if you check the size of test.txt it will be 0 KB. No matter how much data you hide, it stays 0 KB, because Windows only reports the size of the file's unnamed main stream.
Even if you use dir to look for the hidden crypto.txt you cannot find it (unless you use dir /R on Vista or later).
The only way to get your data back is to remember both the file name and the stream name.
For example, to view crypto.txt in our example I will type the following command in CMD:

notepad test.txt:crypto.txt
Thus, similarly, you can hide images, videos and executables too.
eg:
First we create a stream exactly as above. In CMD type

notepad test.txt:crypto.txt

(Strictly this step is optional: a redirection creates the stream if it does not exist yet.)
Now we shall hide an image, crypto.jpg, that is in the E:\image folder, for example. Here is the syntax of the command; in CMD type:

type E:\image\crypto.jpg> test.txt:crypto.txt

Hit Enter. Mission completed: the image now sits in the stream (overwriting the text that was in it, since a stream name can hold any kind of data). Check the size of test.txt again and it is still 0 KB. To get the image back you need the same file:stream name again, for example as the input of a program that accepts it or through a redirection such as more < test.txt:crypto.txt.
Similarly you can hide your virus, trojan or any other executable the same way.
For example, to store crypto.exe from the E:\project folder in test.txt, in CMD I'll type:

type E:\project\crypto.exe> test.txt:crypto.txt
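The whole procedure above (empty carrier file, a text stream, a binary stream, and reading both back) done in PowerShell, as an added example that is not part of the original post. It uses the -Stream parameter of the file cmdlets, which needs Windows PowerShell 3 or later and an NTFS volume. The file name test.txt and the stream names are kept from the post; the "image" bytes are a constructed stand-in for E:\image\crypto.jpg so that the script runs in any scratch folder.

```powershell
# Added example, not from the original post. Run in a scratch directory on an NTFS volume.
$file = Join-Path $PWD 'test.txt'

# Step 1: the empty carrier file (the "DON'T TYPE ANYTHING" step). New-Item leaves the
# unnamed stream at exactly 0 bytes, whereas Set-Content would write a newline into it.
New-Item -Path $file -ItemType File -Force | Out-Null

# Step 2: text into a named stream, the same as "notepad test.txt:crypto.txt".
Set-Content -Path $file -Stream 'crypto.txt' -Value 'Be a r3b3l not a p3bbl3'

# Step 3: binary data into a second stream, the same as "type E:\image\crypto.jpg > ...".
# $image is a constructed stand-in (the first bytes of a JPEG/JFIF header), not a real file.
$image = [byte[]](0xFF,0xD8,0xFF,0xE0,0x00,0x10,0x4A,0x46,0x49,0x46,0x00,0x01)
$pwsh7 = $PSVersionTable.PSVersion.Major -ge 6   # raw byte handling changed between 5.1 and 7
if ($pwsh7) { Set-Content -Path $file -Stream 'crypto.jpg' -Value $image -AsByteStream }
else        { Set-Content -Path $file -Stream 'crypto.jpg' -Value $image -Encoding Byte }

# Step 4: what Explorer and a plain dir report is the unnamed stream only, still 0 bytes.
"Reported size of test.txt: $((Get-Item $file).Length) bytes"

# Step 5: reading a stream back needs the file name AND the stream name.
$text = Get-Content -Path $file -Stream 'crypto.txt'
"Hidden text: $text"

# Step 6: recover the binary stream into an ordinary file and check it survived intact.
if ($pwsh7) { $out = [byte[]](Get-Content -Path $file -Stream 'crypto.jpg' -AsByteStream) }
else        { $out = [byte[]](Get-Content -Path $file -Stream 'crypto.jpg' -Encoding Byte) }
[IO.File]::WriteAllBytes((Join-Path $PWD 'recovered.jpg'), $out)
"Round trip intact: $(($image -join ',') -eq ($out -join ','))"
```

The same cmdlets accept any stream name, so a real image or executable is hidden by replacing $image with [IO.File]::ReadAllBytes('E:\image\crypto.jpg'); the reported size of test.txt stays 0 bytes either way.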

You can also attach an executable to another executable. For example, I shall attach crypto.exe to calc.exe as below:

type E:\project\crypto.exe> C:\WINDOWS\system32\calc.exe:notepad.exe

Here I used notepad.exe as the stream name, but you can use any name that will fool a user who looks in Task Manager,
because our crypto.exe will now be running in Task Manager under the name calc.exe:notepad.exe instead of crypto.exe.
You launch it with the start command in CMD (start C:\WINDOWS\system32\calc.exe:notepad.exe; run start /? for the syntax). This works on Windows XP; from Windows Vista onward start refuses to run an executable straight out of a stream, and writing into calc.exe also needs you to take ownership of the file first since system files belong to TrustedInstaller, so the trick as written is XP-only.
Because we only added a stream to calc.exe and did not touch its own (unnamed) data, the file still matches the copy Windows File Protection expects, so sfc.exe will not detect the change.
One clue is in the file's Properties: writing the stream updates the modified date while the creation date stays as it was. ;-) It is not the only clue, though: dir /R (Vista and later), the Sysinternals Streams tool, or PowerShell's Get-Item calc.exe -Stream * list the extra stream by name.

There are some drawbacks of NTFS ADS that you must know.
1. ADS work only on NTFS, not on FAT/FAT32 (zip archives and e-mail attachments drop them as well).
2. If you copy the test.txt we created to a FAT file system, the streams attached to it are silently dropped. Which means all your hidden treasure is gone.
This behaviour can also be used to counter NTFS ADS. ;-)
If you fear your system contains ADS, just copy the data to a FAT file system and back. This will destroy the streams, but it does not let you see what was in them.

To actually see the streams on your PC you need a tool that lists them: dir /R on Windows Vista and later, the free Streams utility from Sysinternals, or PowerShell's Get-Item -Stream * (PowerShell 3 and later). Older systems have nothing built in, so there you need software from the internet.
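As an added example (not from the original post), here is how to find, inspect and remove streams with PowerShell 3 or later on NTFS, which covers the last two points above without a FAT round trip or third-party software. The folder to scan is an assumption (the current directory), and the file and stream names match the earlier examples.

```powershell
# Added example, not from the original post. PowerShell 3+ on an NTFS volume.
# Every NTFS file has one unnamed stream, which -Stream * reports as ':$DATA';
# anything else listed is an alternate data stream.
function Get-AlternateStreams {
    param([string]$Root = $PWD)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Directories can carry streams too, so do not filter with -File.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        }
}

# Peek at the first bytes of a stream to tell an executable ("MZ") from text or an image.
function Get-StreamMagic {
    param([string]$Path, [string]$Stream)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $b = [byte[]](Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -TotalCount 4)
    } else {
        $b = [byte[]](Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -TotalCount 4)
    }
    if ($b.Length -ge 2 -and $b[0] -eq 0x4D -and $b[1] -eq 0x5A) { return 'PE executable' }
    if ($b.Length -ge 2 -and $b[0] -eq 0xFF -and $b[1] -eq 0xD8) { return 'JPEG' }
    return 'other (' + (($b | ForEach-Object { '{0:X2}' -f $_ }) -join ' ') + ')'
}

# Report every stream under the current folder with its size and what its content looks like.
# Zone.Identifier is the normal "downloaded from the internet" mark, so it is reported as benign.
Get-AlternateStreams | ForEach-Object {
    [pscustomobject]@{
        File   = $_.FileName
        Stream = $_.Stream
        Bytes  = $_.Length
        Looks  = if ($_.Stream -eq 'Zone.Identifier') { 'benign download mark' }
                 else { Get-StreamMagic -Path $_.FileName -Stream $_.Stream }
    }
} | Format-Table -AutoSize

if (Test-Path -LiteralPath .\test.txt) {
    # The built-in cmd.exe equivalent on Vista and later.
    cmd /c 'dir /R test.txt'

    # Remove one stream without touching the file's own contents (no FAT round trip needed).
    Remove-Item -LiteralPath .\test.txt -Stream 'crypto.txt' -ErrorAction SilentlyContinue
    Get-Item -LiteralPath .\test.txt -Stream *   # crypto.txt is gone; the file itself is unchanged
}
```

Reading the first bytes is a cheap way to triage a listing: a stream that starts with MZ on a .txt file is exactly the "hidden executable" case from the post, while a Zone.Identifier stream is expected on anything downloaded with a browser and is removed by Unblock-File rather than by hand.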
