Ever since Windows 2000, the NTFS file system in Windows has supported Alternate Data Streams (ADS), which let you store data "behind" a filename by appending a stream name to it. Streams are available only on NTFS volumes, and a stream is not visible when you browse the file system.
First, create an innocent-looking file, for instance "default.txt", with Notepad. You can put any text into it.
Second, create a new stream attached to that file:

notepad default.txt:secret1.txt

You can put any text into this new stream, default.txt:secret1.txt. If you browse the folder that contains the file, you won't see it; you only see default.txt.
Next, you can also add text to the stream from the command line:

echo "The quick brown fox jumps over the lazy dog." >> default.txt:secret1.txt

You can also read the text back from the stream on the command line:

more < default.txt:secret1.txt

Of course, you can always add a second stream and view it from the command line:

echo "The quick brown fox jumps over the lazy dog." >> default.txt:secret2.txt
more < default.txt:secret2.txt

Note that the file size shown for default.txt does not change even if you put a megabyte of data into a stream. To detect ADS you can use a command-line tool called "streams.exe" from Microsoft (Sysinternals). It shows whether any streams are attached to a file, and it can also strip all streams (if any) from the file:

streams -d default.txt
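The same create / read / detect / strip workflow in PowerShell, as an added example that is not part of the original post. It relies on the -Stream parameter the FileSystem provider has offered since PowerShell 3.0, so no external tool like streams.exe is needed; the file location under $env:TEMP is an assumption of this example, and the stream names are the ones the post uses.

```powershell
# Added example (not from the original post): PowerShell equivalent of the
# notepad / echo / more / streams.exe steps. Requires PowerShell 3.0+ and an
# NTFS volume. The path under $env:TEMP is an assumed location.
$file = Join-Path $env:TEMP 'default.txt'

# 1. Create the innocent host file (the default.txt the post starts with).
Set-Content -Path $file -Value 'Nothing to see here.'

# 2. Write hidden streams (cmd: echo "..." >> default.txt:secret1.txt).
Set-Content -Path $file -Stream 'secret1.txt' -Value 'The quick brown fox jumps over the lazy dog.'
Add-Content -Path $file -Stream 'secret2.txt' -Value 'The quick brown fox jumps over the lazy dog.'

# 3. The reported size of the host file does not include its streams,
#    which is why a plain dir or Explorer listing reveals nothing.
$hostSize = (Get-Item -Path $file).Length
Write-Host "Reported size of default.txt: $hostSize bytes"

# 4. Read a stream back (cmd: more < default.txt:secret1.txt).
Get-Content -Path $file -Stream 'secret1.txt'

# 5. Enumerate every stream, like streams.exe does. ':$DATA' is the normal
#    file content; anything else is an alternate data stream.
Get-Item -Path $file -Stream * |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object Stream, Length

# 6. Strip the alternate streams (cmd: streams -d default.txt).
Get-Item -Path $file -Stream * |
    Where-Object { $_.Stream -ne ':$DATA' } |
    ForEach-Object { Remove-Item -Path $file -Stream $_.Stream }

# 7. Verify that only the main data stream remains.
(Get-Item -Path $file -Stream *).Stream
```

From cmd.exe, `dir /R` (Windows Vista and later) also lists alternate streams next to each file, so a tool download is not strictly required on a modern system.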
Advanced Usage of ADS
We can attach a new stream not only to a file but also to a folder. For example (the stream name with no filename in front of it attaches to the current directory, so change into the new folder first):

md folder1
cd folder1
echo "Hidden text in ADS" > :hidden.txt
more < :hidden.txt

Now we will store an EXE file as an ADS and run it.

type c:\windows\notepad.exe > default.txt:note.exe

However, I notice that running it under Windows 7 doesn't seem to work any more. Lastly, if you wish to retrieve the executable from the stream, you may:

cat default.txt:note.exe > note.exe
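A defender-side audit for the two tricks in this section, added here as an example that is not part of the original post: it walks a directory tree, reports alternate streams on both files and folders (the md folder1 / :hidden.txt case), and flags any stream that begins with the MZ header of a Windows executable, which is what the type notepad.exe > default.txt:note.exe trick leaves behind. The function name Find-AlternateStreams and the C:\Users\Public starting point are assumptions of this example. It uses Windows PowerShell 5.1 syntax (-Encoding Byte); on PowerShell 7 replace that switch with -AsByteStream.

```powershell
# Added example (not from the original post): audit a tree for alternate data
# streams on files and directories and flag executable-looking payloads.
# Requires PowerShell 3.0+ on NTFS. Function name and default root are assumed.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Root)

    # Directories carry streams too, so include them alongside files.
    # -Force also picks up hidden and system items.
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # ':$DATA' is the normal content; Zone.Identifier is the benign
            # "downloaded from the Internet" mark that browsers add. Skip both.
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    # Read the first two bytes of the stream; a PE image starts with 'MZ' (0x4D 0x5A).
                    $head = @(Get-Content -LiteralPath $item.FullName -Stream $_.Stream `
                                -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue)
                    $looksLikeExe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)

                    [pscustomobject]@{
                        Path         = $item.FullName
                        IsDirectory  = $item.PSIsContainer
                        Stream       = $_.Stream
                        Bytes        = $_.Length
                        LooksLikeExe = $looksLikeExe
                    }
                }
        }
}

# Run the audit over an assumed starting point and print the findings.
Find-AlternateStreams -Root 'C:\Users\Public' | Format-Table -AutoSize
```

The Bytes column is the size streams.exe would report for each stream, and it is the size that the host file's own Length property silently omits, which is the gap this audit is meant to close.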
See practical guide to ADS for more information.