ADS
It’s pretty weird when you spend your entire life thinking you know all the basics and then find there’s something out there you’d never heard of, even though it’s pretty rudimentary.
I’m talking here about ADS, Alternate Data Streams, which NTFS has supported since the Windows NT 3.x days.
What surprised me is just how simple ADS are to create and yet how difficult they are to detect with the tools most people use.
There are quite a lot of resources on the web that talk about ADS so I won’t regurgitate them here. Put simply, anyone (and yes, I mean anyone) can use an ADS to hide data from the vast majority of computer users: Explorer, dir and type only look at a file’s main data stream, and the size they report ignores everything stored in named streams.
Here’s a simple example of ADS at work, run from a cmd.exe prompt on an NTFS volume:
C:\>echo "This is hidden" > obvious.txt:hidden.stream
C:\>dir obvious.txt
 Volume in drive C has no label.
 Volume Serial Number is 2C10-8F4A

 Directory of C:\

07/30/2006  08:21 AM                 0 obvious.txt
               1 File(s)              0 bytes
               0 Dir(s)  11,958,599,680 bytes free
C:\>type obvious.txt
C:\>more < obvious.txt:hidden.stream
"This is hidden"
C:\>del obvious.txt
In the above example the file obvious.txt contained one hidden data stream called hidden.stream (although it could have been called anything: the name is a stream name, not a file name). Note that dir reports the file as 0 bytes and type prints nothing, because both only see the default unnamed data stream; type also refuses the file:stream syntax, which is why the example reads the stream back with more and input redirection. Deleting the file deletes every stream with it, and the streams only exist on NTFS: copy the file to a FAT volume, or move it over a protocol that only carries the main stream, and the hidden data is silently dropped.
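The same experiment in PowerShell, as an added example that is not part of the original post. It uses the PowerShell 3.0 and later -Stream support on the filesystem provider, which is the "honest" view of a file that the cmd.exe session above lacks; the scratch directory under $env:TEMP is an assumption so nothing on the real filesystem is touched.

```powershell
# Added example (not from the original post): create, list, read and delete an ADS.
# Requires Windows PowerShell 3.0 or later on an NTFS volume.
$dir  = Join-Path $env:TEMP 'ads-demo'      # constructed scratch location (assumption)
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'obvious.txt'

# Create an empty carrier file, then write a named stream on it.
# The carrier's own unnamed data stream stays at 0 bytes.
New-Item -ItemType File -Path $file -Force | Out-Null
Set-Content -LiteralPath $file -Stream 'hidden.stream' -Value 'This is hidden'

# The ordinary view: a 0-byte file. Explorer and a plain dir show the same thing.
Get-Item -LiteralPath $file | Select-Object Name, Length

# The complete view: every stream on the file. ':$DATA' is the unnamed default
# stream; anything else listed here is an alternate data stream.
Get-Item -LiteralPath $file -Stream * | Select-Object Stream, Length

# Read the hidden stream back without any redirection tricks.
Get-Content -LiteralPath $file -Stream 'hidden.stream'

# cmd.exe on Vista and later can list streams too, with the /R switch.
cmd /c "dir /R `"$file`""

# Cleanup: Remove-Item -Stream deletes just the one stream and leaves the file.
Remove-Item -LiteralPath $file -Stream 'hidden.stream'
Get-Item -LiteralPath $file -Stream * | Select-Object Stream, Length
Remove-Item -LiteralPath $dir -Recurse -Force
```

The second Get-Item -Stream * call should show only :$DATA again, which is the quick way to confirm a stream really is gone rather than just emptied.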
Apparently it wasn’t until Windows Server 2003 that Microsoft added a proper kernel-side API for enumerating streams (FindFirstStreamW and FindNextStreamW); on XP the usual method is to walk the file with BackupRead, which hands back a WIN32_STREAM_ID header for each stream (and probably before XP too; I’ve not tried pre-XP).
To their credit MS did supply a way of viewing these streams within Windows Explorer, if you know where to look. For convenience’s sake I’ve bundled up the requisite DLL and registry entries (download from here) that add a new tab to Explorer’s file properties dialog, which will at least show you the streams associated with a file, as shown below:
Now, granted, this doesn’t help you track down the files that contain an ADS: you have to know the file name before you can use the above extension. This page does offer a download of a binary to do that (which I’ve not tried). I wanted something a little more and was left wanting until I fell over this rather interesting page, which contains C# code to show stream information. Armed with this I’m going to put together a small utility within the next couple of weeks that will scan a computer and show all files with an ADS.
Update: Mark Russinovich of Sysinternals fame wrote just such a tool last year. Streams can be downloaded here: http://www.sysinternals.com/Utilities/Streams.html (streams -s <directory> recurses subdirectories and reports every file carrying a named stream; -d deletes them).
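For anyone who would still rather have the scanner in script form, here is an added example that does what the utility above was meant to do. It is not the post’s code or the Sysinternals Streams tool, and the function name Find-AlternateDataStreams and the C:\Users starting path are assumptions; it needs Windows PowerShell 3.0 or later. The one design point worth copying is the noise filter: Zone.Identifier is the mark-of-the-web stream that browsers and mail clients attach to downloads, so a scan that does not skip it buries the interesting streams under thousands of legitimate ones.

```powershell
# Added example (not the post's code or Sysinternals' Streams): recursive ADS scanner.
# Requires Windows PowerShell 3.0 or later; only NTFS volumes carry streams.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier is the mark-of-the-web stream added to downloaded files.
        # It is legitimate noise, so it is skipped unless explicitly asked for.
        [switch] $IncludeZoneIdentifier
    )
    # -Force picks up hidden and system files; access-denied errors are skipped, not fatal.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every stream on the file. ':$DATA' is the unnamed default data stream,
            # so anything else is an alternate data stream.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# Usage: scan a tree and list the largest streams first; a hidden payload
# (an executable, an archive) tends to dwarf the few bytes of a Zone.Identifier.
Find-AlternateDataStreams -Path 'C:\Users' |
    Sort-Object Bytes -Descending |
    Format-Table -AutoSize

# To inspect a hit without executing anything, read it as text:
# Get-Content -LiteralPath 'C:\Users\someone\obvious.txt' -Stream 'hidden.stream'
```

This is the scripted equivalent of running streams -s against the same directory; on Vista and later, dir /R /S from cmd.exe gives the same raw listing without the filtering.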
