How To Hide Files using Alternate Data Streams ?

Hey Guys, today we’ll discuss an interesting and lesser-known feature of the NTFS file system called Alternate Data Streams (ADS). We’ll also see how NTFS differs from older file systems, and guide you step-by-step on hiding files using PowerShell and Command Prompt (CMD). Let’s get started!



What Are Alternate Data Streams?

Alternate Data Streams (ADS) are a feature of the NTFS file system that allows additional data to be attached to a file without affecting its primary content. The feature was originally introduced to maintain compatibility with the Macintosh file system, HFS+.

For example, if a file is named file.txt, you can add hidden data to it using ADS like this:

file.txt:hidden_data

The hidden content is not visible when you open the file normally, making ADS an excellent method for hiding sensitive information.


Why is an Alternate Data Stream Used ?

Alternate Data Streams (ADS) are mainly used to store hidden or extra information inside a file without changing its visible size or content. Here is something very interesting you should know: while older Windows file systems such as FAT16 and FAT32 have no support for multiple data streams, ADS is not a new technology. It has been present in every version of Microsoft’s NTFS file system since Windows NT. In other words, it has been there from the start; it is just not used by ordinary people for everyday purposes.

Alternate Data Streams have been used by attackers for years to carry out their attacks. They are also used by a lot of software, such as Office, antivirus products and IDEs, to store additional information related to the main data in the file. I think that reason is enough, but if you are still not convinced why you should use ADS for programming or anything else 😈, here are the ways ADS is used worldwide:


1. Hiding Data or Secret Messages

ADS is commonly used to hide sensitive information like passwords, logs, or secret messages inside files. This way, the data remains hidden and doesn’t appear when the file is opened normally.


2. Adding Extra Information to Files

Sometimes, extra details like comments, notes, or timestamps need to be added to a file without editing the original content. ADS is useful in such cases, especially in fields like forensics, where investigators may need to attach important notes or references to a file.


3. Supporting Applications

Some software uses ADS to store extra data about a file. For example, when you download a file from the internet, Windows often adds a “Zone.Identifier” stream to indicate whether the file is from a trusted or untrusted source.
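The Zone.Identifier stream mentioned above is the one most people already have on their disk. The following PowerShell function is an added example, not code from the original post: it reads that stream from a file, maps the ZoneId to the Windows security-zone name, and then shows Unblock-File removing it. The demo file, its path under $env:TEMP and the stream content written to it are constructed for the demo.

```powershell
# Added example, not part of the original post. Reads and interprets a file's
# Zone.Identifier stream (the "Mark of the Web"). ZoneId meanings follow the
# Windows URL security zones; the demo file and its content are constructed.

$ZoneNames = @{
    0 = 'Local machine'
    1 = 'Local intranet'
    2 = 'Trusted sites'
    3 = 'Internet'
    4 = 'Restricted sites'
}

function Get-MarkOfTheWeb {
    param([Parameter(Mandatory)][string]$Path)

    $file = Get-Item -LiteralPath $Path -ErrorAction Stop

    # Get-Item -Stream errors when the stream is absent; treat that as "no mark".
    $stream = Get-Item -LiteralPath $file.FullName -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $stream) {
        return [pscustomobject]@{ File = $file.Name; ZoneId = $null; Zone = 'none'; HostUrl = $null }
    }

    # The stream is a small INI-style text block, for example:
    #   [ZoneTransfer]
    #   ZoneId=3
    #   HostUrl=https://example.invalid/tool.exe
    $fields = @{}
    $raw = Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier' -Raw
    foreach ($line in ($raw -split "`r?`n")) {
        if ($line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $fields[$matches[1]] = $matches[2] }
    }

    $id   = if ($fields.ContainsKey('ZoneId')) { [int]$fields['ZoneId'] } else { $null }
    $name = if ($null -ne $id -and $ZoneNames.ContainsKey($id)) { $ZoneNames[$id] } else { 'unknown' }

    [pscustomobject]@{ File = $file.Name; ZoneId = $id; Zone = $name; HostUrl = $fields['HostUrl'] }
}

# --- demo on a constructed file (requires an NTFS volume) ---
$demo = Join-Path $env:TEMP 'motw-demo.txt'
Set-Content -LiteralPath $demo -Value 'ordinary content'

# Simulate what a browser writes when it saves a file from the Internet zone.
$mark = "[ZoneTransfer]`r`nZoneId=3`r`nHostUrl=https://example.invalid/tool.exe`r`n"
Set-Content -LiteralPath $demo -Stream 'Zone.Identifier' -Value $mark

Get-MarkOfTheWeb -Path $demo      # Zone = Internet, ZoneId = 3
Unblock-File -LiteralPath $demo   # the supported way to remove the mark
Get-MarkOfTheWeb -Path $demo      # Zone = none
Remove-Item -LiteralPath $demo
```

A ZoneId of 3 or 4 is what SmartScreen and Office Protected View key on, so checking this stream tells you how Windows will treat the file before anyone double-clicks it.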


4. Malware Hiding

Unfortunately, ADS is sometimes used by hackers to hide viruses, malicious scripts, or harmful files. This makes it difficult for antivirus software to detect the malware, as it doesn’t show up in the usual file size or content.


5. Securely Storing Data

Organizations or developers might use ADS to store sensitive data like encryption keys or license information securely. This keeps the data safe and hidden from unauthorized users.


Difference Between NTFS and Other File Systems

To understand why Alternate Data Streams (ADS) is unique to NTFS, it’s important to look at how NTFS differs from other file systems like FAT32 and exFAT.


1. Advanced Features

  • NTFS: It supports advanced features like file compression, encryption, and Alternate Data Streams (ADS), which allow hidden data to be stored within files.
  • FAT32 and exFAT: These file systems are simpler and do not support such advanced functionalities. They focus on compatibility and efficiency rather than additional features.

2. File Size and Partition Limits

  • NTFS: It allows very large file sizes (up to 16 TB or more) and supports large partitions.
  • FAT32: It has a file size limit of 4 GB and a maximum partition size of 8 TB, making it less suitable for modern storage needs.
  • exFAT: It supports larger files and partitions than FAT32 but still lacks NTFS’s advanced capabilities.

3. Security

  • NTFS: Offers better security features like file permissions and encryption, allowing users to control who can access or modify files.
  • FAT32 and exFAT: These do not have built-in security, so all files are accessible to anyone with access to the drive.

4. Metadata Handling

  • NTFS: Can store additional metadata, like timestamps and file attributes, and supports multiple data streams (like ADS).
  • Other File Systems: FAT32 and exFAT store only basic metadata and cannot handle features like ADS.

5. Compatibility

  • NTFS: Works best with modern Windows systems but has limited compatibility with non-Windows devices unless additional drivers are used.
  • FAT32 and exFAT: Widely compatible with older systems, gaming consoles, and devices like cameras, making them better for cross-platform use.

Hiding Data in ADS Using PowerShell

PowerShell is a very useful tool for working with Alternate Data Streams (ADS). With a few simple commands, you can hide both text and files inside a file without changing its visible content. Let’s understand it better.

How to Hide Text in ADS Using PS ?

If you want to hide some text in a file, you can use the Set-Content command like this:

echo "This is hidden data" | Set-Content file.txt -Stream secret

Here’s what this means:

  • file.txt: This is the main file where you are hiding the data.
  • -Stream secret: This creates a hidden part inside the file called secret.
  • "This is hidden data": This is the text that gets hidden in the secret stream.

The content of file.txt remains the same when you open it normally, but this hidden data will not be visible directly.


How to Hide a File in ADS Using PS ?

You can also hide the content of one file inside another using ADS. For example:

Get-Content source.txt | Set-Content file.txt -Stream hidden_file

Here:

  • source.txt: This is the file whose content you want to hide.
  • file.txt:hidden_file: This creates a hidden part (hidden_file) inside file.txt and stores the content of source.txt there.

Once the data is hidden, you can even delete the original file (source.txt) if you don’t need it anymore. The hidden data will still be inside file.txt.


How to Read Hidden Data from ADS Using PS?

If you want to see the hidden data, use the Get-Content command like this:

Get-Content -Path "file.txt:secret"

This will show the hidden text stored in the secret stream of file.txt. If you have hidden a file instead of text, just replace secret with the name of the stream (for example, hidden_file).


How to Check for Streams in a File Using PS?

To find out if a file has any hidden streams, you can use the Get-Item command:

Get-Item -Path "file.txt" -Stream *

This will list all the streams inside file.txt, including their names and sizes. This way, you can verify that your hidden data is safe and where it should be.
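Checking one file at a time is fine for a tutorial, but on a real system you want to know which files in a whole tree carry extra streams. The following function is an added example, not code from the original post: it builds on Get-Item -Stream * to walk a directory, drop the unnamed :$DATA stream that every file has, skip Zone.Identifier by default (it is routine on downloaded files), and report the rest with their sizes. The demo directory and files under $env:TEMP are constructed.

```powershell
# Added example, not part of the original post. Walks a directory tree and
# reports every file that carries an alternate data stream other than the
# unnamed :$DATA stream. The demo directory and files are constructed.

function Find-AlternateStreams {
    param(
        [Parameter(Mandatory)][string]$Root,
        # Zone.Identifier is routine on downloaded files; skip it unless asked.
        [switch]$IncludeZoneIdentifier
    )

    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Get-Item -Stream * returns one object per stream with Stream and Length.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# --- demo on constructed files (requires an NTFS volume) ---
$root = Join-Path $env:TEMP 'ads-scan-demo'
New-Item -ItemType Directory -Path $root -Force | Out-Null
Set-Content -LiteralPath (Join-Path $root 'clean.txt')   -Value 'nothing to see'
Set-Content -LiteralPath (Join-Path $root 'carrier.txt') -Value 'looks ordinary'
'stashed text' | Set-Content -LiteralPath (Join-Path $root 'carrier.txt') -Stream 'secret'

Find-AlternateStreams -Root $root | Format-Table -AutoSize
# lists carrier.txt with stream "secret"; clean.txt does not appear

Remove-Item -LiteralPath $root -Recurse
```

Point it at a user profile or a web root and sort by Bytes: a stream large enough to hold an executable on a file that should only contain text is the kind of finding the "Malware Hiding" section above describes.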


Hiding Data in ADS Using CMD

We already used PowerShell for hiding data in ADS, but that’s not enough. I want you to know how to do the same thing in CMD, because there is no harm in gaining some more knowledge, right? 😆

How to Hide Text in ADS Using CMD ?

To hide some text inside a file, use the echo command like this:

echo This is hidden data > file.txt:hidden_data

Here’s what happens:

  • file.txt: This is the main file where the hidden data will be stored.
  • hidden_data: This creates a hidden part inside file.txt to store the text.
  • This is hidden data: This is the text that gets saved in the hidden_data stream.

When you open file.txt, you won’t see the hidden text because it’s stored in the hidden_data stream.


How to Hide a File in ADS Using CMD?

To hide the content of one file inside another, use the type command:

type source.txt > file.txt:hidden_file

Here’s what it does:

  • source.txt: This is the file whose content you want to hide.
  • file.txt:hidden_file: This creates a hidden stream named hidden_file inside file.txt and stores the content of source.txt there.

After hiding the content, you can delete source.txt if you don’t need it anymore. The hidden data will remain safe inside file.txt.


How to Read Hidden Data from ADS Using CMD?

To access the hidden data, use the more or type command. For example, to read the text hidden in the hidden_data stream, use:

more < file.txt:hidden_data

If you have hidden a file instead of text, replace hidden_data with the name of the hidden stream (e.g., hidden_file). This will display the hidden content in the console.


How to Check for Streams in a File Using CMD ?

To view all the data streams of a file using CMD, we can use this command:

dir /r

This shows the details of all the files in the directory, but that’s no problem, because you will be able to see the ADS of the file you want 😊.


How to Delete or Remove Alternate Data Streams (ADS)

Alternate Data Streams (ADS) can store hidden data in files, but sometimes, you may want to delete these streams to free up space or remove potentially harmful hidden content. Here’s how you can delete ADS using simple commands and tools.

Deleting Alternate Data Streams Using CMD

Unfortunately, the native CMD in Windows does not have a built-in command to directly delete specific Alternate Data Streams (ADS). The easiest way to remove ADS from a file using CMD is to copy the file’s content to a new file. This process removes any attached data streams.

Here’s an example:

type file.txt > newfile.txt

If the above command is not working for you try this :

more < file.txt > newfile.txt

After this, you can safely delete the original file:

del file.txt

You can also use the Streams tool provided by Microsoft to delete Alternate Data Streams if you don’t want to delete your original file. The Streams tool is part of the Sysinternals tool set provided by Microsoft for working with Alternate Data Streams. It is only 500KB. 😄


Deleting Alternate Data Streams Using PowerShell

PowerShell allows you to explicitly manage and remove streams attached to files. Use the Remove-Item command to delete specific streams:

Remove-Item -Path "file.txt" -Stream "hidden_stream"

This command will delete the hidden_stream attached to file.txt while keeping the main file intact.
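Remove-Item -Stream removes one named stream; during cleanup you usually want every extra stream gone while leaving the main content and Zone.Identifier alone. The following function is an added example, not code from the original post: it enumerates the streams with Get-Item -Stream *, skips :$DATA and anything on a keep list, removes the rest, and supports -WhatIf so you can preview the deletions first. The demo file under $env:TEMP and its streams are constructed.

```powershell
# Added example, not part of the original post. Strips every alternate data
# stream from a file except the unnamed :$DATA stream and, by default,
# Zone.Identifier. -WhatIf previews the removals without performing them.

function Remove-AlternateStreams {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string[]]$Keep = @('Zone.Identifier')
    )

    $streams = Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop
    foreach ($s in $streams) {
        # Never touch the primary data stream or anything the caller wants kept.
        if ($s.Stream -eq ':$DATA' -or $Keep -contains $s.Stream) { continue }
        if ($PSCmdlet.ShouldProcess("${Path}:$($s.Stream)", 'Remove stream')) {
            Remove-Item -LiteralPath $Path -Stream $s.Stream
        }
    }

    # Return what is left so the caller can confirm the result.
    Get-Item -LiteralPath $Path -Stream * | Select-Object Stream, Length
}

# --- demo on a constructed file (requires an NTFS volume) ---
$demo = Join-Path $env:TEMP 'ads-clean-demo.txt'
Set-Content -LiteralPath $demo -Value 'main content stays'
'hidden one' | Set-Content -LiteralPath $demo -Stream 'secret'
'hidden two' | Set-Content -LiteralPath $demo -Stream 'hidden_file'

Remove-AlternateStreams -Path $demo -WhatIf   # preview: two "Remove stream" lines
Remove-AlternateStreams -Path $demo           # only :$DATA remains afterwards
Get-Content -LiteralPath $demo                # main content stays
Remove-Item -LiteralPath $demo
```

Pass -Keep @() if you also want Zone.Identifier removed, though Unblock-File is the supported way to do that for a single download.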


Using Sysinternals Streams Tool to Delete ADS

Microsoft provides a command-line tool called Streams.exe to manage ADS in NTFS. You can use this tool to list and delete all streams in a file.

Download: the Streams tool is available from Microsoft Sysinternals.

List Streams

Run the following command to see the streams attached to a file:

streams file.txt

Delete Streams

To remove all ADS attached to a file, run:

streams -d file.txt

This deletes all hidden streams in file.txt without affecting the main content.


Understanding the Commands

Understanding the commands we are using is crucial, because that is what separates you from a script kiddie. So we will look at what each command does. I will only give you an overview of each command and not demonstrate it practically. Why? Because you will do it yourself 😊

Command | Purpose | PowerShell or CMD
echo | Prints your text to standard output (the console) | CMD
Set-Content | Writes new content to a file or replaces the content of a file | PowerShell
Get-Content | Gets the content of a file | PowerShell
Get-Item | Gets information about a file, directory, registry key, etc. | PowerShell
type / more | Read data from a file | CMD

Frequently Asked Questions (FAQs)

Can ADS be used on FAT32 or exFAT file systems?

No, ADS is only supported on the NTFS file system. FAT32 and exFAT do not have the ability to handle multiple data streams, which is essential for ADS to work.

What is the difference between NTFS and other file systems like FAT32?

NTFS supports advanced features like ADS, file encryption, and permissions, making it suitable for modern storage needs. In contrast, FAT32 and exFAT are simpler file systems designed for compatibility, but they lack these advanced features.

Can ADS be a security risk?

Yes, ADS can be exploited by malware to hide malicious scripts or data, making it harder for antivirus programs to detect threats. This is why understanding ADS is important for cybersecurity professionals.
