Hey Guys, today we’ll discuss an interesting and lesser-known feature of NTFS file systems called Alternate Data Streams (ADS). We’ll also see how NTFS differs from older file systems, and guide you step-by-step on hiding files using PowerShell and Command Prompt (CMD). Let’s get started!
What Are Alternate Data Streams?
Alternate Data Streams (ADS) is a feature of the NTFS file system that allows additional data to be attached to a file without affecting its primary content. It was originally introduced to maintain compatibility with the Macintosh file system, HFS+.
For example, if a file is named file.txt, you can add hidden data to it using ADS like this:
file.txt:hidden_data
The hidden content is not visible when you open the file normally, making ADS an excellent method for hiding sensitive information.
Why Are Alternate Data Streams Used?
Alternate Data Streams (ADS) are mainly used to store hidden or extra information inside a file without changing its visible size or content. Here is something interesting you should know: while older Windows file systems such as FAT16 and FAT32 have no support for multiple data streams, ADS is not a new technology. It has been present in every version of Microsoft’s NTFS file system since Windows NT. In other words, it has been there from the start; it just isn’t used by most people for everyday purposes.
Alternate Data Streams have been used by hackers for years to carry out their attacks. They are also used by a lot of software, such as Office, antivirus products and IDEs, to store additional information related to the main data in the file. I think that reason is enough, but if you are still not convinced why you should use ADS for programming or something else 😈, here are the ways ADS is used worldwide:
1. Hiding Data or Secret Messages
ADS is commonly used to hide sensitive information like passwords, logs, or secret messages inside files. This way, the data remains hidden and doesn’t appear when the file is opened normally.
2. Adding Extra Information to Files
Sometimes, extra details like comments, notes, or timestamps need to be added to a file without editing the original content. ADS is useful in such cases, especially in fields like forensics, where investigators may need to attach important notes or references to a file.
3. Supporting Applications
Some software uses ADS to store extra data about a file. For example, when you download a file from the internet, Windows often adds a “Zone.Identifier” stream to indicate whether the file is from a trusted or untrusted source.
4. Malware Hiding
Unfortunately, ADS is sometimes used by hackers to hide viruses, malicious scripts, or harmful files. This makes it difficult for antivirus software to detect the malware, as it doesn’t show up in the usual file size or content.
5. Securely Storing Data
Organizations or developers might use ADS to store sensitive data like encryption keys or license information securely. This keeps the data safe and hidden from unauthorized users.
Difference Between NTFS and Other File Systems
To understand why Alternate Data Streams (ADS) is unique to NTFS, it’s important to look at how NTFS differs from other file systems like FAT32 and exFAT.
1. Advanced Features
- NTFS: It supports advanced features like file compression, encryption, and Alternate Data Streams (ADS), which allow hidden data to be stored within files.
- FAT32 and exFAT: These file systems are simpler and do not support such advanced functionalities. They focus on compatibility and efficiency rather than additional features.
2. File Size and Partition Limits
- NTFS: It allows very large file sizes (up to 16 TB or more) and supports large partitions.
- FAT32: It has a file size limit of 4 GB and a maximum partition size of 8 TB, making it less suitable for modern storage needs.
- exFAT: It supports larger files and partitions than FAT32 but still lacks NTFS’s advanced capabilities.
3. Security
- NTFS: Offers better security features like file permissions and encryption, allowing users to control who can access or modify files.
- FAT32 and exFAT: These do not have built-in security, so all files are accessible to anyone with access to the drive.
4. Metadata Handling
- NTFS: Can store additional metadata, like timestamps and file attributes, and supports multiple data streams (like ADS).
- Other File Systems: FAT32 and exFAT store only basic metadata and cannot handle features like ADS.
5. Compatibility
- NTFS: Works best with modern Windows systems but has limited compatibility with non-Windows devices unless additional drivers are used.
- FAT32 and exFAT: Widely compatible with older systems, gaming consoles, and devices like cameras, making them better for cross-platform use.
Hiding Data in ADS Using PowerShell
PowerShell is a very useful tool for working with Alternate Data Streams (ADS). With a few simple commands, you can hide both text and files inside a file without changing its visible content. Let’s understand it better.
How to Hide Text in ADS Using PS?
If you want to hide some text in a file, you can use the Set-Content command like this:
echo "This is hidden data" | Set-Content file.txt -Stream secret
Here’s what this means:
- file.txt: This is the main file where you are hiding the data.
- -Stream secret: This creates a hidden part inside the file called secret.
- "This is hidden data": This is the text that gets hidden in the secret stream.
The content of file.txt remains the same when you open it normally, but this hidden data will not be visible directly.
How to Hide a File in ADS Using PS?
You can also hide the content of one file inside another using ADS. For example:
Get-Content source.txt | Set-Content file.txt -Stream hidden_file
Here:
- source.txt: This is the file whose content you want to hide.
- file.txt:hidden_file: This creates a hidden part (hidden_file) inside file.txt and stores the content of source.txt there.
Once the data is hidden, you can even delete the original file (source.txt) if you don’t need it anymore. The hidden data will still be inside file.txt.
How to Read Hidden Data from ADS Using PS?
If you want to see the hidden data, use the Get-Content command like this:
Get-Content -Path "file.txt:secret"
This will show the hidden text stored in the secret stream of file.txt. If you have hidden a file instead of text, just replace secret with the name of the stream (for example, hidden_file).
How to Check for Streams in a File Using PS?
To find out if a file has any hidden streams, you can use the Get-Item command:
Get-Item -Path "file.txt" -Stream *
This will list all the streams inside file.txt, including their names and sizes. This way, you can verify that your hidden data is safe and where it should be.
Hiding Data in ADS Using CMD
We already used PowerShell for hiding data in ADS, but that’s not enough. I want you to know how to do the same thing in CMD, because there is no harm in getting some more knowledge, right? 😆
How to Hide Text in ADS Using CMD?
To hide some text inside a file, use the echo command like this:
echo This is hidden data > file.txt:hidden_data
Here’s what happens:
- file.txt: This is the main file where the hidden data will be stored.
- hidden_data: This creates a hidden part inside file.txt to store the text.
- This is hidden data: This is the text that gets saved in the hidden_data stream.
When you open file.txt, you won’t see the hidden text because it’s stored in the hidden_data stream.
How to Hide a File in ADS Using CMD?
To hide the content of one file inside another, use the type command:
type source.txt > file.txt:hidden_file
Here’s what it does:
- source.txt: This is the file whose content you want to hide.
- file.txt:hidden_file: This creates a hidden stream named hidden_file inside file.txt and stores the content of source.txt there.
After hiding the content, you can delete source.txt if you don’t need it anymore. The hidden data will remain safe inside file.txt.
How to Read Hidden Data from ADS Using CMD?
To access the hidden data, use the more or type command. For example, to read the text hidden in the hidden_data stream, use:
more < file.txt:hidden_data
If you have hidden a file instead of text, replace hidden_data with the name of the hidden stream (e.g., hidden_file). This will display the hidden content in the console.
How to Check for Streams in a File Using CMD?
To view all the data streams of a file using CMD, we can use this command:
dir /r
This shows the details of all the files in the directory, but that’s no problem, because you will still be able to see the ADS of the file you want 😊.
How to Delete or Remove Alternate Data Streams (ADS)
Alternate Data Streams (ADS) can store hidden data in files, but sometimes, you may want to delete these streams to free up space or remove potentially harmful hidden content. Here’s how you can delete ADS using simple commands and tools.
Deleting Alternate Data Streams Using CMD
Unfortunately, the native CMD in Windows does not have a built-in command to directly delete specific Alternate Data Streams (ADS). The easiest way to remove ADS from a file using CMD is to copy the file’s content to a new file. This process removes any attached data streams.
Here’s an example:
type file.txt > newfile.txt
If the above command is not working for you try this :
more < file.txt > newfile.txt
After this, you can safely delete the original file:
del file.txt
You can also use the Streams tool provided by Microsoft to delete Alternate Data Streams if you don’t want to delete your original file. Streams is part of the Sysinternals tool set provided by Microsoft for working with Alternate Data Streams. It is only 500KB. 😄
Deleting Alternate Data Streams Using PowerShell
PowerShell allows you to explicitly manage and remove streams attached to files. Use the Remove-Item command to delete specific streams:
Remove-Item -Path "file.txt" -Stream "hidden_stream"
This command will delete the hidden_stream attached to file.txt while keeping the main file intact.
Using Sysinternals Streams Tool to Delete ADS
Microsoft provides a command-line tool called Streams.exe to manage ADS in NTFS. You can use this tool to list and delete all streams in a file.
Download Streams Tool: Download Streams from Microsoft.
List Streams
Run the following command to see the streams attached to a file:
streams file.txt
Delete Streams
To remove all ADS attached to a file, run:
streams -d file.txt
This deletes all hidden streams in file.txt without affecting the main content.
Understanding the Commands
Understanding the commands we are using is crucial, because that is what differentiates you from a script kiddie. Therefore, we will look at what each command does. I will just give you an overview of each command and not show it practically. Why? Because you will do it yourself 😊
Command | Purpose | PowerShell or CMD
---|---|---
echo | Prints your text to standard output (the console) | CMD (also works in PowerShell)
Set-Content | Writes new content to a file or replaces the content of a file | PowerShell
Get-Content | Gets the content of a file | PowerShell
Get-Item | Gets information about a file, directory, registry key, etc. | PowerShell
type / more | Read data from a file | CMD
Frequently Asked Questions (FAQs)
Can ADS be used on FAT32 or exFAT file systems?
No, ADS is only supported on the NTFS file system. FAT32 and exFAT do not have the ability to handle multiple data streams, which is essential for ADS to work.
What is the difference between NTFS and other file systems like FAT32?
NTFS supports advanced features like ADS, file encryption, and permissions, making it suitable for modern storage needs. In contrast, FAT32 and exFAT are simpler file systems designed for compatibility, but they lack these advanced features.
Can ADS be a security risk?
Yes, ADS can be exploited by malware to hide malicious scripts or data, making it harder for antivirus programs to detect threats. This is why understanding ADS is important for cybersecurity professionals.