Windows - Hiding data in Windows NTFS using Alternative Data Streams
Create the file “hello.txt”:
copy con hello.txt
Hello World
^Z
Let's see what we got:
dir hello.txt
09/07/2005 01:53 PM 13 hello.txt
1 File 13 bytes
0 Dir(s) 1,642,000,384 bytes free
OK, the file is 13 bytes in size. Now let's hide notepad.exe inside it, in a named stream called notepad.exe:
type \windows\system32\notepad.exe > hello.txt:notepad.exe
and see what changed:
dir hello.txt
09/07/2005 01:56 PM 13 hello.txt
1 File(s) 13 bytes
0 Dir(s) 1,641,926,656 bytes free
Notice that the file size reported by dir has not changed (dir only reports the primary data stream), but the free space on the drive has gone down. The last modification time has, however, been updated.
To run notepad.exe from inside hello.txt you execute:
start .\hello.txt:notepad.exe
WARNING: The problem with ADS is that Windows has no built-in way to show it, so you would need third-party software to find files with an ADS attached.
There is also no standard Windows tool to remove an ADS from a file, which means you either need to copy the file to a FAT partition and back again (overwriting the original copy), or delete it and restore it from backup.
Another interesting thing about ADS is that it works on directories as well as files.
If you attach an ADS to the \WINDOWS (or \WINNT) directory, the only easy way to get rid of it safely is to reinstall the OS!
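The two limitations above (no built-in way to list streams, no built-in way to remove one) describe the Windows of the time this tip was written; Windows Vista and later ship dir /R in cmd.exe, which lists streams next to each file, and Windows PowerShell 3.0 and later expose streams through the -Stream parameter of the file system cmdlets. The script below is an added example, not part of the original article, and shows a defender's view of the same technique: it enumerates every non-default stream under a directory tree (files and directories alike, covering the point about directories in the last paragraph), then deletes the named streams in place without the copy-to-FAT-and-back round trip. It requires an NTFS volume and PowerShell 3.0 or later. The scratch directory, the file name hello.txt, the stream names hidden.txt and dir-note, and the benign-stream list are constructed for the demonstration; applying the -Stream cmdlets to a directory rather than a file is an assumption made here.

```powershell
# Added example, not from the original article. Requires Windows PowerShell 3.0 or
# later (the -Stream parameter) on an NTFS volume. The scratch directory, file name
# and stream names below are constructed for the demonstration. Using the -Stream
# cmdlets on a directory (rather than a file) is an assumption made here.

# Streams that are expected and not worth flagging:
#   ':$DATA'          the primary, unnamed data stream every file carries
#   'Zone.Identifier' written to downloaded files (Mark of the Web)
$BenignStreams = @(':$DATA', 'Zone.Identifier')

function Find-AlternateStream {
    # Lists every non-default stream on the root item and everything below it,
    # files and directories alike. Output is one object per (item, stream) pair.
    param([Parameter(Mandatory)][string]$Root)

    $targets = @(Get-Item -LiteralPath $Root -Force) +
               @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $targets) {
        # Get-Item -Stream * enumerates the item's streams; a directory has no
        # ':$DATA', so anything it returns for a directory is a named stream.
        Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $BenignStreams -notcontains $_.Stream } |
            ForEach-Object {
                [pscustomobject]@{
                    Path        = $item.FullName
                    Stream      = $_.Stream
                    Length      = $_.Length
                    IsDirectory = $item.PSIsContainer
                }
            }
    }
}

function Remove-AlternateStream {
    # Deletes only the named stream; the item's own data (':$DATA') is untouched.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Stream
    )
    Remove-Item -LiteralPath $Path -Stream $Stream -Force
}

# ---- Demonstration on a throw-away directory under %TEMP% (constructed) ----
$lab  = Join-Path $env:TEMP ('ads-lab-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $lab | Out-Null
$file = Join-Path $lab 'hello.txt'

Set-Content -LiteralPath $file -Value 'Hello World'
# Same idea as "type something > hello.txt:name" in the article, with text instead of an exe
Set-Content -LiteralPath $file -Stream 'hidden.txt' -Value 'not shown by a plain dir'

# Attach a stream to the directory itself using cmd.exe redirection, as the
# article does for files. --% hands the rest of the line to cmd.exe untouched.
$env:ADSLAB = $lab
cmd.exe /c --% echo folders can carry streams too > "%ADSLAB%:dir-note"

'--- before cleanup ---'
Find-AlternateStream -Root $lab | Format-Table -AutoSize
# Expected rows: hello.txt / hidden.txt (IsDirectory False) and the lab dir / dir-note (IsDirectory True)

Find-AlternateStream -Root $lab | ForEach-Object {
    Remove-AlternateStream -Path $_.Path -Stream $_.Stream
}

'--- after cleanup ---'
Find-AlternateStream -Root $lab | Format-Table -AutoSize   # nothing left to list
Get-Content -LiteralPath $file                             # primary stream survives: Hello World

Remove-Item -LiteralPath $lab -Recurse -Force
```

For a one-off check of a single file, Get-Item .\hello.txt -Stream * does the same job as the function, and on Vista or later dir /R hello.txt shows the notepad.exe stream created in the article. Because a stream's length is not counted in the size dir reports, comparing free disk space before and after (as the article does) or walking the tree with a function like Find-AlternateStream is how you actually find what has been tucked away; the Zone.Identifier exclusion keeps ordinary downloaded files from drowning the output.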