NTFS has supported alternate data streams (ADS) since Windows NT 3.51. You can hide additional files “behind” a file.
Without additional tools you cannot see them; not even the file size changes when you add streams to a file. Here is a simple example: we hide the file myads.txt (the alternate data stream) behind the file myfile.txt (the regular file):
> echo MEEP >> myfile.txt:myads.txt
In Windows Explorer (or in a dir listing) you see a file with a file size of 0. Our hidden stream “myads.txt” is not shown. To read the hidden stream you can use notepad:
> notepad myfile.txt:myads.txt
You can edit this stream as if it were a “regular” file. Or you can use this command-line command:
> more < myfile.txt:myads.txt
Of course you can also add executables “behind” a file:
> type c:\winnt\notepad.exe > myfile.txt:np.exe
NOTE: not all Microsoft tools are “ADS compatible”; for example, “copy c:\winnt\notepad.exe myfile.txt:np.exe” does not work.
Now start np.exe:
> start c:\myfile.txt:np.exe
NOTE: you need to provide the full path!
You can also create an alternate data stream on a directory:
> cd c:\winnt
> echo "meee - my ads" > :neophob
I tried to zip the files with a hidden stream (7-zip v4.42, Winzip 9.0-SR1 and Windows XP integrated zipper) without success. It looks like most utilities ignore additional file streams.
Each file contains metadata (file permissions, summary information, whether the file is encrypted or compressed, and so on), which is saved as a system stream. An example of a “regular” ADS is the thumbnail function in Windows 2000: when you switch to “thumbnail view”, Explorer creates some ADS (LADS output):
Scanning directory p:tmppics
size ADS in file
As I didn’t find the GUID 4c8cc155-6c1e-11d1-8e41-00c04fb9386d in the registry, I assume this GUID is used to identify that this file has a thumbnail assigned (as an ADS). I extracted those streams (the XQ30ls.. stream) and compared them. I didn’t really analyze those files, but I think the x/y of the image is saved as well as the thumbnail itself (RLE compressed?).
It looks like Windows XP doesn’t save the thumbnails in ADS anymore but in the file Thumbs.db.
The summary information is still saved as ADS:
Scanning directory C:
size ADS in file
Here you see the “marker” GUID 4c8cc155-6c1e-11d1-8e41-00c04fb9386d again.
Another new “feature” of Windows XP is the Zone.Identifier. When you save a file from the Internet (or a mail attachment), Windows saves the Internet Explorer security zone as an ADS on this file. If you want to run this file and the ZoneId is 3 (Internet Zone), Windows shows this message:
The publisher could not be verified. Are you sure you want to run this software?
The content of the ADS:
Compared with Windows 2000, Windows XP also identifies the ADS properly in the Task Manager. For example, when we execute myfile.txt:np.exe, Windows 2000 shows myfile.txt in the Task Manager, whereas Windows XP shows myfile.txt:np.exe.
NTFS Streams Info v. 2.1, nice GUI, evaluation version at http://www.isgeo.kiev.ua/shareware/products.html
Another tool called “Stream Viewer” adds a new tab to the file properties dialog, found here: http://www.jsware.net/jsware/sviewer.php3
LADS, a cmd-line ads finder: http://www.heysoft.de/nt/ep-lads.htm
Microsoft MSDN article about NTFS. You can download some samples (NTFSext.exe) and extract the file StrmExt.dll. Copy this file to your windows\system32 directory, register it (regsvr32 StrmExt.dll) and your properties dialog contains an additional streams tab.
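
On current Windows versions the same enumeration can be done without third-party tools. The following PowerShell function is an added example, not code from the original post: it lists every named stream under a directory, flags streams that begin with an executable header (like the np.exe case above) and reports the ZoneId of any Zone.Identifier stream. The function name Get-AdsReport, the temp directory and the Zone.Identifier sample content are constructed for illustration.

```powershell
# Added example, not from the original post: list alternate data streams under a directory.
# Assumes an NTFS volume and PowerShell 3.0 or later (the -Stream parameter).
function Get-AdsReport {
    param([Parameter(Mandatory = $true)][string]$Path)

    # Raw byte reads are spelled differently in Windows PowerShell and PowerShell 6+.
    $byteArgs = @{ Encoding = 'Byte' }
    if ($PSVersionTable.PSVersion.Major -ge 6) { $byteArgs = @{ AsByteStream = $true } }

    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_.FullName
            # ':$DATA' is the unnamed default stream, i.e. the normal file content.
            Get-Item -LiteralPath $file -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $name = $_.Stream
                    $head = @(Get-Content -LiteralPath $file -Stream $name -TotalCount 2 @byteArgs -ErrorAction SilentlyContinue)
                    $zone = $null
                    if ($name -eq 'Zone.Identifier') {
                        $text = Get-Content -LiteralPath $file -Stream $name -Raw
                        if ($text -match 'ZoneId\s*=\s*(\d+)') { $zone = [int]$Matches[1] }
                    }
                    [pscustomobject]@{
                        File   = $file
                        Stream = $name
                        Length = $_.Length
                        # 'MZ' (0x4D 0x5A) at offset 0 marks a DOS/PE executable image.
                        IsPE   = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                        ZoneId = $zone
                    }
                }
        }
}

# Constructed sample data: a temp directory holding one file with a hidden text
# stream and a Zone.Identifier stream, mirroring the examples in the text.
$demo = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$f = Join-Path $demo 'myfile.txt'
Set-Content -LiteralPath $f -Value ''
Set-Content -LiteralPath $f -Stream 'myads.txt' -Value 'MEEP'
Set-Content -LiteralPath $f -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"
Get-AdsReport -Path $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

In Windows PowerShell 5.1 the -Stream parameter does not return streams attached to directories, so a stream like the :neophob example is only reported by newer PowerShell versions.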