Hello everyone. Good morning/afternoon/evening/whatever
First of all, thank you all for your feedback on my articles.
This is my 2nd article in the OS/Windows section. I hope this article will be enjoyable and useful for all.
Some years back, I badly required a satisfactory method to store my passwords. I used to create a password protected document with my login details, but many times I used to forget the password to the protected file. So, later I switched to hiding my passwords "behind" my photo (a jpg file) using steganography. But the passwords could be read with a hex editor. Finally, when I heard about ADS, I found it the most satisfactory.
In this article, I will be talking about "hiding" data without using steganography. The whole concept behind this is the use of Alternate Data Streams (ADS).
For those who don't know what steganography is, here is what Wikipedia says:
Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. The word steganography is of Greek origin and means "concealed writing".
Today most Windows users rely on NTFS. ADS is a relatively unknown feature of NTFS: the ability to fork additional data (streams) into an existing file. ADS capabilities are found in all versions of NTFS. ADS was originally created to allow compatibility with HFS, the Macintosh Hierarchical File System, in which file information is sometimes forked into separate resources. Alternate Data Streams have come to be used legitimately by a variety of programs, including the Windows operating system itself, to store file information such as attributes and temporary data.
ADS has many advantages (even over conventional steganographic methods):
- ADS does not increase the size reported for the target file, no matter how much data you hide. (believe me!)
- ADS cannot be detected with MOST file browsers like Windows Explorer or the DOS command DIR.
- ADS does not affect the functionality of the target file inside which data is hidden.
- You can work with the hidden data directly without extracting it again and again.
- You do not need any special software to read/write hidden data using ADS. Plain old MS-DOS style commands ("cmd.exe") are all that you need!
- ADS does not involve any sophisticated hacking skills or anything like that.
- Moving/Copying the file into which data is hidden, also moves/copies the hidden data.
- Using ADS, you can hide any kind of data : binary/text streams.
Disadvantages of ADS:
- ADS changes the time stamp of the target file into which data is hidden.
- ADS is not supported on all file systems. So, copying a file with ADS to such a system (a FAT/FAT32 drive, for example) will remove all the hidden streams.
(1) Hiding data using ADS
So, ready to test the newly learnt skill? OK. Gear up "cmd.exe".
You heard it right, "cmd.exe": the DOS command prompt.
[[ In all the sessions below, the lines beginning with the prompt "C:\>" are the ones you are expected to type; the other lines are computer generated ]]
To begin, create a text file named test.txt and check its contents:
C:\>ECHO This is the test target>test.txt

C:\>TYPE test.txt
This is the test target

C:\>DIR test.txt
 Volume in drive C is WiND0WS XP
 Volume Serial Number is D86F-8B7A

 Directory of C:\

06/26/2009  09:15 PM                25 TEST.txt
               1 File(s)             25 bytes
               0 Dir(s)   9,065,259,008 bytes free

Now hide a second piece of data inside the same file and check it again. TYPE still shows only the original contents and DIR still reports 25 bytes:

C:\>ECHO This data is hidden>test.txt:hidden.txt

C:\>TYPE test.txt
This is the test target

C:\>DIR test.txt
 Volume in drive C is WiND0WS XP
 Volume Serial Number is D86F-8B7A

 Directory of C:\

06/26/2009  09:17 PM                25 TEST.txt
               1 File(s)             25 bytes
               0 Dir(s)   9,065,259,008 bytes free
Now, let's see the hidden data. DIR and TYPE cannot address the stream directly, but Notepad opens it without complaint:

C:\>DIR test.txt:hidden.txt
 Volume in drive C is WiND0WS XP
 Volume Serial Number is D86F-8B7A

 Directory of C:\

File Not Found

C:\>TYPE test.txt:hidden.txt
The filename, directory name, or volume label syntax is incorrect.

C:\>NOTEPAD test.txt:hidden.txt

Now, let's try hiding something else:

C:\>TYPE WallPaper_1.jpg>test.txt:Wall.jpg

C:\>START .\test.txt:Wall.jpg
Let me give you the general syntax to hide any file:
TYPE [data to be hidden]>[target file]:[Alternate stream]
You need to fill in the parts inside the square brackets. For example,
TYPE Passwords.doc>My_Pic.jpg:MyPasswords.doc will fork My_Pic.jpg with an ADS named MyPasswords.doc.
Even an .exe file can be hidden and *directly* accessed through ADS. For example:

C:\>TYPE Virus>test.txt:MyVirus.exe

C:\>START .\test.txt:MyVirus.exe

You can use ADS not only with files, but also with directories! It can be done this way (note the empty file name before the colon, which refers to the current directory):

C:\TestADS>ECHO This is hidden inside this directory > :hidden.dat

C:\TestADS>DIR
 Volume in drive C is WiND0WS XP
 Volume Serial Number is D86F-8B7A

 Directory of C:\TestADS

06/28/2009  21:37    <DIR>          .
06/28/2009  21:37    <DIR>          ..
               0 File(s)              0 bytes
               2 Dir(s)   2,828,603,392 bytes free

C:\TestADS>notepad :hidden.dat
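The same walk-through in PowerShell, as an added example that is not part of the original article. It shows what the cmd.exe session above cannot: that the reported Length really stays the same after a stream is added, and that the stream is nevertheless trivially enumerable with Get-Item -Stream *. The demo directory under $env:TEMP and the stream names are assumptions chosen for this example; the -Stream parameters exist in Windows PowerShell 3.0 and later.

```powershell
# Added example (not from the original article): alternate data streams with
# built-in cmdlets. Everything is created under an assumed demo directory.
$demo   = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$target = Join-Path $demo 'test.txt'

# Main (unnamed) stream, same as ECHO ... > test.txt in the article
Set-Content -LiteralPath $target -Value 'This is the test target'
$before = (Get-Item -LiteralPath $target).Length

# Alternate stream, same as ECHO ... > test.txt:hidden.txt
Set-Content -LiteralPath $target -Stream 'hidden.txt' -Value 'This data is hidden'

# Explorer and DIR only count the main stream, so Length is unchanged ...
$after = (Get-Item -LiteralPath $target).Length
"Length before: $before, after: $after"

# ... but the stream is visible to anyone who asks. ':$DATA' is the main
# stream; every other entry is an alternate stream.
Get-Item -LiteralPath $target -Stream * |
    Select-Object Stream, Length |
    Format-Table -AutoSize

# Read the alternate stream in place, no extraction needed
Get-Content -LiteralPath $target -Stream 'hidden.txt'

# Directories can carry streams too (the ':hidden.dat' example above)
Set-Content -LiteralPath $demo -Stream 'hidden.dat' -Value 'This is hidden inside this directory'
Get-Item -LiteralPath $demo -Stream * | Select-Object Stream, Length

# The timestamp the article warns about: writing a stream updates LastWriteTime
(Get-Item -LiteralPath $target).LastWriteTime
```

Since Windows Vista the command prompt can do the listing as well: `DIR /R` prints each stream under its file as `name:stream:$DATA`, so the "DIR cannot see it" point in the article holds for Windows XP but not for later versions.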
(2) Removing attached ADS
Now, suppose you want to delete the alternate data streams from a file without deleting the file itself. The trick is to copy the original contents (the main stream only) to a new file and then delete the original, which takes all of its ADS with it. For example:

C:\>REN test.txt temp.txt

C:\>TYPE temp.txt>test.txt

C:\>DEL temp.txt
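An added example, not from the original article: the rename-and-copy trick above drops every stream at once and also loses the file's original timestamps and ACL. Windows PowerShell 3.0 and later can instead delete a single named stream with Remove-Item -Stream, which leaves the file itself untouched. The function name and the demo path are assumptions chosen for this example.

```powershell
# Added example (not from the original article). Strips all alternate
# streams from one file or directory and reports what was removed.
function Remove-AlternateStreams {
    param([Parameter(Mandatory)][string]$LiteralPath)

    # ':$DATA' is the main stream and must stay; everything else is an ADS
    $streams = @(Get-Item -LiteralPath $LiteralPath -Stream * -ErrorAction Stop |
        Where-Object { $_.Stream -ne ':$DATA' })

    if ($streams.Count -eq 0) {
        "No alternate streams on $LiteralPath"
        return
    }
    foreach ($s in $streams) {
        Remove-Item -LiteralPath $LiteralPath -Stream $s.Stream
        'Removed {0}:{1} ({2} bytes)' -f $LiteralPath, $s.Stream, $s.Length
    }
}

# Usage against the assumed demo file from earlier; creates it if needed
$target = Join-Path $env:TEMP 'ads-demo\test.txt'
if (-not (Test-Path -LiteralPath $target)) {
    New-Item -ItemType File -Path $target -Force | Out-Null
    Set-Content -LiteralPath $target -Stream 'hidden.txt' -Value 'This data is hidden'
}
Remove-AlternateStreams -LiteralPath $target
Get-Item -LiteralPath $target -Stream *    # only ':$DATA' should remain
```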
(3) Recovering attached ADS
Suppose you want to extract the attached ADS to a separate file. For this you need the *nix utility CAT from http://sourceforge.net/projects/unxutils (the built-in COPY and TYPE will not read from a stream). Now you can simply retrieve the ADS using :
(4) Detecting ADS
There are quite a few tools to detect ADS in Windows. Some popular ones are:
- LADS (List Alternate Data Streams) by Frank Heyne
- Streams.exe from SysInternals
- ADS Spy GUI Scanner
- Crucial ADS GUI Scanner
- ADS Detector for Explorer
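An added example that is not part of the original article and not one of the tools listed above: a scanner that covers both section (3), recovering a stream into a separate file, and section (4), detecting streams, using only cmdlets built into Windows PowerShell 3.0 and later. It walks a directory tree, reports every file or directory that carries a stream other than the main ':$DATA' stream, and can copy each stream's raw bytes into a folder for inspection. Zone.Identifier (the mark-of-the-web stream Windows adds to downloads) is skipped by default so the report is not swamped with expected entries. The function name, parameter names and the sample paths are assumptions chosen for this example.

```powershell
# Added example (not from the original article): find and export alternate
# data streams under a directory tree.
function Find-AlternateStreams {
    param(
        [Parameter(Mandatory)][string]$Root,
        [string]$ExportTo,                          # optional folder for stream contents
        [string[]]$Ignore = @('Zone.Identifier')    # expected on downloaded files
    )

    # Files and directories alike can carry streams, so scan both,
    # plus the root itself. -Force includes hidden and system items.
    $items = @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue) +
             @(Get-Item -LiteralPath $Root)

    foreach ($item in $items) {
        $streams = @(Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $Ignore })

        foreach ($s in $streams) {
            $hit = [pscustomobject]@{
                Path   = $item.FullName
                Stream = $s.Stream
                Bytes  = $s.Length
            }
            if ($ExportTo) {
                New-Item -ItemType Directory -Path $ExportTo -Force | Out-Null
                # Build a plain file name such as test.txt__hidden.txt
                $safe = ($item.Name + '__' + $s.Stream) -replace '[\\/:*?"<>|]', '_'
                $dest = Join-Path $ExportTo $safe

                # -Raw returns the whole stream as one [byte[]]; the byte
                # encoding switch was renamed in PowerShell 6.
                $bytes = if ($PSVersionTable.PSVersion.Major -ge 6) {
                    Get-Content -LiteralPath $item.FullName -Stream $s.Stream -AsByteStream -Raw
                } else {
                    Get-Content -LiteralPath $item.FullName -Stream $s.Stream -Encoding Byte -Raw
                }
                if ($null -eq $bytes) { $bytes = [byte[]]@() }    # empty stream
                [System.IO.File]::WriteAllBytes($dest, [byte[]]$bytes)
                $hit | Add-Member -NotePropertyName ExportedTo -NotePropertyValue $dest
            }
            $hit
        }
    }
}

# Usage: scan the assumed demo directory and export what is found
Find-AlternateStreams -Root (Join-Path $env:TEMP 'ads-demo') `
                      -ExportTo (Join-Path $env:TEMP 'ads-export') |
    Format-Table -AutoSize
```

Because the export copies bytes rather than text, an executable or image stored in a stream (the Wall.jpg and .exe cases above) comes out byte-for-byte identical, which is what you want before handing a suspicious stream to an antivirus scanner or a hash lookup.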
So, we have come to the end of this ADS tutorial. ADS has been used extensively by malicious coders to make viruses that are difficult to detect. ADS is a potentially dangerous vulnerability in NTFS, but the security features of NTFS outweigh this vulnerability.
Thanks all for reading this article
Hope you like it.
Good bye and Take care.