Introduction

Hello everyone. Good morning/afternoon/evening/whatever :p

First of all, thank you all for your feedback on my articles. :pleased: This is my 2nd article in the OS/Windows section. I hope this article will be enjoyable and useful for all.

Some years back, I badly required a satisfactory method to store my passwords. I used to create a password protected document with my login details, but many times I used to forget the password to the protected file. So, later I switched to hiding my passwords "behind" my photo (a jpg file) using steganography. But the passwords could be read with a hex editor. Finally, when I heard about ADS, I found it the most satisfactory.

In this article, I will be talking about "hiding" data without using steganography. The whole concept behind this is the use of Alternate Data Streams (ADS). For those who don't know what steganography is, here is what Wikipedia mentions:

Steganography is the art and science of writing hidden messages in such a way that no one, apart from the sender and intended recipient, suspects the existence of the message, a form of security through obscurity. The word steganography is of Greek origin and means "concealed writing".

Alternate Data Streams

Today most Windows users rely on NTFS. ADS is a relatively unknown feature of NTFS: the ability to fork additional data (streams) onto an existing file. ADS capabilities are found in all versions of NTFS. ADS was originally created to allow for compatibility with HFS, the Macintosh Hierarchical File System, in which file information is sometimes forked into separate resources. Alternate Data Streams have come to be used legitimately by a variety of programs, including the native Windows operating system, to store file information such as attributes and temporary storage.

Advantages and Disadvantages of ADS

ADS has many advantages (even over conventional steganographic methods):

- ADS does not increase the size of the target file, no matter how much data you hide.
  (believe me !)
- ADS cannot be detected with MOST file browsers like Windows Explorer or the DOS command DIR.
- ADS does not affect the functionality of the target file inside which data is hidden.
- You can work with the hidden data directly without extracting it again and again.
- You do not need any special software to read/write hidden data using ADS. Plain old MS-DOS ("cmd.exe") is all that you need!
- ADS does not involve any sophisticated hacking skills or anything like that.
- Moving/copying the file into which data is hidden also moves/copies the hidden data.
- Using ADS, you can hide any kind of data: binary/text streams.

Disadvantages of ADS:

- ADS changes the time stamp of the target file into which data is hidden.
- ADS is not supported on all systems (it is an NTFS feature). So, copying a file with ADS to such a system will remove all the hidden streams.

Time for some Action

(1) Hiding data using ADS

So, ready to test the newly learnt skill? OK. Gear up "cmd.exe". You heard it right, "cmd.exe": the DOS command prompt.

[[ In all the transcripts below, the lines beginning with the C:\> prompt are the ones you are expected to type; every other line is computer generated. ]]

To begin, create a text file named test.txt and check its contents:

    C:\>ECHO This is the test target>test.txt

    C:\>TYPE test.txt
    This is the test target

    C:\>DIR test.txt
     Volume in drive C is WiND0WS XP
     Volume Serial Number is D86F-8B7A

     Directory of C:\

    06/26/2009  09:15 PM                25 TEST.txt
                   1 File(s)             25 bytes
                   0 Dir(s)   9,065,259,008 bytes free

Now, let's put some secret data into this test target and check its contents:

    C:\>ECHO This data is hidden>test.txt:hidden.txt

    C:\>TYPE test.txt
    This is the test target

    C:\>DIR test.txt
     Volume in drive C is WiND0WS XP
     Volume Serial Number is D86F-8B7A

     Directory of C:\

    06/26/2009  09:17 PM                25 TEST.txt
                   1 File(s)             25 bytes
                   0 Dir(s)   9,065,259,008 bytes free

Note that only the time stamp has changed, but the file size (25 bytes) and the file contents are *exactly* the same!
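The same hide-and-check sequence can be done from PowerShell, which has had native -Stream parameters on its file cmdlets since version 3.0. The following is an added example and is not part of the original article; it needs Windows PowerShell 5.1 or later (for -NoNewline) on an NTFS volume, and the file location under $env:TEMP is an assumption of the example.

```powershell
# Added example (not from the original article): hiding and reading back an
# alternate data stream with PowerShell's -Stream parameters. Assumes Windows
# PowerShell 5.1+ and an NTFS volume; the path under $env:TEMP is an assumption.

$target = Join-Path $env:TEMP 'test.txt'

# Create the visible (unnamed, ":$DATA") stream, the same as ECHO ... > test.txt
Set-Content -Path $target -Value 'This is the test target' -NoNewline

# Fork a named stream onto the same file, the same as ECHO ... > test.txt:hidden.txt
Set-Content -Path $target -Stream 'hidden.txt' -Value 'This data is hidden' -NoNewline

# The size that Explorer and DIR report covers the unnamed stream only
$visibleLength = (Get-Item -Path $target).Length

# Enumerate every stream on the file; ':$DATA' is the normal file content,
# and each named stream appears with its own length
$streams = Get-Item -Path $target -Stream * | Select-Object Stream, Length

# Read the hidden stream directly, no extraction step needed
$hidden = Get-Content -Path $target -Stream 'hidden.txt' -Raw

"Visible size: $visibleLength bytes"
$streams | Format-Table -AutoSize
"Hidden stream says: $hidden"
```

The point the listing makes is the one the DIR transcript above makes: the file's Length stays at the size of its unnamed stream no matter what is forked onto it, and only a stream-aware query (here Get-Item with -Stream *) reveals that hidden.txt exists alongside :$DATA.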
Now, let's see the hidden data:

    C:\>DIR test.txt:hidden.txt
     Volume in drive C is WiND0WS XP
     Volume Serial Number is D86F-8B7A

     Directory of C:\

    File Not Found

    C:\>TYPE test.txt:hidden.txt
    The filename, directory name, or volume label syntax is incorrect.

    C:\>NOTEPAD test.txt:hidden.txt

Did you note that the DOS commands DIR and TYPE do not detect the hidden data, but Notepad did!

Now, let's try hiding something else:

    C:\>TYPE WallPaper_1.jpg>test.txt:Wall.jpg
    C:\>START .\test.txt:Wall.jpg

I first hid a wallpaper inside test.txt and then I tried to view it directly. And, it works!!

Let me give you the general syntax to hide any file:

    TYPE [data to be hidden]>[target file]:[Alternate stream]

You need to fill in the parts inside the square brackets. For example,

    TYPE Passwords.doc>My_Pic.jpg:MyPasswords.doc

will fork My_Pic.jpg with an ADS MyPasswords.doc.

Even an exe file can be hidden and *directly* accessed through ADS. For example:

    C:\>TYPE Virus>test.txt:MyVirus.exe
    C:\>START .\test.txt:MyVirus.exe

The above code will fork test.txt with Virus.exe and will directly run it from the ADS MyVirus.exe.

You can not only use ADS with files, but also with directories! It can be done this way:

    C:\TestADS>ECHO This is hidden inside this directory > :hidden.dat

    C:\TestADS>DIR
     Volume in drive C is WiND0WS XP
     Volume Serial Number is D86F-8B7A

     Directory of C:\TestADS

    06/28/2009  21:37    <DIR>          .
    06/28/2009  21:37    <DIR>          ..
                   0 File(s)              0 bytes
                   2 Dir(s)   2,828,603,392 bytes free

    C:\TestADS>notepad :hidden.dat

See that the DIR command does not show hidden.dat, but Notepad opens it.

(2) Removing attached ADS

Now, suppose you want to delete the alternate data streams from a file without deleting the file itself. What you do is copy the original contents to another file and then delete the original file, which also deletes all of its ADS.
For example:

    C:\>REN test.txt temp.txt
    C:\>TYPE temp.txt>test.txt
    C:\>DEL temp.txt

This renames test.txt to temp.txt first, then copies its contents to a new file named test.txt, and then deletes the original temp.txt.

(3) Recovering attached ADS

Suppose you want to extract the attached ADS to a separate file. For this you need the *nix utility CAT from http://sourceforge.net/projects/unxutils. Now you can simply retrieve the ADS using:

    C:\>CAT "test.txt:hidden.txt">"Recovered.txt"

This will recover the data from the ADS hidden.txt to Recovered.txt.

(4) Detecting ADS

There are quite a few tools to detect ADS in Windows. Some popular ones are:

- LADS - List Alternate Data Streams by Frank Heyne: http://www.heysoft.de/en/software/lads.php
- Streams.exe from SysInternals: http://www.sysinternals.com/ntw2k/source/misc.shtml#streams
- Crucial ADS GUI Scanner: www.crucialsecurity.com/downloads.html
- ADS Detector for Explorer: http://www.codeproject.com/csharp/CsADSDetectorArticle.asp

Conclusion

So, we have come to the end of this ADS tutorial. ADS has been extensively used by malicious coders to make viruses that are difficult to detect. ADS is a potentially dangerous vulnerability in NTFS, but the security features of NTFS outweigh this vulnerability.

Thanks all for reading this article. Hope you like it. Good bye and take care.
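Sections (2), (3) and (4) above each rely on a separate trick or third-party tool (re-creating the file, the UnxUtils CAT, a dedicated scanner). The following is an added example, not part of the original article and not one of the tools it lists, that does all three from the defender's side with PowerShell's built-in stream support: it walks a directory tree, reports every stream that is not the normal :$DATA content, exports a finding byte-for-byte to a normal file for later inspection, and then removes just that stream, leaving the file and its visible content untouched. It assumes Windows PowerShell 5.1 or PowerShell 7 on NTFS; the scan root C:\TestADS, the quarantine folder C:\ADS_Quarantine, and the allow-list are assumptions of the example (Zone.Identifier is a stream Windows itself writes to mark downloaded files). On Windows Vista and later, cmd.exe's own DIR /R also lists streams, which is an option the 2009 article did not have.

```powershell
# Added example (not from the original article): defender-side scan, export and
# removal of alternate data streams. Assumes Windows PowerShell 5.1 or PowerShell 7
# on an NTFS volume. The paths and the allow-list below are assumptions.

function Find-AlternateStreams {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # ':$DATA' is the file's normal content; Zone.Identifier is written by
        # Windows for downloaded files and is expected, so neither is reported.
        [string[]] $Expected = @(':$DATA', 'Zone.Identifier')
    )
    Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # -Stream * enumerates every stream on a file or a directory
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin $Expected } |
                ForEach-Object {
                    [pscustomobject]@{
                        Path   = $item.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

function Export-AlternateStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Stream,
        [Parameter(Mandatory)] [string] $Destination
    )
    # Copy the raw bytes so binary payloads (a JPEG, an EXE) survive intact.
    # The byte-mode switch is named differently in PowerShell 5.1 and 7.
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -ReadCount 0
        if ($null -eq $bytes) { $bytes = [byte[]]@() }   # empty stream edge case
        Set-Content -LiteralPath $Destination -Value $bytes -AsByteStream
    } else {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -ReadCount 0
        if ($null -eq $bytes) { $bytes = [byte[]]@() }
        Set-Content -LiteralPath $Destination -Value $bytes -Encoding Byte
    }
}

# Usage: scan the assumed test folder, preserve each finding, then strip the stream.
$quarantine = 'C:\ADS_Quarantine'
New-Item -ItemType Directory -Path $quarantine -Force | Out-Null

$findings = Find-AlternateStreams -Root 'C:\TestADS'
$findings | Format-Table -AutoSize

foreach ($f in $findings) {
    # Stream names may contain characters that are illegal in file names
    $safeName = $f.Stream -replace '[\\/:*?"<>|]', '_'
    $out = Join-Path $quarantine ("{0}_{1}" -f (Split-Path $f.Path -Leaf), $safeName)
    Export-AlternateStream -Path $f.Path -Stream $f.Stream -Destination $out
    # Remove-Item -Stream deletes only that stream; the file and its content stay,
    # which avoids the rename/copy/delete dance of section (2).
    Remove-Item -LiteralPath $f.Path -Stream $f.Stream
}
```

Two design points worth noting. First, the allow-list matters in practice: a scan of a real profile directory will turn up large numbers of Zone.Identifier streams, and reporting those only buries the unexpected ones, so filter the known-benign names and review the rest. Second, exporting before removing keeps the evidence, which is what an incident responder wants when a stream turns out to be an executable rather than a forgotten wallpaper.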