inSecure Blog | Spoofedreality

If you’re running a modern version of Windows, you can use a little-known feature called Alternate Data Streams to hide your confidential files inside other files or folders.

What the heck are Alternate Data Streams?

For many years, a feature called Alternate Data Streams (ADS) has been supported by drives formatted as NTFS (Microsoft’s so-called New Technology File System, which is typical of Windows NT, 2000, XP, and later).

Using NTFS, which is an improvement over the older FAT-32 file system, data can be stored in a separate “fork” or “stream” of any file or folder. This makes Windows more compatible with Mac operating system files (which consist of a resource fork and a data fork). The separate stream can also be used to store other things, such as information you can enter on the Summary tab of some files’ Properties dialog boxes.

When data is stored in an NTFS stream, it is essentially invisible to Windows Explorer, text searches, and most of Windows’ other routine file functions. For example, you can store a 5MB .zip file inside the stream of a 1K text file. When you do, Windows Explorer still displays the size of the text file as just 1K!

Because streams are such an effective hiding place, some malware may try to hide in the NTFS stream of an otherwise innocent-looking file. Fortunately for honest Windows users, the “stream” portion of a file is lost during browser and FTP downloads. This means that streams aren’t typically used by malware to distribute itself, but to hide files within streams only after the malware has already infected your system.

Because NTFS streams are hidden from most Windows file functions, it’s a good idea to make sure that your antivirus software is capable of scanning for malware hiding in ADS. Major antivirus products, such as ZoneAlarm and McAfee Antivirus, have this capability.

If you have a legitimate reason to hide files — a parent who doesn’t want children or casual visitors to run across certain information, for example — you can easily copy any file into a stream using simple commands that are built into Windows.

It’s true that you can protect private information by converting it, for example, into a password-protected .zip file. But if this file can be seen by others, and has a name like ProposedMerger.doc, your co-workers could ask you to explain it or decrypt it. Or an intruder could use password-guessing tools to try to open the file, which could expose you to insider-trading charges. If the encrypted file is hidden within a stream, it’s less likely to be seen by casual users in the first place.

Removing or copying your data out of a stream requires special tools. Fortunately, these products are free and, as I explain below, easy to download and use.

How to create a file with a hidden stream
Keep reading…>