Hiding files in NTFS using alternate data streams
21 years 1 month ago #881
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Hiding files in NTFS using alternate data streams was created by sahirh
I have been doing some research on alternate data streams in NTFS and wanted to know if anyone has more info on them. To give you guys a bit of background :
Alternate file streams are a way to store files in an NTFS partition so as to be compatible with the Mac's HFS file system, but Windows does not see these files at all!
I think an example would demonstrate this much better - go to a dos prompt in an NTFS partition and do the following :
[code:1]
c:\> echo normal stream >> test.txt
c:\> dir test.txt
10/07/2003 11:59a 16 test.txt
1 File(s) 16 bytes
0 Dir(s) 3,132,891,136 bytes free
c:\> more < test.txt
normal stream
c:\> echo hidden stream >> test.txt:stream
c:\> dir test.txt
10/07/2003 11:59a 16 test.txt
1 File(s) 16 bytes
0 Dir(s) 3,132,891,136 bytes free
<<note that the file size does not change>>
c:\> more < test.txt
normal stream
c:\> more < test.txt:stream
hidden stream
[/code:1]
Basically the file is 'hidden' behind the test.txt in a hidden stream.. it's invisible to the operating system unless you know how to get at it. We use the 'more' command instead of 'type' as type does not understand file streams.. most Windows commands don't.
This raises lots of interesting possibilities as those who know about this -- usually top notch crackers -- can hide files right under your nose and you would have no idea ! I have only seen this once.. a network sniffer hidden behind notepad.exe ! There was of course no visible indication of the file being present until you actually searched for the hidden stream.
What I wanted to know is how do you delete, or copy hidden streamed files ? I know that there are a few utilities that can show you the alternate streams, but I need to manipulate these streams.
It's quite scary, isn't it? Microsoft hasn't publicised this wonderful 'feature'. There are a couple of papers that go into detail, I haven't read through them yet as I'm at work.
www.ntfs.com/ntfs-multiple.htm
patriot.net/~carvdawg/docs/dark_side.html
www.tvwug.org/files/ntfs-ds.pdf
support.microsoft.com/support/kb/articles/q105/7/63.asp
Cheers,
Sahir.
PS. Using the code BB tags formatted that example nicely.. it works well for ASCII diagrams as well. Otherwise the board normally strips out the whitespace.
21 years 4 weeks ago #1180
by SixFive7
SixFive7
Hey,
When you finish your research, care to post it? Or mail it to administrator@huislan.no-ip.com ?
I'm very interested in it as well. If I find something I will post it...ok.
Greetz,
SixFive7
21 years 4 weeks ago #1183
by sahirh
Sahir Hidayatullah.
Firewall.cx Staff - Associate Editor & Security Advisor
tftfotw.blogspot.com
Replied by sahirh on topic Re: Hiding files in NTFS using alternate data streams
Here are some other good links I found:
www.dmares.com/maresware/html/ads.htm
www.giac.org/practical/Charles_Smith_GSEC.doc
And here are two programs to find ADS
www.heysoft.de/nt/ep-lads.htm
www.jsiinc.com/SUBF/TIP2800/rh2808.htm
I'm still searching for a tool that manipulates the streams easily, rather than just listing them.. though I think it should be quite easy to code one, maybe if I get some time I'll sit down and do it.
Cheers,
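The opening post asks how to copy or delete a hidden stream, and this reply is still looking for a tool that manipulates rather than just lists them. As an added example (not code from the thread or from its author), the PowerShell script below does all of it with the FileSystem provider's -Stream parameter (Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume); the demo directory, file name and stream name are constructed for the demonstration.

```powershell
# Added example (not from the thread): list, read, copy and delete NTFS alternate
# data streams using the -Stream parameter of the FileSystem provider cmdlets
# (Windows PowerShell 5.1 / PowerShell 7). Directory, file and stream names are constructed.
$demoDir = Join-Path $env:TEMP 'ads-demo'
New-Item -Path $demoDir -ItemType Directory -Force | Out-Null
$target  = Join-Path $demoDir 'test.txt'

# Recreate the thread's example: a normal file with a second, named stream behind it.
Set-Content -Path $target -Value 'normal stream'
Set-Content -Path $target -Stream 'stream' -Value 'hidden stream'

# Sweep a directory tree for files carrying named streams. ':$DATA' is the unnamed
# primary stream whose size 'dir' reports; Zone.Identifier is the routine "downloaded
# from the internet" marker and is filtered out so that unexpected streams stand out.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' }
        } |
        Select-Object FileName, Stream, Length
}

# 1. Enumerate: 'dir' still shows only the primary stream's size; the stream list tells the truth.
Write-Host "Streams on $target"
Get-Item -Path $target -Stream * | Select-Object Stream, Length | Format-Table -AutoSize
Write-Host "Named streams under $demoDir"
Find-AlternateStreams -Root $demoDir | Format-Table -AutoSize

# 2. Read: the equivalent of 'more < test.txt:stream'.
$hidden = Get-Content -Path $target -Stream 'stream' -Raw
Write-Host "Alternate stream contents: $hidden"

# 3. Copy the stream out to an ordinary file so it can be preserved or examined.
$copy = Join-Path $demoDir 'recovered-stream.bin'
Get-Content -Path $target -Stream 'stream' -Raw | Set-Content -Path $copy -NoNewline
Write-Host "Copied to $copy ($((Get-Item $copy).Length) bytes)"

# 4. Delete only the alternate stream; the primary content is untouched.
Remove-Item -Path $target -Stream 'stream'
Write-Host ("Streams after removal: " + ((Get-Item -Path $target -Stream *).Stream -join ', '))
Write-Host ("Primary content still reads: " + (Get-Content -Path $target))
```

On cmd.exe, `dir /R` (Vista and later) also lists every stream with its size, which is the quickest way to spot the mismatch the original example points out.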