The Ultimate guide to Data Hiding using alternative data stream

Before we begin our discussion on data hiding using alternative data stream files, we need first to briefly describe the file system structure that supports this feature which is the NTFS file system.

What is NTFS File System?

NTFS (New Technology File System) is a proprietary file system developed by Microsoft Corporation for its newer Windows operating systems, beginning with Windows NT 3.1 and Windows 2000, including Windows XP, Windows Server 2003, Vista, 7, server 2008, Windows 8 and all their successors to date.

NTFS supersedes the FAT file system as the preferred file system for Microsoft’s Windows operating systems. NTFS has several improvements over FAT and HPFS (High Performance File System), such as improved support for metadata, compression and auditing, and the use of advanced data structures to improve performance, reliability, NTFS supports large volumes and powerful storage solution such as RAID, plus additional extensions, such as security access control lists (ACL) and file system journaling. NTFS has the capability to encrypt or decrypt data, files, or folders; it uses a 16-bit Unicode character system set to name files and folders allowing users from all over the world to use their native language to name files & folders. The main purpose from creating this new file system was maintaining the compatibility with Macintosh Hierarchical File System (HFS) and to store additional data about each file called the metadata and this what we are going to use to hide our data.^[1][2]  

Note: during this article I use the shortcut ADS instead of Alternate Data Streams.

What is an alternate data stream (ADS)?

In NTFS, a file consists of different data stream, one stream is the primary unnamed stream which contains the visible data that we expect to see in a file after opening it, this stream is usually called the default stream and it is referenced when no stream name component is specified as a part of the pathname. The second stream is the alternative data streams; a file can have more than one ADS stream (Microsoft does not supply the number of allowed ADS files per a single file but a test conducted by Jason Fossen suggests that the maximum is 4106 regardless of the size of the ADSs themselves^[8]), for example: one stream can hold file security information such as access permission , another stream can hold other meta data about the file, for example: Word file can have a number of properties like: author , number of words , number of pages , date created and so on. These alternative data streams could be accessed by referring to their names, all these streams are linked to the main default stream of one file (normal visible file).

ADS files has the ability to be appended to existing files without affecting their size or functionality, ADS files also are not visible to windows explorer or to (DIR) command (unless we use the /R switch).If we append a malicious software (virus or Trojan) as an ADS file, it could be executed by using the (start) command (only windows XP supports executing ADS binary files through this command , newer Windows OS require another command to handle this issue as we will see later on), once executed by the user ,it can install the malicious software on its PC with silent installation , no process will appear in the process list of the Windows task manager as the program which is used to open the original file (default stream) will appear in the process list but not the malicious program, beside we can attach the malicious program to a legitimate process and executing it making it more difficult to detect.

Figure 1: default unnamed stream (Word file) associated with four ADS files (named streams)[3]

As we note from figure 1, we have 4 ADS files for a single file, any of the streams (from Stream1 to Stream4) can hold malicious software (Trojan, rootkit, virus) appended to the default main stream (visible file OriginalFile.docx) without affecting its size or function.

How we can use ADSs to hide files?

To show how we can use ADS to hide files, I will make an example. Create a new folder under the C: drive and call it (ads), open command prompt and change your working directory to (C:ads) folder. Create a text file called (outerfile.txt) using DOS as follow:

Figure 2: Creating new TXT file using command line

I marked the content of the file with green, the(echo) and (>)command tell DOS to create a file with the specified contents and output the result to the file named (outerfile.txt) , this file will be outputted on (C:ads) as it is the current working directory as appeared in DOS window.

Figure 3: Creating hidden ADS file and appending it to outerfile.txt

Now I want to create the hidden ADS file, I use the same commands to create another text file, the colon is the syntax used to create an ADS file. Use the (dir) command to check all the files existed inside the (ads) folder as follow:

Figure 4: listing c:ads directory files

We have only one file called (outerfile.txt), while the other file (ADS file) is hidden.

The file hidden in the ADS cannot be seen using (dir) or Windows Explorer, but Notepad can open it and display the contents of the file.

Figure 5: Opening hidden ADS file

Figure 6: hidden.txt opened using notepad from command line

In the same way we can copy one file to become hidden inside another file using ADS as follow:

Figure 7: hiding a file within another file using ADS technique

(Type) command is used to copy the (myfile.txt) content to be included in the alternative stream of (outerfile.txt) under the name (hiddenfile.txt).

You can make a ADSs in not only files, but also directories, here is an example:

Figure 8: Hiding data in a directory using ADS

First line I created a directory on the C: called (myfolder),Second line I changed my working directory to C:myfolder , third line I created a hidden text file (hidden.txt) using the colon: and hide it inside the (myfolder) folder as a file stream which is my working directory. Using the DIR command alone does not show the hidden stream associated with current directory, we should use the /R switch to make it visible.

We can open this hidden file using notepad as we did previously

Figure 9: Open hidden ADS file attached to a folder

 Hiding Executable in ADS files:

The most interesting feature about NTFS file system and its associated ADS files is the ability to hide executable (binary files) inside the stream, Windows XP supports running executable within ads stream files directly using the (start) command, however beginning from Windows vista, Microsoft has removed this ability for security purposes, however we are still able to hide our binary file and executing it through using symbolic link or WMIC command prompt in newer Windows OS.

Let us first learn how to hide an executable file within ADS file, I will use the standard Windows notepad program and hide it inside standard Windows calculator.

Figure 10: Hiding notepad.exe inside calc.exe

Now we can execute (myNotepad.exe) hidden inside the file stream of calc.exe

Figure 11: Running hidden notepad.exe using the start command under Windows XP

The visible process will appear as follow on Windows XP task manager:

Figure 12: calc.exe process in task manager after executing it on Windows XP

The (start) command works on Windows XP only when used to lunch binary files in hidden ADS, it is not supported by Vista, 7 and later versions, however we can still execute binary files stored inside ADSs stream through using symbolic links or WMIC command, the following lines describes these methods under Newer Windows OS (Vista , 7 , 8).

Let’s examine a scenario where an attacker successfully compromise a remote system or simply gain physical access to the victim PC, the attacker wants to run a password cracking tool in stealth mode without leaving any traces, the password cracking tool should be hidden in ADS file and executed from a USB drive formatted as NTFS, a list of saved passwords should be stored as a text file hidden inside an ADS file.

Nirsoft http://www.nirsoft.net develops many windows portable applications specialized in password recovery, one of these tools called MessnPass and it is specialized in recovering passwords of all famous instant messenger applications, we will use this tool in our example under Windows 7:

Figure 13: Hiding mspass.exe inside the ADS of a text file and creating symbolic link point back to it

First we hide mspass.exe into an ADS hidden stream of outerfile.txt file under the name password.exe , next step we create a symbolic link (run.exe) , as we are not able to execute binary files inside the hidden stream using the (start) command under windows 7 , but we still able to execute the symbolic link (run.exe) , the mspass.exe tool has a specific switch to store its output into a text file (/stext) , we use this switch to store all recovered passwords into a text file (P@sswordslist.txt) and hide this file directly inside another one (garden.doc).

Figure 14: Executing password cracking tool and hiding its output inside a hidden ADS stream

Figure 15: Viewing the list of cracked passwords inside garden.doc hidden stream

If you do not like using symbolic links to run hidden executable inside your ADS stream files, another method allows you to run the ADS hidden executable directly using the WIMIC command:

Figure 16: Using WMIC to execute binary files inside hidden streams

In the same way, we can hide any type of security programs in ADS files and execute it from within our USB flash drive.

Important notes about using ADS in hiding files:

• If we delete the main file (primary stream) , the associated ADSs files will be deleted either,
• We cannot set permission or any additional attributes to the ADS file, because ADS relies on the attributes associated with the primary stream file,
• Any new permission or attributes (like the hidden attrib) to the main file (primary stream) will also affect the ADS associated files,
• ADS files can only be created on system with NTFS file formatting, FAT file system and other types of file systems are not supported,
• The primary stream could be any type of files like PDF, folders, MS office files, videos, images, executable etc…,
• Most antivirus software do not scan Windows Alternate Data Streams for virus, and other malicious code by default, if you suspect a file is containing a malicious code in its ADS file make sure to use “Method one” described below in the “How to delete ADS files”, the first method is the best secure one as some ADS files could be hidden from the detection tools either,
• Windows does not provide any built in utilities to detect the existence of ADS files,
• we can attach more than one hidden ADSs file into one primary stream (We can have 4106 ADS files according to Jason Fossen study^[8]).

How to delete ADS files:

In case we want to delete the ADS file and we still want to keep the main stream file we can do the following:

Mehtod1:

Copy the main stream file to another disk which has FAT formatting, if the file is not too big we can move it to a flash memory with FAT file system and then moving it again to the NTFS partition, in this case the hidden ADS stream is deleted because it will not move to the FAT partition.

A warning message appears when trying to copy a primary file stream associated with ADS file into FAT partition

Figure 17: Warning message after moving a file with ADS stream to a partition with FAT formatting

This is the best method as it can delete all ADS files even thought it was from the stealth type (as we will see in next section on stealth ADS files).

Mehtod2:

The second method to delete the ADS file while preserving the primary stream is through copying the main file into a temporary file and then deleting the original file and renaming the temporary file again to its original file name.

Detecting ADSs file stream:

Windows operating system does not provide any utility to detect ADSs files on NTFS disks; fortunately we have many free tools for doing this job

LADS

This program lists all ADS files of a NTFS directory; it works from command prompt as follow:

Figure 18: Using Lads.exe tool to check hidden ADS files

Lads program is located at C: drive, we navigate to the folder where we want to check the ADSs file stream and executes the lads.exe tool , the above results appears.

Streams.exe from SysInternals:

We can execute this tool from the command line as follow to detect hidden ADSs streams in files in specific folder/drive

Figure 19: Using streams.exe from system internals to detect ADS files

In Figure 22 Iam checking (C:ads) for hidden ads streams.

In this tutorial , I demonstrate how to use ADS file streams to hide files , folder and executable inside other files , we also cover how to execute EXE files hidden inside ADS streams of other files.

In the next part of this tutorial , Iam going to cover Stealth Alternative data Streams , so we can create stealthy ADS files and hide our data inside it. Check this tutorial under Data hiding techniques section.

[important]

On the Web:

1. [1]Microsoft TechNet <online>, How NTFS works. Available at: http://technet.microsoft.com/en-us/library/cc781134%28v=ws.10%29.aspx [Accessed 2014/03/18].
2. [2]Wikipedia website <online>.NTFS files system. Available at: https://en.wikipedia.org/wiki/NTFS [Accessed 2014/03/18].
3. [3]Figure 1: adopted from Microsoft TechNet website <online>. Available at: http://technet.microsoft.com/en-us/library/cc781134%28v=ws.10%29.aspx [Accessed 2014/03/18].

[/important]