
Alternate data streams are a little known and little understood feature of NTFS that allows information to be effectively hidden within other files.


What about the threat of alternate data streams on NTFS file systems?

That's actually an excerpt from a longer question I got last year that I want to address separately.

Alternate data streams are a very interesting feature of the NTFS file system that not many people know about.

The security threat that the question alludes to is that alternate data streams can allow data to be trivially hidden on an NTFS formatted hard disk in a way that is difficult to detect.

First, let's define just what an alternate data stream is.

Think of it as a "file within a file".

To begin with, it's an NTFS-only feature. So if your hard disk is formatted using the FAT file system, then none of this applies to you.

I'll show by example. And unfortunately, for reasons we'll see in a moment, we'll need to do this in a Windows command shell.

First, create a text file with anything in it, using the "echo" command and file redirection:

C:> echo The quick brown fox jumped over the lazy dog. >textfile.txt

As you might expect, that puts the text into the text file "textfile.txt":

C:> type textfile.txt
The quick brown fox jumped over the lazy dog.
C:>

And have a look at the directory listing for the file:

C:> dir textfile.txt
Volume in drive C is LEO
Volume Serial Number is 3007-E4F1

Directory of C:\

06/14/2007 03:35 PM 48 textfile.txt

All is as we would expect.

Now, run this command:

C:> echo Where oh where has my little dog gone? >textfile.txt:hidden

This looks like we're creating a new file called "textfile.txt:hidden", but we're not. We're creating an alternate data stream within the file "textfile.txt" by the name of "hidden".

In fact, we can examine that just like the first:

C:> type textfile.txt:hidden
The filename, directory name, or volume label syntax is incorrect.
C:>

Oh. Apparently we can't do it exactly the same. We can do this, though:

C:> more <textfile.txt:hidden
Where oh where has my little dog gone?
C:>

And the original "default" data stream is still there too:

C:> type textfile.txt
The quick brown fox jumped over the lazy dog.
C:>

And yet, there's only the one file:

C:> dir textfile*
Volume in drive C is LEO
Volume Serial Number is 3007-E4F1

Directory of C:\

06/14/2007 03:39 PM 48 textfile.txt

There are two very interesting things to note about that last directory listing:

  • The size of the file is unchanged. In fact, the size (48) reflects only the size of the default data stream. There could be very large alternate data streams attached to the file and you wouldn't see them.

  • The timestamp on the file did change when the alternate data stream was added. But that's the only visible indication that anything happened, with the possible exception of the fact that free space on the drive in question did go down.

The alternate "hidden" data stream is just that - very well hidden. You wouldn't know to look for it unless ... well, unless you knew to look for it.

The Risk

So that was all an interesting exercise in hiding data, and I'm sure that several folks will now look at hiding sensitive information or their pornography collection in alternate data streams in otherwise innocuous looking files.

But it gets worse.

Let's do this:

c:> type c:\windows\system32\calc.exe >textfile.txt:calc.exe

What this has done is copied the Windows calculator program into an alternate data stream called "calc.exe" inside of "textfile.txt". Once again, aside from its timestamp changing, "textfile.txt" still looks like a 48 byte text file that contains only one line of text.

And yet, we can now do this:

c:>start c:\textfile.txt:calc.exe

which launches the hidden copy of calc.exe from its alternate data stream inside of "textfile.txt".

Imagine if that weren't calc.exe at all.

Imagine if that were malware.

Alternate Data Stream Limitations

If you copy a file with alternate data streams to another NTFS partition, then the streams are retained. However, if you copy the file to a FAT or other file system that does not support alternate data streams, the streams will be silently lost in the copy. Only the default stream will be copied.

Since many programs save files in a way that works very much like a copy operation, it seems to me that it would be very easy to lose your alternate data streams if you operate on a file that has them. For example, when I edited the example textfile.txt in a random text editing program, the alternate streams were stripped off when the file was saved.

The Real Problem

As we've seen, support for alternate data streams is sporadic. I couldn't create one in Notepad, for example, but it's easy to do in a command shell. You can't "type" one directly, but an alternate data stream is easily created and viewed when used as the target of input or output redirection. And we've just seen how easy it is to run one using the command prompt "start" command, but you can't just execute it like a normal program by typing it into the Start menu's Run command.

In fact, alternate data streams are simple to use in programs that support them, but very few actually do directly. More to the point, alternate data streams are almost impossible to detect without third party software. Even worse, they're typically not scanned by anti-virus and anti-spyware packages. As a result, not only could data be very effectively hidden on your machine, that "data" could easily include malware.

Fortunately, to date, I'm not aware of any malware taking advantage of alternate data streams.

Solutions?

Alternate Data Streams cannot be turned off.

There are no tools built into Windows that will let you look for the presence of alternate data streams.

The only solution I'm aware of to date is a third party utility, lads.exe (List Alternate Data Streams). If I run that on the file I've created as my example, I see this:

c:>lads

LADS - Freeware version 4.10
(C) Copyright 1998-2007 Frank Heyne Software (http://www.heysoft.de)
This program lists files with alternate data streams (ADS)
Use LADS on your own risk!

Scanning directory C:\

      size  ADS in file
----------  ---------------------------------
    114688  C:\textfile.txt:calc.exe
        41  C:\textfile.txt:hidden

If you like, you can use lads.exe to scan your entire hard drive for files with alternate data streams.

The presence of an alternate data stream does not necessarily indicate a problem. In fact, I found a couple of valid instances on my machine when I scanned. I was surprised, but they were there and they were valid.
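Newer Windows versions do ship a way to list streams: since Windows 8 / PowerShell 3.0, Get-Item -Stream * enumerates them, and cmd's "dir /R" does too from Vista onward. The script below is an added example, not from the original article; the scan root is a placeholder and the "MZ" check is a simple heuristic for the calc.exe case shown above:

```powershell
# Added example, not from the original article: enumerate alternate data streams
# with Get-Item -Stream (PowerShell 3.0 / Windows 8 and later, which postdates the
# 2007 article). Scan root is a placeholder; run it against any NTFS path.
param([string]$Root = 'C:\scan-target')   # placeholder, not a path from the page

function Find-AlternateStreams {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        # ':$DATA' is the unnamed default stream that dir and Explorer report;
        # every other entry is an ADS that normal tools do not show.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -ne ':$DATA' } |
          ForEach-Object {
            # Heuristic: a stream beginning with "MZ" looks like a PE executable,
            # the calc.exe case from the article. Reading one line is enough.
            $first = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -TotalCount 1 -ErrorAction SilentlyContinue
            [pscustomobject]@{
                File        = $file.FullName
                Stream      = $_.Stream
                Bytes       = $_.Length
                # Zone.Identifier is Windows' own "downloaded from the Internet" mark.
                Expected    = ($_.Stream -eq 'Zone.Identifier')
                LooksLikePE = [bool]($first -and "$first".StartsWith('MZ'))
            }
          }
      }
}

# Unexpected streams first, then largest first, like the LADS size column.
Find-AlternateStreams -Path $Root |
  Sort-Object Expected, @{ Expression = 'Bytes'; Descending = $true } |
  Format-Table File, Stream, Bytes, Expected, LooksLikePE -AutoSize
```

A stream flagged LooksLikePE on an otherwise plain text file is exactly the textfile.txt:calc.exe situation from the article and is worth examining with an anti-malware scanner.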

The Bottom Line: Should You Worry?

No. Not yet anyway.

Alternate data streams have been around for a long time. Their lack of consistent support across applications is probably their undoing for malware creators as well. However since NTFS has become so popular in recent years, it wouldn't surprise me to see malware start to take advantage of alternate data streams as a way to hide themselves, or the data that they may be collecting.

In the meantime, if you're concerned, use the lads.exe utility to scan your system to see if you have any.

And of course, it's a very handy way to hide information on your machine. It's not bulletproof, as we've seen, but it's certainly one way to keep the presence of certain files or data from being immediately obvious to the casual observer.

Article C3057 - June 14, 2007

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


8 Comments
Dan Ullman
June 15, 2007 8:51 AM

Is there a reason that alternate data streams exist?

Leo A. Notenboom
June 15, 2007 9:21 AM


To be honest, I'm not sure. I've heard tell that they were an attempt to
provide the same functionality as "forks" I think it is on Macintosh systems at
the time. If so, I think it was doomed for backwards-compatibility reasons.

But I'm not totally sure.

And again, once in, it's incredibly difficult to remove a "feature" -- for
backwards compatibility reasons. :-(

Leo

Ken Crook
June 16, 2007 9:32 PM

Just downloaded and installed LavaSoft Ad-Aware2007. On the Settings page there is a button for "Scan Alternate Data Streams". When I saw this I had no idea what it was about. It is a nice coincidence your newsletter has an article on Alternate Data Streams. So there is now at least one way to scan for Alternate Data Streams.

Thank you Leo.

George Birbilis
June 17, 2007 2:23 AM

Actually there is malware exploiting ADS, else Ad-Aware and other s/w wouldn't be scanning them.

Michael Dalton
December 11, 2007 8:12 AM

Hello Leo,

The erasure software programme 'Cyberscrub' provides an option to erase Alternate Data Stream files. CyberScrub warns that it will try to save the ADS Main File(s) when it is deleting the others, but it does not guarantee that it will be able to do so. Are these Main Files essential to the healthy operation of the platform (XP) - can I risk their erasure? Can anyone know? If CyberScrub fails to preserve one, some, or all of the Main Files, will these be regenerated, if necessary/essential, at the next boot, or could erasure result in a catastrophe?

It seems a wee bit anomalous that a programme which is designed to execute comprehensive erasure processes cannot in fact do this safely, because of the existence of these files which move in mysterious ways.

Cyberscrub searches for, and identifies, the ADS files on your system. The ADSs it finds on mine are as follows:-

C:\Documents and Settings\All Users\...1: :encryptable $DATA (1 entry)

C:\Documents and Settings\My Name\...1 :Zone Identifier:$DATA (3 identical entries)

C:\Documents and Settings\My Name\...1 :Favicon:$DATA (1 entry)

C:\RECYCLER\S-1-5-21-124738149-13...1 :Zone Identifier:$DATA (3 identical entries)

C:\System Volume Information\_restor... :Zone Identifier:$DATA (4 identical entries)

and then dozens of these:-

C:\SystemVolume Information\_restor :a:$DATA

Perhaps it is all imponderable.

Best wishes,

MD

David Spector
November 30, 2009 5:56 AM

Alternate data streams are used by some antivirus software (Kaspersky Labs) to store a unique "hash" value that works as a short signature that represents the file contents. This allows the antivirus program to detect any simple change in contents that does not also update the signature stream. The cost of this otherwise excellent feature is the expansion in disk size of every file.

By the way, the excellent freeware program FileAlyzer 2 has a tab for showing the Alternate data streams in any file, including special (inaccessible) streams such as Security and Object identifier. The default stream type is Alternate.

Alternate data streams can be nested. Internally, an alternate stream named foo is represented as :foo:$DATA, so some alternate stream programs may use this syntax.

In Windows, Microsoft Word uses an alternate data stream to store extra information about a file, such as the Author name. Also, downloaded files are marked by the presence of an Alternate-type stream named :Zone.Identifier, which contains the text "INI file"

[ZoneTransfer]
ZoneId=3

to indicate which "Zone" was used for the download (3 means "Internet"). On the Properties context dialog box for the file, you can click Unblock to delete this stream.
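As an added example (not from the comment or the article), the following PowerShell reads the Zone.Identifier stream described above, parses the [ZoneTransfer] INI text and maps ZoneId to its zone name; the file path is a placeholder, and Get-Content -Stream requires PowerShell 3.0 or later:

```powershell
# Added example, not from the comment or article: read a file's Zone.Identifier
# stream (the "mark of the web") and decode the [ZoneTransfer] INI it contains.
# Requires PowerShell 3.0+ for -Stream; the path passed in is a placeholder.
function Get-DownloadZone {
    param([Parameter(Mandatory)][string]$Path)

    # Zone IDs of the Windows URL security zone model.
    $zoneNames = @{ 0 = 'Local Machine'; 1 = 'Local Intranet'; 2 = 'Trusted Sites';
                    3 = 'Internet';      4 = 'Restricted Sites' }

    # A file with no Zone.Identifier stream was never marked (or was unblocked).
    $lines = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $lines) {
        return [pscustomobject]@{ Path = $Path; Marked = $false; ZoneId = $null; Zone = $null; HostUrl = $null }
    }

    # The stream is INI text: a [ZoneTransfer] section followed by Key=Value lines.
    $fields = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*([^=\[\]]+?)\s*=\s*(.*?)\s*$') { $fields[$matches[1]] = $matches[2] }
    }

    $zone = 'Unknown'
    $id = $null
    if ($fields.ContainsKey('ZoneId') -and $fields['ZoneId'] -match '^\d+$') {
        $id = [int]$fields['ZoneId']
        if ($zoneNames.ContainsKey($id)) { $zone = $zoneNames[$id] }
    }

    [pscustomobject]@{
        Path    = $Path
        Marked  = $true
        ZoneId  = $id
        Zone    = $zone
        # Newer Windows builds may also record the download origin; null if absent.
        HostUrl = $fields['HostUrl']
    }
}

# Placeholder path; on a real Internet download this reports ZoneId 3 / "Internet".
Get-DownloadZone -Path 'C:\Users\someone\Downloads\example.exe'
# Unblock-File (PowerShell 3.0+) removes the stream, like the Unblock button in Properties.
```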

Nancy
April 29, 2012 12:43 PM

I just got an extra kiss from my husband for finding your site! Don't expect a comment.
Thanks

Er1c
December 1, 2012 5:04 PM

"To begin with, it's an NTFS-only feature." - Not true. In WINDOWS, it is an NTFS-only feature. The Macintosh OS7/8/9 and OS/2 HPFS used ADS as well.

Also, the easiest way to remove them is to move the file to an exFAT, FAT16 or FAT32 partition, which ignores and drops ADS, then move it back. :D
