One popular method used on Windows systems is the use of Alternate Data Streams (ADS). A relatively unknown compatibility feature of NTFS, ADS is the ability to fork additional data into an existing file without affecting its functionality, its reported size, or how it is displayed by traditional file browsing utilities such as dir or Windows Explorer. Present in all versions of NTFS, ADS capabilities were originally conceived to allow compatibility with the Macintosh Hierarchical File System (HFS), where file information is sometimes forked into separate resources. Alternate Data Streams have since come to be used legitimately by a variety of programs, including the Windows operating system itself, to store file information such as attributes and temporary data.
Common command-line utilities such as type and echo can be used to create an ADS. They are used in conjunction with a redirect [>] and a colon [:] separating the file name from the stream name, which forks one file into another.
Example:
type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe
(or)
echo "ads stream" > calc.exe:mystream
The first command forks the Windows calculator program with an ADS named "anyfile.exe" that holds the complete contents of c:\anyfile.exe; the second attaches a short text stream named "mystream" in the same way.
Alarmingly, files with an ADS are very hard to detect using everyday file browsing: Windows Explorer and a plain dir listing report only the file's unnamed data stream. In our example, the file size of calc.exe will still show as the original size of about 90k regardless of the size of the anyfile.exe stream. The only visible indication that the file was changed is its last-modified time stamp, which is updated when a stream is written and is easy to overlook.
Unfortunately, there is no native way to protect a system against files hidden in an ADS if you use NTFS. The use of Alternate Data Streams is not a feature that can be disabled, and there is currently no way to limit this capability for files the user can already write to: anyone with write access to a file can attach streams to it (conversely, a user cannot fork a file he lacks write access to). Detection, covered below, is therefore the practical control.
Creating an Alternate Data Stream:
C:\>echo Hidden text > test.txt:hidden
The file appears to be empty, because only the unnamed default stream is counted, but as shown below the stream content is intact and attached to the file:
C:\test>dir test.txt
06/01/2011  01:33 PM                 0 test.txt
Viewing an Alternate Data Stream:
The stream content can be viewed by redirecting it into more (type does not accept the file:stream syntax):
C:\test>more < test.txt:hidden
Hidden text
The name and content of the ADS can be arbitrary:
C:\test>echo Arbitrary string > test.txt:arbitraryName
C:\test>more < test.txt:arbitraryName
Arbitrary string
Listing Files With Alternate Data Streams:
On Windows Vista and later, a list of alternate data streams can be obtained using 'DIR /R':
C:\test>dir test.txt /R
06/01/2011  01:33 PM                 0 test.txt
                                    38 test.txt:arbitraryName:$DATA
                                    28 test.txt:hidden:$DATA
On earlier operating systems, the Sysinternals Streams utility can be used (it can also delete the streams it finds with the -d switch):
C:\test>c:\tools\SysInternals\streams.exe test.txt
Streams v1.56 - Enumerate alternate NTFS data streams
Copyright (C) 1999-2007 Mark Russinovich
Sysinternals - www.sysinternals.com
C:\test\test.txt:
   :arbitraryName:$DATA   38
   :hidden:$DATA          28