NTFS Alternate Data Streams

The NTFS file system was a remarkable creation for the world of Windows. Windows NT systems have proven their local security largely on the basis of the NTFS file system. It included several new features: quotas, sparse file support, reparse points, distributed link tracking and the Encrypting File System (EFS). What I am going to describe here is not the file system itself, but a little known property of NTFS called ADS. ADS does not stand for Active Directory Services or Asynchronous Digital Systems or Another Dead Soul or anything that whacky. ADS or Alternate Data Stream is any data attached to another file but not within the file itself. Windows implements many of its little known functions like additional file information and tagging files as encrypted using ADS.

One of the most common uses of ADS has to store additional file information like the Authors name, Word count, Pages and other document data of a word file. You can view and edit this information by right clicking a word document >> properties and clicking on the summary tab. In fact any file will have a summary tab on an NTFS drive so that you can indirectly edit the ADS of that particular file. A file without any custom information added, contains a single data stream called $DATA which is the data inside the file itself and is not an alternate data stream. Any other streams attached to it will have the format filename.extension:ADSname:$data. When you open a normal file the default $DATA is read which is the data in the file itself. A normal file will be of the format filename.extension::$Data (Note there is no ADS). Imagine you had a text file full of passwords and you had attached it to explorer.exe, then to access the contents of passwords.txt file you would have to use explorer.exe:passwords.txt:$Data. You can even have ADS for a folder!! In fact any folder on a NTFS system. You could then store your passwords.txt file attached to C:\Windows!!

You can attach any number of files to any single file or folder. That means you could attach a 699 MB DvDrip AVI to a 4 MB Summer of 69.mp3 without increasing the size of your mp3 by a single byte!! Windows does not show the attached file in explorer or by any normal means. The whole 699 MB can be stored on to the hard disk (without anybody knowing) and retrieved later. Since ADS is not stored inside the parent file, the size of the mp3 remains the same!! Although disk space goes down by the same amount.

That kinda sounds far fetched right? Alright lets have a small demonstration. Lets use explorer.exe and passwords.txt

Open Notepad and type the following:
[email protected]
[email protected]#c3sium

These are web services and their respective passwords. You could type in anything you want. Then save the file as passwords.txt in C: drive.

Then go to Start >> Run >> cmd to open the command prompt. cd.. your way to C:\> then type the following:

C:\>type passwords.txt > C:\Windows\explorer.exe:passwords.txt

Delete the original passwords.txt file from C: drive. The above command is self explanatory but for all those who didnt grasp its entirety, heres how it works. The type command is a cmd internal command to display the contents of a file, so type [filename] will display the contents of the text file. The >, also called as the output redirection operator is used to redirect output from one command to another command or file. C:\Windows\explorer.exe:passwords.txt is the ADS to explorer.exe called Passwords.txt. Now your file is safe and since you have attached it to explorer.exe (highly unlikely to be deleted) you can sleep well.

To retrieve the text file or the data inside, you can again use the command prompt or notepad.

Using command prompt:
C:\>more < C:\Windows\explorer.exe:passwords.txt

More is used to display output one screen at a time. Conveniently type does not work to display file contents here. The <, also (you must have already guessed it) called the input redirection operator takes the file contents from the file and gives it to more so it is displayed a (screen) page at a time. To dump it back to a text file use:

C:\>echo | more < C:\Windows\explorer.exe:passwords.txt > Passwords.txt

This is slightly complicated. Echo is used to display whatever is given to it as an argument. Echo Hello will display Hello. The pipe (|) is used to pass the output of the more command to echo and the > is used to dump whatever got echoed to the text file Passwords.txt. Here is a simpler method.

Using notepad:
Go to Start >> Run and type the following.

Notepad C:\Windows\Explorer.exe:Passwords.txt

Notepad should open up displaying the contents of the file. You can then use File >> Save As to save it anywhere you want.

I went ahead and wrote a program that allows you to work with NTFS Alternare Data Streams (ADS) with ease. You can scan your whole hard disk for NTFS ADS, you can create, delete, modify and export streams easily. This application uses native Windows API and hence is pretty fast at it. The application called NTStream is available here


Since ADS is any data attached to another file, it will be deleted only if you delete the parent file or if you use a third party tool to delete it. Always remember the name of the data stream and the parent file to which you attached it. Creating data streams could take up valuable hard disk space (if you are planning to hide large files like movies etc.). You can use ADS to hide any type of data, even executable code. Although thats not a good administrative practice, it can be done. Viruses and worms like Email-Worm.Win32.Dumaru.a and Win2K.Stream use ADS to spread. Use ADS efficiently and non-maliciously, use it to your advantage.