Alternate Data Streams in NTFS
*What is NTFS? It is the abbreviation of New Technology File System - Windows NT's preferred file system.
*What is an alternate data stream (ADS)? In NTFS, a file consists of different data streams. One stream holds the security information (access rights and such things), another one holds the "real data" you expect to be in a file. There may be another stream with link information instead of the real data stream, if the file actually is a link. And there may be alternate data streams, holding data the same way the standard data stream does.
What is wrong with alternate data streams? I could say: Nothing, they work as expected and as documented (yes, Microsoft did document this feature). But stop - there is something wrong: They are totally hidden. You can have a file with 1 byte in the official main data stream and some hundred MB in one or more alternate data streams. What do you expect the dir command, file manager or explorer to show as the size of this file? It is 1 byte!
That means a user can hide quite a lot of data in alternate data streams and nobody will know. Even the Guest account can create such streams in every file it has write access to.
Where can I find more information regarding ADS? See The Dark Side of NTFS by H. Carvey http://www.infosecwriters.com/texts.php?op=display&id=53
*How does somebody create an ADS? You can do it on the command prompt, like notepad visible.txt:hidden.txt. This will create a hidden stream hidden.txt in the file visible.txt. It doesn't matter whether the file exists or not.
*How does somebody copy data into an ADS? type atextfile > visible.txt:hidden2.txt. This will create another hidden stream hidden2.txt in the file visible.txt.
*How does somebody copy text data from an ADS into a "normal" file? more < visible.txt:hidden2.txt > newfile.txt. This will create a file newfile.txt from the hidden stream hidden2.txt in the file visible.txt.
*How does somebody copy binary data from an ADS into a "normal" file? cat visible.txt:hidden.exe > hack.exe. This will create a file hack.exe from the hidden stream hidden.exe in the file visible.txt. (Cat is a tool from the Resource Kit.)
*How does somebody delete an ADS? Let us assume you know there is a file important.exe with an ADS attached to it. The file is very important and the ADS very dangerous. You need to keep the main stream and delete the ADS. Let us assume there is no FAT drive on your network, otherwise you could move the file to this drive and then move it back again (FAT has no streams, so the ADS is dropped by the move). All you need to do is:
ren important.exe temp.exe
cat temp.exe > important.exe
del temp.exe
The method above does not work when the ADS is attached to a directory. If you need to remove, for instance c:\Windows:harmful.exe without reinstalling Windows, you could use this trick. (If you use NT 5.x, you need a copy of Notepad.exe from NT 4!)
- Open the ADS with Notepad: C:\NT4Tools\Notepad.exe c:\Windows:harmful.exe
- Delete the entire content of the ADS
- Close notepad. It will ask whether you want to save your changes
- Answer YES
- Notepad will tell you that the file is empty and that it will delete it
Now you are done, the ADS is gone.
Can somebody add an ADS to a directory entry instead of a file? Yes, it works the same way.
Programs to read and modify ADS
http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx
http://www.isgeo.kiev.ua/shareware/index.html
http://www.heysoft.de/nt/lads.zip
http://code.google.com/p/ntfs-streams/wiki/AboutNTFS_Streams
http://support.kaspersky.com/faq/?qid=193238621
http://www.securityfocus.com/infocus/1822
Types of ADS
favicon -> Forum.url:favicon:$DATA
It does no good to clean the ADS on items like the one above, because as soon as you go to the webpage again, IE7 will store the favicon again. So these have to be ignored as an "annoyance" logged item.
KAVICHS is nothing but service information recorded in the file stream by Kaspersky (ver 5). These can cause a different virus scanning program to crash your computer, so they should be removed if you are not using KAV: http://support.kaspersky.com/faq/?qid=193238621
Zone.Identifier -> :Zone.Identifier
26 bits that hold: [ZoneTransfer] ZoneID=3. This is Win XP and newer, and it says that the file was downloaded using Internet Explorer from Zone 3 (Internet).
If the sum of available and used storage on a hard disk is much less than its size, check whether and where there are alternate data streams on your NTFS disks!
http://www.heysoft.de/nt/lads.zip
Command line tool called LADS (List Alternate Data Streams) that scans the entire drive or a given directory.
It lists the names and sizes of all alternate data streams it finds. This software is provided "as is", without warranty of any kind! Use it at your own risk! The program is a tool for Administrators.
Example commands:
C:\TEMP\t>echo Hello > t
C:\TEMP\t>echo My Secret > t:secret
(LADS does not find the ADS C:\TEMP\t\t:secret!)
With the second command, you did not create an ADS, but you did create a file secret on drive t:\ instead.
Use path and file name and try again: C:\TEMP\t>echo My Secret > C:\TEMP\t:secret
or do it the short way: C:\TEMP\t>echo My Secret > .\t:secret
LADS version 2.10 and above calculates the sum of the file sizes of a directory differently from version 2.0, and has been optimized for fast execution. When possible, not every file will be scanned. The only disadvantage is that the size of each file header can no longer be determined, so it is now neglected when calculating the sum of used space.
The program uses some API functions of Windows NT, therefore it needs to run under some kind of Windows NT (as NT4, W2K or WXP).
In NTFS, every stream of a file has a header. LADS reads all these headers and shows only those that belong to an ADS.
The program changes nothing in the file system. It only reads the available information with the help of the appropriate API functions.
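A scanner in the spirit of LADS, covering the stream types listed under "Types of ADS" above as well. This is an added example, not code from the original page, from LADS or from Sysinternals Streams; it assumes Windows PowerShell 3.0 or later (the FileSystem provider's -Stream parameter), and the paths in the usage lines are hypothetical.

```powershell
# Added example, not code from the original page or from the LADS/Streams tools.
# Assumes Windows PowerShell 3.0+ (FileSystem provider with -Stream); paths are hypothetical.
function Find-AlternateDataStreams {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)][string]$Path,
        [switch]$Remove   # delete unexpected file streams; honours -WhatIf / -Confirm
    )
    # Stream names the page describes as benign noise: report them, but don't count them as payload
    $known = @{
        'Zone.Identifier' = 'Mark-of-the-Web written on download (ZoneID=3 means Internet)'
        'favicon'         = 'IE7 favicon cached on a .url shortcut; re-created on next visit'
        'KAVICHS'         = 'Kaspersky 5 scan-status record'
    }
    $unexpectedBytes = 0
    # Scan the directory entry itself too: an ADS can hang off a folder (e.g. c:\Windows:harmful.exe)
    $items = @(Get-Item -LiteralPath $Path -Force) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        # ':$DATA' is the main stream that dir/Explorer report; any other stream is an ADS
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' }
        foreach ($s in $streams) {
            $zoneId = $null
            if ($s.Stream -eq 'Zone.Identifier') {
                # Parse the [ZoneTransfer] / ZoneID=n record described on the page
                $txt = Get-Content -LiteralPath $item.FullName -Stream $s.Stream -Raw
                if ($txt -match 'ZoneId=(\d+)') { $zoneId = [int]$Matches[1] }
            }
            if ($known.ContainsKey($s.Stream)) { $note = $known[$s.Stream] }
            else { $note = 'UNEXPECTED'; $unexpectedBytes += $s.Length }
            [pscustomobject]@{
                Path = $item.FullName; Stream = $s.Stream; Length = $s.Length
                ZoneId = $zoneId; Note = $note
            }
            # Only file streams are removed here; for a stream on a directory use the Notepad trick
            if ($Remove -and $note -eq 'UNEXPECTED' -and -not $item.PSIsContainer -and
                $PSCmdlet.ShouldProcess("$($item.FullName):$($s.Stream)", 'Remove stream')) {
                Remove-Item -LiteralPath $item.FullName -Stream $s.Stream
            }
        }
    }
    # Like the LADS total: bytes that dir and Explorer leave out of the visible file sizes
    Write-Verbose ("{0} bytes in unexpected alternate data streams under {1}" -f $unexpectedBytes, $Path)
}

# Usage (hypothetical paths): list first, then dry-run the removal before doing it for real
# Find-AlternateDataStreams -Path C:\test -Verbose | Format-Table -AutoSize
# Find-AlternateDataStreams -Path C:\test -Remove -WhatIf
```

Because -Stream takes the stream name separately from the path, this avoids the drive-letter trap shown in the LADS example commands (t:secret being read as a file on drive T:).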
HIDDEN TEXT
mkdir c:\test
notepad c:\test:hidden.txt //write whatever you want in the notepad and save it
cd c:\test
dir //notice no file sizes!
more < c:\test:hidden.txt //see what's inside the file
HIDDEN EXECUTABLE BINARY
type c:\windows\system32\notepad.exe > c:\test:np.exe //create a hidden executable file
dir c:\test
start c:\test:np.exe
c:\apps\lads.exe c:\test //notice that the file IS there!
c:\apps\streams -d -s c:\test //remove all streams (including sub dirs)
NOTE that unprintable characters in file names may prevent some ADS scanners from finding them...
*What possibilities does Microsoft provide to check if there are alternate data streams on my NTFS disks? Do you expect they care?
You are right ;-) Just visit http://msdn2.microsoft.com/en-us/library/ms810604.aspx. Besides some background information and sample code, they provide a download NTFSext.exe which contains, among other things, a file strmext.dll. Just put it in the system32 folder and run the command
regsvr32 StrmExt.dll
Now you have a new tab in the file properties of Windows Explorer. It does not help much to search for ADS, but is nice if you already know a file which has an ADS.
To make the tab visible for folders, you need to add the following Registry key:
HKEY_CLASSES_ROOT\Directory\shellex\PropertySheetHandlers\{C3ED1679-814B-4DA9-AB00-1CAC71F5E337}
To make the tab visible for root folders, you need to add the following Registry key:
HKEY_CLASSES_ROOT\Drive\shellex\PropertySheetHandlers\{C3ED1679-814B-4DA9-AB00-1CAC71F5E337}
And starting with version 6.0 (Vista), the DIR command of Windows knows the switch /R.
LADS found an ADS of length 0 byte. I am unable to view the contents of this file, text or otherwise. I tried to copy the text data from an ADS file as discussed above, no success
There is never any content when the size is 0 Byte, ok?
I'm not sure if you got my entire message, here is what I wrote: LADS reported an ADS files, 0 bytes in size, on my computer.
Well, I got it. To better understand what I said, do the following:
- Start Windows Explorer
- Select a folder of your choice in the left pane
- Select File - New - Text file
- You will get a new file with a size of 0 byte
- Now try to view the content of this file - probably you see the same as when you are viewing an ADS of the same size - nothing?
Is it more clear now? 0 byte = NOTHING !!!
TO REMOVE KAVICHS STREAMS QUICKLY
Use the ADS stream revealer LADS, then use the Sysinternals stream remover:
ads-sys-internals-streams.exe -s -d c:\