Hiding (And Finding) Malicious Data in NTFS
by Russ Rogers - 12/1/99
Chances are that if you're familiar at all with the UNIX environment, you know that files can be hidden by simply "mounting" another
directory over the target. There is also a great method for hiding files under Windows NTFS file systems.
This "feature" of NTFS is definitely not a secret, but it's not talked about much. I think that's because of its implications.
We're talking about streams: the ability to create and access multiple "files" that exist under ONE filename. Technically,
they aren't actually files; they are separate streams of data that are associated with one filename through the use of a colon and
another name.
For instance, to create a simple stream we use notepad from the command line to make a new text file:
C:\>notepad testfile
Now a file named "testfile" exists in whatever directory we were in. We can create yet another datastream and associate it with this
same filename, using a unique stream name:
C:\>notepad testfile:newstream
The colon attached to the filename designates the different datastreams associated with the filename. This also means that DOS
commands (or command.com) cannot access those datastreams, because they can't parse past the colon in the name. Colons are only used
in DOS filenames to qualify the particular drive.
These alternate streams of data are pretty safe from the prying eyes of other users. They can only be viewed by a user with Backup
Privileges, which excludes most users. Files like this can be used to store "sniffed" data, keyboard logs, or data that is
restricted on the network. Editing a datastream will not alter the visible file size that is available to users on the system.
But streams can be associated with more than just files. They can be attached to directories, too. By executing the following
command, we can associate a text file to a datastream within a directory:
C:\>notepad :badstuff
We haven't seen the wide use of this form of data hiding, yet. But as time progresses, there is no doubt that this will become more
common. System Administrators need a way to check for these streams, which normally will not show up. One of the BEST ways to check
for these NTFS datastreams is from March Information Systems. It's called StreamFind and is a command line utility that parses
through the NTFS table and kicks out a list of all alternate datastreams.
The original home page for March is http://www.march.co.uk , but I've been unable to reach that URL recently.
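As a defender-side check for the streams described above, here is an added PowerShell example (not from the article, and not StreamFind) that walks a directory tree with the -Stream parameter of Get-Item, available since PowerShell 3.0 on NTFS volumes; the starting path C:\Data is an assumption.

```powershell
# Added example (not from the original article): enumerate alternate data
# streams under a directory tree using Get-Item -Stream (PowerShell 3.0+, NTFS).
# The default content stream is reported as ":$DATA" and is skipped;
# "Zone.Identifier" is the mark-of-the-web stream browsers write, so it is
# flagged as benign to make genuinely unexpected streams stand out.
param(
    [string]$Root = "C:\Data"   # assumed starting directory; change to suit
)

function Find-AlternateStreams {
    param([string]$Path)

    # Directories can carry streams too (the "notepad :badstuff" case above),
    # so include them rather than only files. -Force includes hidden items.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # Access-denied or non-NTFS entries simply yield nothing.
            $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue
            foreach ($s in $streams) {
                if ($s.Stream -eq ':$DATA') { continue }   # the normal file content
                [pscustomobject]@{
                    Path   = $item.FullName
                    Stream = $s.Stream
                    Length = $s.Length
                    Benign = ($s.Stream -eq 'Zone.Identifier')
                }
            }
        }
}

# Report every non-default stream; anything not flagged Benign deserves a look.
$hits = Find-AlternateStreams -Path $Root
$hits | Sort-Object Benign, Path | Format-Table -AutoSize

# To inspect a suspicious stream's content once found (read-only):
#   Get-Content -LiteralPath 'C:\Data\testfile' -Stream 'newstream'
```

Because the stream length is reported separately from the file's visible size, this listing also surfaces the size discrepancy the article mentions.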