
File Stegano using ADS



By ghostghost | 4951 Reads |

Alternate Data Streams (ADS) are a largely unused feature of the Windows NTFS file system. They were initially implemented to support the Macintosh Hierarchical File System (HFS), in which a file consists of both a data fork and a resource fork. The data fork stores the user’s data, while the resource fork stores information about the file, such as which application was used to create it and thus should be used to open it. Windows, on the other hand, uses only the file’s extension to determine which application should open it.

NTFS provides this Mac support by storing the resource fork portion in a hidden stream. This is the Alternate Data Stream. I am not aware of any other program that uses ADS for any legit purposes; however, I may be wrong. As an FYI, *nix file systems do not support ADS.

Now that the boring stuff is over, let’s get into its practical hacking application. ADS can be used to hide text, other data such as mp3s or videos, and even executables in the alternate stream of a normal file. It becomes a form of steganography. The cool thing is, the file size does not change. This means that if you put two files side by side, one containing regular data and the other containing the same data plus data hidden in the ADS, the two file sizes will be identical. This is unlike image stegano, where a picture hidden inside another picture will change the file size.

Another great feature is that you can view the file using Notepad, Word, a hex editor, etc., and you would have no idea that there was information hidden inside the ADS.

From a forensic standpoint, the only way to identify files that have info in their ADS is to run EnCase, FTK, or a stand-alone ADS scanner like LADS against the files.

Let’s try it out:

Create a text file that contains Hello World:

C:\>echo "Hello World" > ADS.txt

C:\>more < ADS.txt
"Hello World"

Creating some hidden text in the ADS:

C:\>echo "This is an ADS example" > ADS.txt:ads

C:\>more < ADS.txt:ads
"This is an ADS example"

As you can see, opening the file in the normal way displays the normal text. However, if you open the file and append the name of the ADS you created to the file name, your ADS stream opens instead.

Now, let’s hide an executable in a regular text file:

Create a text file with some text:

C:\>echo "ADS .exe test" > ADS2.txt

C:\>type ADS2.txt
"ADS .exe test"

Let’s now hide the calculator executable inside our text file:

C:\>type c:\WINDOWS\system32\calc.exe > ADS2.txt:calc.exe

We can now start the calculator using the start command:

C:\>start .\ADS2.txt:calc.exe

Yahtzee!!! The calculator pops up! Think about what other types of files you could hide inside a benign text file. There are so many practical uses.

Enjoy the many practical ways you can use this technology on your system or someone else’s ;)
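
To find streams like the ones created above, named streams can be enumerated with PowerShell's built-in Get-Item -Stream (PowerShell 3.0 or later). This is an added example, not code from the original article; the function name Find-AlternateDataStream and the scanned path are assumptions chosen for illustration.

```powershell
# Added example (not from the original article): list every named alternate
# data stream under a directory and flag the ones that start with "MZ",
# the header of a Windows executable such as the calc.exe copy above.
# Find-AlternateDataStream is a name chosen for this example.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory = $true)]
        [string] $Path    # directory on an NTFS volume to scan
    )

    # Reading raw bytes is spelled differently in Windows PowerShell 5.1
    # and in PowerShell 6 or later.
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $byteArgs = @{ AsByteStream = $true }
    } else {
        $byteArgs = @{ Encoding = 'Byte' }
    }

    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # ':$DATA' is the unnamed main stream every file has; skip it.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    $head = @(Get-Content -LiteralPath $file.FullName -Stream $_.Stream `
                                  -TotalCount 2 -ErrorAction SilentlyContinue @byteArgs)
                    [pscustomobject]@{
                        File         = $file.FullName
                        Stream       = $_.Stream
                        Length       = $_.Length
                        LooksLikeExe = ($head.Count -eq 2 -and
                                        $head[0] -eq 0x4D -and $head[1] -eq 0x5A)
                    }
                }
        }
}

# Constructed usage: scan a folder and show executable-looking streams first.
# Zone.Identifier streams on downloaded files are normal and will also appear.
Find-AlternateDataStream -Path 'C:\Users\Public' |
    Sort-Object LooksLikeExe -Descending |
    Format-Table -AutoSize
```

The Length column is the size of the hidden stream itself, which the plain dir listing of the host file does not include.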

Comments
ghost 17 years ago

Doesn't work on vista :(

ghost 17 years ago

hmmm…hiding text in a file works in Vista (I just tested it)…however, I can't seem to get the executable functionality to work :( I'll have to look into this. Oh, I found out that if you do C:\>dir /r ADS2.txt in Vista, it will list the ADS's that exist in the file…pretty cool

mido 17 years ago

nice article :) I've rated it very good :P

ghost 17 years ago

Thanks mido :)

lukem_95 17 years ago

I never even knew about this, nice article, could have been better explained though.

ghost 17 years ago

Very interesting LanceUppercut…

And figured out ads is an example. you can hide shit in like file.txt:digitalfire

huh what do you know.

ghost 17 years ago

*hide shit in like f i l e . t x t : d i g i t a l f i r e

Uber0n 17 years ago

Hey, this really is an awesome trick :love: thanks Lance!

Shorty626FL 17 years ago

Amazing :D

ghost 15 years ago

Great trick! :D Too bad it does not work with exe's on Vista. :(