Alternate data streams in NTFS

KingKrool

Go to the command line and go to an NTFS drive.
Give the command: "notepad test.txt" (remove the quotes)
Type some text in (make it something like "this is first line") and save it.
Having exited from Notepad, go back to the command line.
Type "dir" and see the size of this test.txt.
Now give this command: "notepad test.txt:hidden.txt"
Write some text like "this is hidden file", then save and exit.
Go to command line and try "dir" again.
No new file, and the size of test.txt is the same as before.
Give the command "type test.txt"; it will display the old file.
Give the command "type test.txt:hidden.txt", it should give an error.
Now try "notepad test.txt:hidden.txt"
The hidden file reappears!
This is known as alternative data streams.
If you delete test.txt, this other hidden file will disappear with it.
Now you know where to store all those *Ahem* chat logs with your girlfriends.:bleh: :bleh:
 
I know it is not new. But how many guys here (save you and ferrari) know about it? I am simply spreading knowledge. It is not as if I created this feature. I am not an MS (research) employee like you, who gets a chance to work on MS stuff :bleh:
 
^^Yep I had no idea about it. Good stuff, KingKrool. What I'm curious about now is whether it's possible to mask other file types using the same principle.
 
Do this:

Make two jpg files, say f1.jpg and f2.jpg.

Then give the command: "type f2.jpg > f1.jpg:hidden.jpg"

Then delete f2.jpg (this is just to prove that there are no tricks involved).

Give the commands "mspaint f1.jpg"

and then "mspaint f1.jpg:hidden.jpg"

In fact, this can be done with practically any file.
 
So, to clarify things, is one file embedded into the other, or merely linked through the file system?

Assuming the files are linked, would mailing the file to you transfer the alternate data stream as well? Similarly, just like NTFS's broken encryption, copying the file onto a FAT partition would remove the link between the two files right?
 
The two files are not linked in any sense... that is why I said delete the second.

Basically, there is a file, and there is an alternate stream for it.

Yes, copying to FAT removes all alternate streams. And no, mailing the file will not mail alternate stream. BTW, you now know how to hide your rootkits - which is what this feature is often used for.

(I have read that this was originally intended for use with Apple's HFS, but it doesn't seem to have been used for that). There is no way to switch this feature off.
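
Added example, not part of any post in this thread: a PowerShell sketch that lists alternate data streams under a folder, since neither `dir` nor the reported file size reveals them in the steps above. `Find-AlternateStream` and the `ads-demo` scratch folder are hypothetical names; it assumes PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example: enumerate non-default NTFS streams on files under a directory.
# Find-AlternateStream is a hypothetical helper name, not a built-in cmdlet.
function Find-AlternateStream {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Zone.Identifier is the benign "downloaded from the Internet" mark; skipped by default.
        [string[]]$Ignore = @('Zone.Identifier')
    )
    # -File: only files are scanned here; -Force includes hidden and system files.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            Get-Item -LiteralPath $item.FullName -Stream * -Force -ErrorAction SilentlyContinue |
                # ':$DATA' is the unnamed default stream, i.e. the ordinary file contents.
                Where-Object { $_.Stream -ne ':$DATA' -and $Ignore -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File        = $item.FullName
                        Stream      = $_.Stream
                        StreamBytes = $_.Length      # size of the alternate stream
                        MainBytes   = $item.Length   # size that "dir" reports for the file
                    }
                }
        }
}

# Constructed demo: recreate the thread's test.txt and test.txt:hidden.txt in a scratch folder.
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$file = Join-Path $demo 'test.txt'
Set-Content -LiteralPath $file -Value 'this is first line'
Set-Content -LiteralPath $file -Stream 'hidden.txt' -Value 'this is hidden file'

# The scan reports hidden.txt with its own byte count, separate from MainBytes.
Find-AlternateStream -Path $demo | Format-Table -AutoSize

# Read the stream back, then strip it while leaving the main file untouched.
Get-Content -LiteralPath $file -Stream 'hidden.txt'
Remove-Item -LiteralPath $file -Stream 'hidden.txt'
Find-AlternateStream -Path $demo   # returns nothing once the stream is removed
```

From cmd.exe, `dir /R` lists the same streams on Windows Vista and later.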
 