NTFS Recovery


Did you know that you can use Alternate Data Streams for NTFS Recovery and to hide NTFS Files? This data recovery / hiding works with Windows NT and XP, is easy to do, yet most seasoned network technicians are unaware of this ability!

What is an Alternate Data Stream and how does it impact NTFS Recovery? Simply put, it’s the ability to hide data behind a file, such as text, graphics or executable code. This could include games, trojans, graphics and more and is used by hackers around the world. NTFS Recovery can uncover these hidden files.

For example: You could have a small text file (hello.txt of say 1k in size) – however, attached to it is an executable program that is 5 megs in size. When you do a directory listing (look for files on your pc), the system will show you a small 1k text file without revealing the 5 meg file.

NTFS Recovery and Data Streams Key Issues

Malicious users take advantage of this by storing a virus or trojan on your system. Employees can abuse this by hiding graphics or data behind innocent text files, or the popular 0.log file.

  • Streams are only visible to specialized software.
  • Public awareness of NTFS Recovery using streams is very low.
  • Streams can hide themselves behind directories as well as files to avoid standard NTFS Recovery.
  • Disk space used by Streams are not reported by programs such as Windows Explorer or commands such as ‘DIR’
  • Streams can be executed!
  • Executed streams do not have their filenames displayed correctly in Windows Task Manager.

NTFS Recovery – Test it by creating an ADS (text example)

The syntax used to create the Stream is relatively simple and straightforward. To create an ADS associated with the file “hello.txt”, simply separate the default stream name from the ADS name with a colon. [This example is from the command prompt of your C drive]. 
c:\>echo This is a test > hello.txt:hidden

NTFS Recovery of the ADS can then be verified using Notepad.
c:\>notepad hello.txt:hidden

Using the DIR command or programs such as Windows Explorer will prove that the NTFS file is hidden and will not be able to detect the presence of this newly created Alternate Data Stream.

NTFS Recovery – Test it by creating an ADS (executable example)

c:\>type c:\winnt\notepad.exe > hello.txt:np.exe
c:\>type c:\winnt\system32\sol.exe > hello.txt:sol2.exe

Similarly, image files, audio files, or any other stream of data can be hidden in ADSs.

Tags: ,