Wednesday, September 5, 2012

Steganography using Alternate Data Streams (ADS)



1) Embedding secret.txt into test.txt

  • In the command prompt, execute the command "notepad.exe test.txt:secret.txt" (without quotes) and press Enter. You will see a popup asking you to confirm creating a new file; press Yes.
  • You will not be able to see your new file even if you enable the "show hidden files" option. You will only see test.txt.
  • Execute notepad.exe test.txt:secret.txt to open your secret.txt file, write anything, and save.
  • You will see that the size of test.txt does not increase even if you type millions of characters into secret.txt. (It is a really important bug in the NTFS file system.)
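The size behaviour described in the last step, reproduced as an added example (not code from the original post): a large alternate stream is written into a small text file, the file's reported size is compared with what stream enumeration reports, and the stream is then removed. It needs PowerShell 5.0 or later on an NTFS volume; the directory, file name and payload are constructed for the demo.

```powershell
# Added example, not from the original post: write a large alternate stream
# into a small text file and compare what the file size reports against what
# stream enumeration reports. Needs PowerShell 5.0+ on an NTFS volume; the
# paths and the payload are constructed for this demo.
$dir  = Join-Path $env:TEMP 'ads-size-demo'
$path = Join-Path $dir 'test.txt'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

# The unnamed (primary) stream is what Explorer and dir report as the size.
Set-Content -LiteralPath $path -Value 'visible content' -NoNewline

# Put 100,000 characters into the alternate stream "secret.txt".
Set-Content -LiteralPath $path -Stream 'secret.txt' -Value ('X' * 100000) -NoNewline

# Length counts only the unnamed stream, so the file still reads as 15 bytes.
"Reported Length: {0} bytes" -f (Get-Item -LiteralPath $path).Length

# Enumerating the streams shows the hidden one and its real size
# (':$DATA' is the unnamed stream, 'secret.txt' the alternate one).
Get-Item -LiteralPath $path -Stream * | Format-Table Stream, Length -AutoSize

# The data is fully intact and readable through the stream name.
$hidden = Get-Content -LiteralPath $path -Stream 'secret.txt' -Raw
"secret.txt stream holds {0} characters" -f $hidden.Length

# Clean-up that keeps the file but drops only the alternate stream.
Remove-Item -LiteralPath $path -Stream 'secret.txt'
```

The file's Length property (and the size column in Explorer or dir) only describes the unnamed stream; the alternate stream still occupies disk space and is listed, with its own size, by Get-Item -Stream *. In cmd.exe the equivalent listing is dir /R, which prints each file's streams beneath the file entry while the size column stays unchanged.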



2) The command below embeds anyfile.exe into calc.exe. When you execute calc.exe, anyfile.exe will execute in the background and you will not be able to see the anyfile.exe process in Task Manager.

type c:\anyfile.exe > c:\winnt\system32\calc.exe:anyfile.exe


3) The command below embeds hacker.exe into test.txt.
C:\> type c:\hacker.exe > test.txt:hacker.exe



Syntax

Create:  type textfile > visible.txt:hidden.txt
View:    more < visible.txt:hidden.txt


Freeware programs like lads.exe by Frank Heyne (www.heysoft.de) and crucialADS by CrucialSecurity can be used to manually audit your files for the presence of Alternate Data Streams. Alternatively, the action of moving a file into another file system that doesn’t support ADS will automatically destroy any Alternate Data Streams.
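An added audit script, not from the original post and not one of the tools it names, that turns the advice above into a check you can run yourself: it walks a directory tree, reports every named stream other than Windows' own Zone.Identifier marker, flags streams whose first two bytes are the MZ executable header (the case built in sections 2 and 3), and can strip the streams it finds. The function name, the lab directory and the sample files it creates are assumptions for the demo; it needs PowerShell 5.0 or later on an NTFS volume.

```powershell
# Added example, not from the original post: recursive audit for alternate
# data streams with an executable-header check and optional removal.
# Function name, paths and lab files are assumptions for this demo.

# Windows PowerShell 5.1 reads raw bytes with -Encoding Byte; PowerShell 7
# uses -AsByteStream instead. Decide once and splat it where needed.
$byteArg = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } } else { @{ Encoding = 'Byte' } }

function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Root,
        # Stream names Windows itself creates (Zone.Identifier marks browser
        # downloads); skip them so the report shows only unexpected streams.
        [string[]] $Ignore = @('Zone.Identifier'),
        [switch] $Remove
    )

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * lists all $DATA streams; ':$DATA' is the ordinary file content.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' -and $Ignore -notcontains $_.Stream } |
        ForEach-Object {
            $stream = $_
            # Peek at the first two bytes: 0x4D 0x5A ('MZ') opens every PE executable.
            $head = @(Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                        -TotalCount 2 @byteArg -ErrorAction SilentlyContinue)
            $looksLikePE = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)

            [pscustomobject]@{
                File        = $file.FullName
                Stream      = $stream.Stream
                Bytes       = $stream.Length
                LooksLikePE = $looksLikePE
            }

            if ($Remove) {
                # Drops only this stream; the file and its visible content stay.
                Remove-Item -LiteralPath $file.FullName -Stream $stream.Stream
            }
        }
    }
}

# --- Constructed lab data for the demo (no real executable involved) ---
$lab = Join-Path $env:TEMP 'ads-audit-demo'
New-Item -ItemType Directory -Path $lab -Force | Out-Null

# A text file carrying a hidden text stream, like test.txt:secret.txt in section 1.
Set-Content -LiteralPath "$lab\test.txt" -Value 'visible'
Set-Content -LiteralPath "$lab\test.txt" -Stream 'secret.txt' -Value 'hidden note'

# A file whose stream begins with the MZ header bytes (four bytes, not a program).
Set-Content -LiteralPath "$lab\notes.txt" -Value 'notes'
Set-Content -LiteralPath "$lab\notes.txt" -Stream 'payload.bin' -Value ([byte[]](0x4D, 0x5A, 0x90, 0x00)) @byteArg

# Report: expect secret.txt (LooksLikePE False) and payload.bin (LooksLikePE True).
Find-AlternateDataStream -Root $lab | Format-Table -AutoSize

# Second pass with -Remove strips both streams; a third pass would report nothing.
Find-AlternateDataStream -Root $lab -Remove | Out-Null
```

Run against a download or user-profile directory on a schedule, this gives a cheap detection for the technique in sections 2 and 3. The -Remove switch does per stream what moving the file to a non-NTFS volume does for the whole file. Keep Zone.Identifier in the ignore list unless you intend to remove the download marker that browsers and SmartScreen rely on.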


This program (LADS) lists all alternate data streams of an NTFS directory, including the ADS of encrypted files.
http://www.heysoft.de/en/software/lads.php?lang=EN
 
Other programs that can reveal ADS files:

LNS:
http://ntsecurity.nu/toolbox/lns/

GMER
http://www.gmer.net/index.php

Visual ADS Detector
http://www.codeproject.com/KB/shell/csadsdetectorarticle.aspx
