Hide sensitive files with Alternate Data Streams

By Scott Dunn

Almost every small business and individual PC user has some sensitive or private files to keep away from prying eyes.

If you’re running a modern version of Windows, you can use a little-known feature called Alternate Data Streams to hide your confidential files inside other files or folders.

What the heck are Alternate Data Streams?

For many years, a feature called Alternate Data Streams (ADS) has been supported by drives formatted as NTFS (Microsoft’s so-called New Technology File System, which is typical of Windows NT, 2000, XP, and later).


Using NTFS, which is an improvement over the older FAT-32 file system, data can be stored in a separate “fork” or “stream” of any file or folder. This makes Windows more compatible with Mac operating system files (which consist of a resource fork and a data fork). The separate stream can also be used to store other things, such as information you can enter on the Summary tab of some files’ Properties dialog boxes.

When data is stored in an NTFS stream, it is essentially invisible to Windows Explorer, text searches, and most of Windows’ other routine file functions. For example, you can store a 5MB .zip file inside the stream of a 1K text file. When you do, Windows Explorer still displays the size of the text file as just 1K!

Because streams are such an effective hiding place, some malware may try to hide in the NTFS stream of an otherwise innocent-looking file. Fortunately for honest Windows users, the “stream” portion of a file is lost during browser and FTP downloads. This means that streams aren’t typically used by malware to distribute itself, but to hide files within streams only after the malware has already infected your system.

Because NTFS streams are hidden from most Windows file functions, it’s a good idea to make sure that your antivirus software is capable of scanning for malware hiding in ADS. Major antivirus products, such as ZoneAlarm and McAfee Antivirus, have this capability.

If you have a legitimate reason to hide files — a parent who doesn’t want children or casual visitors to run across certain information, for example — you can easily copy any file into a stream using simple commands that are built into Windows.

It’s true that you can protect private information by converting it, for example, into a password-protected .zip file. But if this file can be seen by others, and has a name like ProposedMerger.doc, your co-workers could ask you to explain it or decrypt it. Or an intruder could use password-guessing tools to try to open the file, which could expose you to insider-trading charges. If the encrypted file is hidden within a stream, it’s less likely to be seen by casual users in the first place.

Removing or copying your data out of a stream requires special tools. Fortunately, these products are free and, as I explain below, easy to download and use.

How to create a file with a hidden stream

A simple example shows how to hide an application inside a file stream. Everything is done from a command prompt, where a file stream is always referred to using the format filename:streamfile. Armed with this knowledge, here’s how to add a stream to a file:

Step 1. To get a command prompt, press Windows+R (the Windows key plus the letter R) to open a Run dialog box. Type cmd and press Enter.

Step 2. Enter a command using the following format:

type file1 > file2:file1

where type is the old DOS command, file1 is the file to be hidden in the stream, and file2 is the file that will contain the stream. The redirection symbol (>) writes the contents of one file into another location. You may need to include the full path of the files involved when you enter the actual file names. Press Enter to create the resulting file.

Step 3. Type exit and press Enter to close the command window.

Example: To copy the Windows Calculator program into a text file named eula.txt in a folder named c:\doc, use the following command:

type c:\Windows\System32\calc.exe > c:\doc\eula.txt:calc.exe

If you use Windows Explorer to look at the eula.txt file (or the doc folder where the file lives), you won’t see any difference in its size. The only difference is that its date attribute will change to reflect the date when you executed the command. You can, of course, modify the date of a file using any of a variety of downloadable utilities.

You can launch the embedded program (and confirm that a working copy of the Calculator app has, in fact, been embedded into the stream of eula.txt) using Windows’ start command:

start c:\doc\eula.txt:calc.exe

The start command is quirky in this case. You must include the entire path to the file2:file1 combination, even if you’re in the same folder when you run the command.

Unfortunately, Windows Vista apparently doesn’t support this use of the start command to launch apps hidden in streams. You’ll need to use one of the techniques described below, all of which work in all NTFS-compatible versions of Windows.

It’s not necessary for you to name the streamed copy the same as the original file. For example, in the case above, the stream version of Calculator could have been named eula.txt:xyz.exe and the app would work just as well.

Files aren’t the only resources that have streams. You can embed a file inside a folder. The following example embeds a picture file in a folder stream. In this case, the syntax is foldername:file1.

In the following command, note that the quotation marks around the paths that contain spaces are required:

type "c:\My Pictures\blue hills.jpg" > "c:\doc:blue hills.jpg"

To confirm that the picture is there, I can launch it using Windows’ MS-Paint accessory:

mspaint "c:\doc:blue hills.jpg"

As another example, if you embed a text file into a stream, you can open it with Notepad. If you stored a plain-text list of passwords in a stream, you could open it using a command like this:

notepad "c:\doc:passwords.txt"

Unfortunately, not every application can read streams the way Paint and Notepad can. For instance, it’s easy to store a .zip file in a stream, but I haven’t found any application that can open it directly from the NTFS stream.

You can use this fact to improve the effectiveness of your hidden files. If your information is sensitive, put it into a .zip file and password-protect the file before copying it to a stream. Delete the original file, using a “wipe” program to destroy all traces of the original. (I discussed “shredder” utilities in my Oct. 18 story.)

Finally, use one of the tools described below to extract the hidden file the next time you wish to unzip it.

The hidden nature of the stream makes it hard to find and, if you use a long, strong password, your data will be safe even from a skilled attacker.

How to manage files hidden in data streams

You can easily copy, update, and delete files that you’ve stored in data streams. The trick is that, in some cases, you may need special software to do the job.

Retrieving a file from a stream

If you need to retrieve data from a stream, and you don’t have an application that can read the embedded file type (such as .zip), the free command-line tool called Cat is very useful. You can download it from the DarkSquall Web site.

Cat is only 92KB and requires no installation or decompressing. Just put it in a folder of your choice and run it from a command prompt. To copy data out of a stream, for example, use the following syntax:

cat filename:streamfile > streamfile

Naturally, you may need to supply the paths for each file.

Example: To extract a file named diary.zip that has been embedded in the status.doc file, your command line might look like this:

cat "c:\doc\status.doc:diary.zip" > "c:\my stuff\diary.zip"

Note that this only copies the file. It doesn’t remove the stream. The original diary.zip file is still embedded in status.doc.

Updating a file in a stream

To update a file, first make your changes in a normal copy of the file. Second, use the type command, as explained above, to insert the updated copy into your hiding place.

The updated file will overwrite any existing one that has the same name in the stream, and you’ll see no warning of that fact.

Locating and deleting files in streams

If you have Windows Vista, the dir command has a new switch (/r) that shows which files in a folder have stream data. At a command prompt, just type dir /r and press Enter.

However, it’s much faster to use a utility like ADS Spy from the SpywareInfo Web site. This utility works in Vista and also in XP.

Like Cat, ADS Spy requires no installation; just copy its executable file from the downloadable .zip file and put it in any folder.

ADS Spy has an option to ignore common, legitimate uses of streams, such as the “Zone Identifier” found in files downloaded using Internet Explorer. This means you can look only for files whose data streams contain suspicious or unexpected content.

ADS Spy can also delete the streams of any files you select in its search results.
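The whole cycle described in the two sections above (embedding a file with type, then locating, extracting and deleting the stream with Cat and ADS Spy) can be done with cmdlets built into PowerShell 3.0 and later, which also lets you audit a folder for unexpected streams without third-party tools. This is an added example, not code from the article; the ads-demo folder, the eula.txt carrier and the diary.zip bytes are constructed for the demo, and it must run on an NTFS volume.

```powershell
# Added example, not from the article: find, extract and delete NTFS
# alternate data streams with built-in PowerShell cmdlets (PowerShell 3.0+).
# Folder and file names are constructed for the demo; run on an NTFS volume.

$folder = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $folder -Force | Out-Null
$carrier = Join-Path $folder 'eula.txt'
Set-Content -Path $carrier -Value 'End user licence text'      # the visible host file

# -AsByteStream (PowerShell 6+) replaced -Encoding Byte (Windows PowerShell 5.1)
$byteParam = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
             else { @{ Encoding = 'Byte' } }

# 1. Embed: same effect as   type diary.zip > eula.txt:diary.zip
$original = [byte[]](0x50, 0x4B, 0x03, 0x04, 0x0A, 0x00, 0x00, 0x00)  # constructed zip header bytes
Set-Content -Path $carrier -Stream 'diary.zip' -Value $original @byteParam

# 2. Locate: list every file whose streams go beyond the default :$DATA,
#    ignoring the Zone.Identifier mark that browsers add to downloads
function Find-AlternateStreams([string]$Path) {
    Get-ChildItem -Path $Path -File -Recurse |
        Get-Item -Stream * |
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
        Select-Object FileName, Stream, Length
}
Find-AlternateStreams $folder | Format-Table -AutoSize

# 3. Extract: the job the article gives to Cat, done with Get-Content -Stream
$extracted = [byte[]](Get-Content -Path $carrier -Stream 'diary.zip' -ReadCount 0 @byteParam)
$outFile = Join-Path $folder 'diary-recovered.zip'
[IO.File]::WriteAllBytes($outFile, $extracted)
if (-not (Compare-Object $original $extracted)) { 'stream content round-trips intact' }

# 4. Delete the stream only; the carrier file and its own content are untouched
Remove-Item -Path $carrier -Stream 'diary.zip'
if (-not (Find-AlternateStreams $folder)) { 'no alternate streams left' }
```

Point Find-AlternateStreams at a folder you did not seed yourself to get the same kind of listing ADS Spy produces, with the Zone.Identifier noise already filtered out.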

Beware of accidentally deleting streams

Using the type command with a redirection symbol, without specifying any stream, deletes any data that may have been in the stream. For example, the following command creates a copy without any streams:

type original.doc > backupcopy.doc

If you then use a “wipe” utility on the original copy of the file, any data that may have been in the stream will be permanently destroyed.

Many common ways of handling a file that includes a stream will also delete the stream from the resulting copy. For instance, no stream data will survive when you copy a file to a FAT-32 drive (which includes most flash drives) or you e-mail a file as an attachment.

Other tips for hiding files with ADS

Here are some other things to keep in mind when using the ADS feature to hide sensitive materials:

• When hiding data inside a file or folder, be sure the file or folder you’re hiding things in is not likely to be deleted by anyone using your computer.

• You can add more than one file to a single file’s stream. Just use the type command for each item you add.

• Remember that the type command copies (rather than moves) data into a stream. If you’re hiding a file in a stream, remember to wipe the original once the copy is in its hiding place.

• Don’t use this hiding technique on the only copy of any file you can’t afford to lose. It’s best to use this trick to protect copies of files that might easily be lost or stolen, such as on laptops. Test the procedure and make sure you’re comfortable with it before you take any risks with important files.

• If a file or folder contains a stream with material you’re hiding, don’t e-mail it or move it to a non-NTFS disk. Doing so will destroy the stream. Many backup programs will fail to preserve the stream in the backup copies, as well.

• As an added precaution, keep the ADS tools mentioned here (Cat and ADS Spy) on a separate disk or flash drive so anyone snooping on your machine doesn’t use them against you. These applications are small and will easily fit on removable media.

Privacy is a big concern for many users. Snoopers can’t pry if they never see your private files and can’t decrypt the information if they do. ADS provides one more technique for preserving data for your eyes only.

Reader Rand New will receive a gift certificate for a book, CD, or DVD of his choice for suggesting this topic. Have a tip about Windows? Send us your comments via the Windows Secrets contact page.

Scott Dunn is associate editor of the Windows Secrets Newsletter. He has been a contributing editor of PC World since 1992 and currently writes for the magazine’s Here’s How section.

All Windows Secrets articles posted on 2007-12-06: