digip Posted December 31, 2007 Share Posted December 31, 2007 Based on the "Hak.5 Forums | Talk: | Questions | Make a invisible folder" thread, I was wondering about NTFS Alternate Data Streams. If you didn't know, there is a way to hide files using notepad in an alternate data stream, but what I really wanted to know is how to detect them. Open notepad and put some text in it. Say, "Test 1 2 3". Save it somewhere, like "c:test.txt" Now from a Start/Run prompt, type "notepad c:test.txt:hidden.txt" It will ask you to create a new file because it does not exist. Type soemthing in like "Hello world" and just click save. Notice anything? It doesn't ask you where to save the file. And it also doesn't show up anywhere in the folder you saved it to. Move the test.txt file to the desktop. Now, moving the file also moves the hidden file. To see what your hidden file was, go back to the start/run prompt and type in the name of the file with the full path. EX: "c:documents and settingsownerdesktoptest.txt:hidden.txt" and it should open the file. Delete test.txt and the hidden file is deleted as well. The file size of test.txt never changes(so long as you do not edit the test.txt file itself, its file size stays the same and does nto reflect whatever is in hidden.txt) so no matter how large hidden.txt is test.txt stays the same size. Note, moving the test.txt to a file system other than NTFS removed the file and when copied back to an NTFS system, the file will be gone. So you can't put it on a webpage or system that isn't windows NTFS based. How do you detect these files with alternate data streams and will a virus scanner be able to detect them if say a virus attached itself to a text file in this manner? (Of course, it would probably need some secondary file to execute from the txt file thus probably exposing its whereabouts in the process). Quote Link to comment Share on other sites More sharing options...
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.