How to create a file with a hidden stream
A simple example shows us how to hide an application inside a file stream. You can create a hidden application using a command prompt, in which file streams are always referred to using the format filename:streamfile. Armed with this knowledge, here’s how to add a stream to a file:
Step 1. To get a command prompt, press Windows+R (the Windows key plus the letter R) to open a Run dialog box. Type cmd and press Enter.
Step 2. Enter a command using the following format:
type file1 > file2:file1
where type is the old DOS command, file1 is the file to be hidden in the stream, and file2 is the file that will contain the stream. The redirection symbol (>) writes the contents of one file into another location. You may need to include the full path of the files involved when you enter the actual file names. Press Enter to create the resulting file.
Step 3. Type exit and press Enter to close the command window.
Example: To copy the Windows Calculator program into a text file named eula.txt in a folder named c:\doc, use the following command:
type c:\Windows\System32\calc.exe > c:\doc\eula.txt:calc.exe
If you use Windows Explorer to look at the eula.txt file (or the doc folder where the file lives), you won’t see any difference in its size: Explorer and dir report only the unnamed (default) data stream, not the named streams attached to it. The only visible difference is that the file’s modified date will change to reflect when you executed the command. You can, of course, reset the date of a file with any of a variety of downloadable utilities.
You can launch the embedded program (and confirm that a working copy of the Calculator app has, in fact, been embedded into the stream of eula.txt) using Windows’ start command:
start c:\doc\eula.txt:calc.exe
The start command is quirky in this case. You must include the entire path to the file2:file1 combination, even if you’re in the same folder when you run the command.
Unfortunately, Windows Vista and later versions no longer let the start command launch an executable directly from a stream this way. You’ll need to use one of the techniques described below to copy the hidden file back out; those all work in every NTFS-capable version of Windows.
It’s not necessary for you to name the streamed copy the same as the original file. For example, in the case above, the stream version of Calculator could have been named eula.txt:xyz.exe and the app would work just as well.
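The same hide-and-verify procedure carried out in PowerShell, as an added example that is not part of the original article. It uses the FileSystem provider’s -Stream parameter (Windows PowerShell 3.0 and later, or PowerShell 7) in place of cmd’s type redirect, and checks the two things the article describes: the carrier’s reported size does not change, and the bytes in the stream are identical to the payload. The carrier path C:\doc\eula.txt and the stream name are assumptions; calc.exe is used only because the article uses it.

```powershell
# Added example, not from the original article.  Hide a file in an NTFS
# alternate data stream and verify the round trip, using the FileSystem
# provider's -Stream parameter instead of cmd's "type file1 > file2:file1".
# Assumed paths: C:\doc\eula.txt as the carrier, calc.exe as the payload.
# Runs on Windows PowerShell 5.1 and PowerShell 7 against an NTFS volume.

$Carrier = 'C:\doc\eula.txt'
$Payload = "$env:SystemRoot\System32\calc.exe"
$Stream  = 'calc.exe'   # any name works; eula.txt:xyz.exe would do just as well

# 5.1 and 7 spell the raw-bytes switch differently; choose once, splat everywhere.
$ByteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
            else                                        { @{ Encoding = 'Byte' } }

# Make sure the carrier exists, then note its size as Explorer would show it.
if (-not (Test-Path -LiteralPath $Carrier)) {
    New-Item -ItemType Directory -Path (Split-Path $Carrier) -Force | Out-Null
    Set-Content -LiteralPath $Carrier -Value 'End-user licence agreement text.'
}
$SizeBefore = (Get-Item -LiteralPath $Carrier).Length

# Copy the payload bytes into the named stream (the "type ... > file:stream" step).
[byte[]]$Bytes = Get-Content -LiteralPath $Payload -ReadCount 0 @ByteArgs
Set-Content -LiteralPath $Carrier -Stream $Stream -Value $Bytes @ByteArgs

# Length (and Explorer) report only the unnamed ::$DATA stream, so nothing visible changed...
$SizeAfter = (Get-Item -LiteralPath $Carrier).Length
"Carrier size before/after hiding: $SizeBefore / $SizeAfter bytes"

# ...but enumerating the streams shows the extra one with its real length.
Get-Item -LiteralPath $Carrier -Stream * | Select-Object Stream, Length

# Read the stream back and confirm it is byte-for-byte the payload.
[byte[]]$Back = Get-Content -LiteralPath $Carrier -Stream $Stream -ReadCount 0 @ByteArgs
$Match = [Convert]::ToBase64String($Bytes) -eq [Convert]::ToBase64String($Back)
"Hidden copy matches the original: $Match"
```

The size line prints the same number twice, while the stream listing shows both :$DATA and calc.exe with their own lengths. That listing is the whole point for a defender: the stream is invisible to Explorer only because Explorer does not ask for it.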
Files aren’t the only resources that have streams. You can embed a file inside a folder. The following example embeds a picture file in a folder stream. In this case, the syntax is foldername:file1.
In the following command, note that the quotation marks around the paths that contain spaces are required:
type "c:\My Pictures\blue hills.jpg" > "c:\doc:blue hills.jpg"
To confirm that the picture is there, I can launch it using Windows’ MS-Paint accessory:
mspaint "c:\doc:blue hills.jpg"
As another example, if you embed a text file into a stream, you can open it with Notepad. If you stored a plain-text list of passwords in a stream, you could open it using a command like this:
notepad "c:\doc:passwords.txt"
Unfortunately, not every application can read streams the way Paint and Notepad can. For instance, it’s easy to store a .zip file in a stream, but I haven’t found an archiver that can open it directly from the NTFS stream.
You can use this fact to keep the hidden contents out of casual reach. If your information is sensitive, put it into a .zip file and encrypt the archive with a password before copying it to a stream. Choose an archiver that offers AES encryption rather than the legacy ZipCrypto scheme, which is weak and can be broken without the password. Delete the original file, using a “wipe” program to destroy all traces of the original.
Finally, use one of the tools described below to extract the hidden file the next time you wish to unzip it.
Be clear about what protects what here. The stream hides the archive only from people who don’t look for streams; dir /r, the Sysinternals Streams utility and any forensic suite list named streams routinely, so a skilled attacker will find it. What keeps the contents private is the encryption alone, and that holds only if the archive uses a strong cipher and a long, strong password.
How to manage files hidden in data streams
You can easily copy, update, and delete files that you’ve stored in data streams. The trick is that, in some cases, you may need special software to do the job.
Retrieving a file from a stream
If you need to retrieve data from a stream, and you don’t have an application that can read the embedded file type (such as .zip), the free command-line tool called Cat is very useful. You can download it from the DarkSquall Web site. (Two built-in alternatives also work: cmd’s more command reads a stream when it is redirected in, as in more < file:stream > out, and PowerShell 3.0 and later has Get-Content with a -Stream parameter.)
Cat is only 92KB and requires no installation or decompressing. Just put it in a folder of your choice and run it from a command prompt. To copy data out of a stream, for example, use the following syntax:
cat filename:streamfile > streamfile
Naturally, you may need to supply the paths for each file.
Example: To extract a file named diary.zip that has been embedded in the status.doc file, your command line might look like this:
cat "c:\doc\status.doc:diary.zip" > "c:\my stuff\diary.zip"
Note that this only copies the file. It doesn’t remove the stream. The original diary.zip file is still embedded in status.doc.
Updating a file in a stream
To update a file, first make your changes in a normal copy of the file. Second, use the type command, as explained above, to insert the updated copy into your hiding place.
The updated file will overwrite any existing one that has the same name in the stream, and you’ll see no warning of that fact.
Locating and deleting files in streams
If you have Windows Vista or later, the dir command has a switch (/r) that shows which files in a folder have stream data, along with each stream’s name and size. At a command prompt, just type dir /r and press Enter.
However, for a whole drive it’s much faster to use a utility like ADS Spy from the SpywareInfo Web site. This utility works in Vista and also in XP.
Like Cat, ADS Spy requires no installation; just copy its executable file from the downloadable .zip file and put it in any folder.
ADS Spy has an option to ignore common, legitimate uses of streams, such as the Zone.Identifier stream (the “mark of the web”) that Internet Explorer and other browsers and mail clients attach to downloaded files. This means you can look only for files whose data streams contain suspicious or unexpected content.
ADS Spy can also delete the streams of any files you select in its search results.
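The retrieval, locating and deletion steps above, done with built-in PowerShell cmdlets instead of Cat and ADS Spy, as an added example that is not part of the original article. Find-AdsStreams walks a tree and reports every named stream, skipping the benign Zone.Identifier unless asked; Export-AdsStream copies a stream out to an ordinary file (like the cat redirect, it leaves the stream in place); Remove-Item -Stream deletes it. The function names and the paths under C:\doc are assumptions.

```powershell
# Added example, not from the original article.  Hunt for alternate data
# streams under a directory, extract one to a normal file, and remove it,
# using only the FileSystem provider (Windows PowerShell 3.0+ / PowerShell 7).
# Paths below are assumed; function names are this example's own.

function Find-AdsStreams {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [switch] $IncludeZoneIdentifier   # mark-of-the-web is noise unless you want it too
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Get-Item -Stream * lists every stream; ':$DATA' is the ordinary file content.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
        Select-Object @{ n = 'File'; e = { $_.FileName } }, Stream, Length
}

function Export-AdsStream {
    param(
        [Parameter(Mandatory)] [string] $File,
        [Parameter(Mandatory)] [string] $Stream,
        [Parameter(Mandatory)] [string] $Destination
    )
    # Raw-bytes switch differs between Windows PowerShell 5.1 and PowerShell 7.
    $ByteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
                else                                        { @{ Encoding = 'Byte' } }
    [byte[]]$bytes = Get-Content -LiteralPath $File -Stream $Stream -ReadCount 0 @ByteArgs
    Set-Content -LiteralPath $Destination -Value $bytes @ByteArgs
    # This copies the data; the stream itself remains attached to $File.
}

# --- usage -------------------------------------------------------------------
# List suspicious streams under C:\doc (Zone.Identifier filtered out).
Find-AdsStreams -Root 'C:\doc' | Format-Table -AutoSize

# Pull diary.zip out of status.doc into a file any archiver can open.
Export-AdsStream -File 'C:\doc\status.doc' -Stream 'diary.zip' -Destination 'C:\my stuff\diary.zip'

# Delete the stream from the host file (what ADS Spy does for selected results).
Remove-Item -LiteralPath 'C:\doc\status.doc' -Stream 'diary.zip'

# Cross-check with the built-in listing described in the article (Vista and later).
cmd /c 'dir /r C:\doc'
```

Run Find-AdsStreams with -IncludeZoneIdentifier when you are triaging downloads rather than hunting for hidden payloads; the Zone.Identifier stream records where a file came from, which is evidence in its own right.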
Beware of accidentally deleting streams
Using the type command with a redirection symbol, without specifying any stream, copies only the file’s default content, so the copy has no named streams at all. For example, the following command creates a copy without any streams:
type original.doc > backupcopy.doc
By contrast, the copy command (and a drag-and-drop copy in Explorer) preserves named streams as long as both source and destination are NTFS volumes. If you make a type-style copy and then use a “wipe” utility on the original, any data that was in the stream will be permanently destroyed.
Many common ways of handling a file that includes a stream will also delete the stream from the resulting copy. For instance, no stream data will survive when you copy a file to a FAT-32 drive (which includes most flash drives) or you e-mail a file as an attachment.
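A quick check of which copy methods keep a named stream and which drop it, as an added example that is not part of the original article. It plants a small text stream on an assumed file C:\doc\original.doc, copies the file three ways, and reports whether the stream survived each copy; the Test-StreamSurvived helper is this example’s own.

```powershell
# Added example, not from the original article: which common copy methods keep
# a named stream and which silently drop it.  Assumed working folder C:\doc
# (chosen without spaces so the cmd copy line needs no quoting).

$Dir    = 'C:\doc'
$Source = Join-Path $Dir 'original.doc'
New-Item -ItemType Directory -Path $Dir -Force | Out-Null
Set-Content -LiteralPath $Source -Value 'visible document body'
Set-Content -LiteralPath $Source -Stream 'secret.txt' -Value 'hidden text'

function Test-StreamSurvived {
    param([string] $Path)
    # True if the copy still carries any stream other than the ordinary ::$DATA.
    [bool] (Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' })
}

# 1. Copy-Item: an NTFS-to-NTFS CopyFile carries every stream across.
Copy-Item -LiteralPath $Source -Destination (Join-Path $Dir 'copy-item.doc') -Force

# 2. cmd's copy: the same Win32 copy, the same result.
cmd /c "copy /y $Source $Dir\cmd-copy.doc >nul"

# 3. Reading the content and writing it out again: only the unnamed stream is
#    read, exactly like the article's "type original.doc > backupcopy.doc".
Get-Content -LiteralPath $Source | Set-Content -LiteralPath (Join-Path $Dir 'type-copy.doc')

foreach ($name in 'copy-item.doc', 'cmd-copy.doc', 'type-copy.doc') {
    '{0,-14} stream survived: {1}' -f $name, (Test-StreamSurvived (Join-Path $Dir $name))
}
```

The first two copies report True and the type-style copy reports False. Pointing the destination at a FAT32 or exFAT volume makes the first two report False as well, since those file systems have nowhere to store the stream.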
Nowadays many forensic tools, such as FTK and EnCase, enumerate alternate data streams as a matter of course, as does the free Sysinternals Streams utility.