Alternate Data Streams (ADS)

The NTFS file system allows data to be saved in alternate data streams or ADS. With such data streams, data can be hidden in a file so that it is not visible to Windows Explorer. However, there are programs that can display and delete such data streams.

Normally, data is written to the unnamed data stream of a file. To address it, you only need the name of the file, such as "readme.txt". This file can then be opened and displayed with any text editor. To access a specific named data stream of a file without special programs, the name of that stream must be known. The name of the data stream is separated from the file name by a colon. For example, if the file name is "readme.txt" and the data is to be written to the stream with the name "secret", the full name is "readme.txt:secret".

Creating an alternate data stream is very simple. In the console, an output redirection is sufficient to create your own invisible data stream. If you want to attach a stream with the name "secret" to the "readme.txt" file, it is sufficient to redirect the output of the ECHO command.

echo This is a secret message > readme.txt:secret

Here, the text "This is a secret message" was output with the ECHO command. The greater-than sign means that this text is not printed on the screen, but is written to the "readme.txt" file as a data stream with the name "secret".

However, only short texts can be written to a data stream in this way. This can be remedied by using the TYPE command to output entire files.

type secret.txt > readme.txt:secret

This command outputs the content of the "secret.txt" file to the "secret" stream of the "readme.txt" file. But be careful: the TYPE command itself cannot work with data streams. TYPE only outputs the content of the text file; the command processor ("cmd.exe") writes this data to the stream. To output the information stored in a data stream, the MORE command must be used, which, unlike TYPE, can handle streams. To output the stream again, use the command

more < readme.txt:secret

As the stream "secret" contains the content of another file, a redirection could ensure that the secret data is written to a new file. This is done, for example, with the command

more < readme.txt:secret > secret.txt

The MORE command does not work with binary files. Therefore, a different program must be used to extract such a data stream, for example the program "CAT" from the program package "UnxUtils".

This means that the commands for writing binary data streams are as follows:

type secret.zip > readme.txt:secret

or

cat secret.zip > readme.txt:secret

And for reading:

cat readme.txt:secret > secret.zip
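
The introduction notes that programs exist to display and delete such data streams. As an added example (not part of the original page), the following PowerShell script lists every named stream below a directory, reads one back, and removes it. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the function name Get-NamedStream and the ads-demo folder with its sample file are constructed for illustration.

```powershell
# Added example: audit a directory tree for named NTFS data streams.
# Get-NamedStream is a hypothetical helper name; the demo data is constructed.

function Get-NamedStream {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier is the stream Windows attaches to downloaded files;
        # it is ignored by default so that unexpected streams stand out.
        [string[]] $IgnoreStream = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                # ':$DATA' is the unnamed default stream that every file has.
                Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStream -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Length = $_.Length
                    }
                }
        }
}

# Constructed sample: readme.txt with a named stream "secret".
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$readme = Join-Path $demo 'readme.txt'
Set-Content -LiteralPath $readme -Value 'Visible content'
Set-Content -LiteralPath $readme -Stream 'secret' -Value 'This is a secret message'

# Explorer shows only readme.txt; the audit also reports the "secret" stream.
Get-NamedStream -Path $demo | Format-Table -AutoSize

# Display the content of the stream for review.
Get-Content -LiteralPath $readme -Stream 'secret'

# Delete the named stream; the unnamed stream (the visible file) is untouched.
Remove-Item -LiteralPath $readme -Stream 'secret'
Get-NamedStream -Path $demo   # returns nothing once the stream is gone
```

In the console itself, dir /r gives a comparable listing of the streams in the current directory.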
