Alternate/Multiple Data Streams
Saturday, June 25th, 2005
Ever heard about ADS or Alternate Data Stream? ADS is nothing new.. maybe you already know it, but not me.. I only learned about it several weeks ago.. pity for me (>.<’)
ADS is a feature of NTFS (an NTFS-formatted hard drive is needed to create an ADS) that enables many applications to attach file attributes or properties. Using ADS, we can also easily hide any file inside another file without additional software. For example, if we want to hide a file named secret.txt inside readme.txt (suppose that both files are located on C:\ ), we can simply go to the DOS command prompt and type:
type C:\secret.txt > C:\readme.txt:secret.txt
Then we can delete secret.txt from C:\.
If we want to read secret.txt, just go to the Start menu, Run.. and type:
notepad C:\readme.txt:secret.txt
You can also create ADS for binary files such as jpg, mp3, or exe.
Now the next question is.. how to detect if there is a hidden data stream inside a file/directory? Well, it is almost impossible to detect through ordinary file browsing. If we add an ADS to another file/directory, only the modification time stamp of the file changes, while the file size remains the same as the original. But that does not mean ADS is undetectable. Using tools such as CrucialADS, we can find the hidden data stream.
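PowerShell can list the streams too. The script below is an added example, not part of the original post: the function name Find-AlternateStream, the switch name and the scratch folder are made up for illustration, and it checks files only.

```powershell
# Added example: report alternate data streams on files under a directory.
# Needs PowerShell 3.0 or later. Function name and demo paths are hypothetical.
function Find-AlternateStream {
    param(
        [Parameter(Mandatory)][string]$Path,
        [switch]$SkipZoneIdentifier   # Zone.Identifier is the stream Windows adds to downloads
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every file has one unnamed stream, listed as ':$DATA'. Any other name is an ADS.
            Get-Item -LiteralPath $file.FullName -Stream * -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { -not ($SkipZoneIdentifier -and $_.Stream -eq 'Zone.Identifier') } |
                ForEach-Object {
                    [pscustomobject]@{
                        File          = $file.FullName
                        Stream        = $_.Stream
                        StreamBytes   = $_.Length
                        FileBytes     = $file.Length   # size shown when browsing; excludes the ADS
                        LastWriteTime = $file.LastWriteTime
                    }
                }
        }
}

# Constructed demo: rebuild the readme.txt:secret.txt case in a scratch folder on NTFS.
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
Set-Content -Path (Join-Path $demo 'readme.txt') -Value 'nothing to see here'
Set-Content -Path (Join-Path $demo 'readme.txt') -Stream 'secret.txt' -Value 'hidden text'
Set-Content -Path (Join-Path $demo 'plain.txt') -Value 'no extra streams'

# Only readme.txt is reported, with the stream name and its size next to the visible file size.
Find-AlternateStream -Path $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

On Windows Vista and later, dir /R at the command prompt also shows stream names next to each file.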
Visit these sites for more information:
http://www.windowsecurity.com/articles/Alternate_Data_Streams.html
http://www.ntfs.com/ntfs-multiple.htm
or go to Uncle Google (^^)