# Hiding files in NTFS streams



## Elvandil (Aug 1, 2003)

It's pretty easy to hide files in the NTFS file system. Every file has alternate "streams" besides the one that is normally visible to the Windows API. Because of this, other files can be placed in a file's alternate stream. A 30 MB video, for example, can be hidden in a 1 kb text file and no one will even know it's there (without special tools).

I've attached all you need to hide files and access them easily. You can even edit files while they are still hidden. Attached are directions, cat.exe (a UNIX utility), and addspy.zip which will find alternate streams among your files.

Malware sometimes uses ADS (alternate data streams) to hide things, too, but since the streams are lost when the file is transferred through FTP or to a FAT32 drive, it is not a reliable way to deliver malware.


----------



## good grief (Aug 26, 2007)

Out of curiosity, would these hidden files show as used space on your hard drive as the 1kb or the 5mb? I realise it doesn't matter if they're that well hidden, but I'm interested to know.


----------



## Elvandil (Aug 1, 2003)

The file size that is shown is that of the original file (1 kb) but when you look at the drive's properties, the full amount is included. So the total used on the drive will be larger than the sum of the sizes of all the files (seen) on the drive.


----------



## good grief (Aug 26, 2007)

Ok, thanks for that, I figured it had to show up somewhere.


----------



## Elvandil (Aug 1, 2003)

Yes, we just don't seem to ever get something for nothing in this world.


----------



## Mumbodog (Oct 3, 2007)

To find ADS that you did not make:

http://www.spywareinfo.com/~merijn/programs.php#adsspy

http://www.jsware.net/jsware/sviewer.php3


----------



## Elvandil (Aug 1, 2003)

Adsspy is included in the attachment above. And not all ADS are bad--some contain useful metadata.


----------
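
An added example, not from any poster in this thread: the PowerShell below lists alternate streams under a folder using the built-in `-Stream` parameter of `Get-Item` (PowerShell 3.0 or later), showing each file's visible size next to the stream size and marking stream names that are on an allow-list of expected metadata. The function name `Find-AlternateStream`, the `Zone.Identifier` allow-list entry and the `ads-demo` sample folder are assumptions of this example, and it assumes `%TEMP%` is on an NTFS volume.

```powershell
# Added example: enumerate alternate data streams (ADS) under a directory tree.
function Find-AlternateStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Stream names treated as expected metadata (assumption: tune for your environment).
        # Zone.Identifier is the stream Windows attaches to downloaded files.
        [string[]] $KnownBenign = @('Zone.Identifier')
    )

    # -Force includes hidden/system files; -File skips directories.
    Get-ChildItem -LiteralPath $Path -Recurse -Force -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                # ':$DATA' is the normal, visible content of the file; skip it.
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File        = $file.FullName
                        VisibleSize = $file.Length   # size Explorer reports for the file
                        Stream      = $_.Stream
                        StreamSize  = $_.Length      # bytes held in the alternate stream
                        Known       = $KnownBenign -contains $_.Stream
                    }
                }
        }
}

# Constructed sample: a small text file carrying one extra stream, in a temp folder.
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$sample = Join-Path $demo 'note.txt'
Set-Content -LiteralPath $sample -Value 'visible text'
Set-Content -LiteralPath $sample -Stream 'extra' -Value ('x' * 4096)

# Report only streams that are not on the allow-list, largest first.
Find-AlternateStream -Path $demo |
    Where-Object { -not $_.Known } |
    Sort-Object StreamSize -Descending |
    Format-Table -AutoSize

# Clean up the constructed sample.
Remove-Item -LiteralPath $demo -Recurse -Force
```

Comparing `VisibleSize` with `StreamSize` per file shows where the gap between listed file sizes and the drive's used space comes from.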



## maxtor200 (Mar 25, 2008)

Hi, I'm new here, and I just found this thread searching through the forums. It actually describes the reverse of my problem. There are almost 100 gigs of files on an external hard drive - ntfs - that I can't see. I de-fragmented the drive, and when I clicked on "show hidden files" I was able to find 2.6 gigs of files which I promptly removed from the drive.

So it appears that the drive is working. But I would like to get to see the rest of the files and get them off the drive - in case this is all about the drive going south.

My question is - you show how to "hide" files - but how do you un-hide files? And how would they get hidden in the first place - when I have no idea how this might have happened.

Thanks very much!
Milt


----------



## JohnWill (Oct 19, 2002)

Try this: LADS - List Alternate Data Streams


----------



## Elvandil (Aug 1, 2003)

You probably need to start a separate thread on your problem. It is very unlikely that files got hidden in streams unless done so deliberately. As you can see from the procedure involved, it won't happen by accident.

I suspect that either you have a damaged partition, in which case you need to look at partition recovery, or you have files that are inaccessible due to permissions issues. Do you get any "Access Denied" messages? If you do, then you need to take ownership.

How to take ownership of a file or folder in Windows XP

XP Security Tab Home Edition


----------

