Use Alternate Data Streams to Hide Important Files (Windows, NTFS)

The NTFS file system has a feature called Alternate Data Streams that lets you easily hide your files from nosy people using your computer. Basically, it hides files behind other files, using them as a "container"; the hidden files can only be reached if you enter a specific syntax on the command line. I will show you in a few examples.
I have the text document mysecrets.txt which I want to hide inside the legal.txt document. They are both placed directly on my C:\ drive to simplify things. To achieve that, I open a command line and type in:

type C:\mysecrets.txt >C:\legal.txt:mysecrets.txt

With the type command, you can stuff any file into an alternate data stream. First give the file to hide, then a greater-than sign, then the path where you want to hide it: the file you want to stuff things into, a colon, and the hidden file's name (this can basically be anything; you then call the hidden file by this name). The colon is the trademark of an alternate data stream: whatever is separated from a file's name by a colon becomes an alternate data stream of that file.

Text files are not the only files you can hide away with alternate data streams; basically you can do it with any file, even executables. However, you cannot open every file from an alternate data stream. Starting executables, for example, has been disabled for security's sake because, as you might have noticed, alternate data streams can be used to build pretty evil malware. To open a hidden file, you just pick the program to do so and open it the usual way through the command line, for example like this:

notepad C:\legal.txt:mysecrets.txt

You can also do this for videos, music, whatever; just pick the appropriate application. For executables, this is no longer possible, although there are some slightly more complicated workarounds. You can either have a symlink of the hidden file made, which is then executable and deletable afterwards, or write commands into the hidden file which can be executed by the shell, creating another executable or whatever you want to do with it.
Be aware, however, that alternate data streams will be lost after moving their containers to another server! It is not possible to mail multi-streamed files, even if the receiving file system is NTFS formatted.
To uncover alternate data streams on Windows Vista or later, direct your command line tool to the folder you want to check and enter:

dir /r C:\path\to\your\folder

You cannot hide whole folders in alternate data streams, unless they are compressed.
The easiest way to delete alternate data streams is to copy the whole file onto another file system via Explorer, FTP or mail. However, there is also software to detect and deal with them.
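
As an added example (not part of the original post), the PowerShell function below does the same sweep as dir /r but returns objects you can filter, and separates the Zone.Identifier stream that Windows writes on downloaded files from anything else. The function name Find-AlternateDataStream and its parameters are assumptions made for this example; the cmdlets and their -Stream parameter are built in (PowerShell 3.0 or later on Windows).

```powershell
# Added example: inventory alternate data streams on the files in a folder.
# Find-AlternateDataStream, -KnownBenign and -Recurse are illustrative names.
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Streams expected on a normal system. Zone.Identifier is the
        # "downloaded from the Internet" marker that Windows itself writes.
        [string[]] $KnownBenign = @('Zone.Identifier'),
        [switch] $Recurse
    )

    Get-ChildItem -LiteralPath $Path -File -Force -Recurse:$Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * lists every stream of the file; ':$DATA' is the
            # unnamed default stream, i.e. the file's normal content.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File       = $_.FileName
                        Stream     = $_.Stream
                        Length     = $_.Length
                        Unexpected = $KnownBenign -notcontains $_.Stream
                    }
                }
        }
}

# Check the folder used in the article (C:\legal.txt:mysecrets.txt) and show
# only streams that are not on the benign list.
Find-AlternateDataStream -Path 'C:\' |
    Where-Object { $_.Unexpected } |
    Format-Table -AutoSize

# Read a reported stream, then remove it while keeping the container file:
#   Get-Content -LiteralPath 'C:\legal.txt' -Stream 'mysecrets.txt'
#   Remove-Item -LiteralPath 'C:\legal.txt' -Stream 'mysecrets.txt'
```

Files that cannot be read with the current account are skipped silently, so run the sweep from an elevated prompt when checking system folders.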
