Recover Hidden NTFS Files
ntexpert



Joined: 14 Aug 2006
Posts: 5

Posted: Mon Aug 14, 2006 6:40 pm    Subject: Recover Hidden NTFS Files

Did you know that you can use Alternate Data Streams for NTFS Recovery and to hide NTFS Files? This data recovery/hiding works with Windows NT and XP, is easy to do, yet most seasoned network technicians are unaware of this ability.

What is an Alternate Data Stream and how does it impact NTFS Recovery? Simply put, it's the ability to hide data behind a file, such as text, graphics or executable code. This could include games, trojans, graphics and more and is used by hackers around the world. NTFS Recovery can uncover these hidden files.

For example: You could have a small text file (hello.txt of say 1k in size) - however, attached to it is an executable program that is 5 megs in size. When you do a directory listing (look for files on your pc), the system will show you a small 1k text file without revealing the 5 meg file.

Malicious users take advantage of this by storing a virus or trojan on your system. Employees can abuse this by hiding graphics or data behind innocent text files, or the popular 0.log file.

NTFS Recovery and Data Streams Key Issues

Streams are only visible to specialized software.
Public awareness of NTFS Recovery using streams is very low.
Streams can hide themselves behind directories as well as files to avoid standard NTFS Recovery.
Disk space used by Streams is not reported by programs such as Windows Explorer or commands such as 'DIR'.
Streams can be executed!
Executed streams do not have their filenames displayed correctly in Windows Task Manager.

NTFS Recovery - Test it by creating an ADS (text example)
The syntax used to create the Stream is relatively simple and straightforward. To create an ADS associated with the file "hello.txt", simply separate the default stream name from the ADS name with a colon. [This example is from the command prompt of your C drive].
c:\>echo This is a test > hello.txt:hidden

NTFS Recovery of the ADS can then be verified using Notepad.
c:\>notepad hello.txt:hidden


Using the DIR command or programs such as Windows Explorer will prove that the NTFS file is hidden and will not be able to detect the presence of this newly created Alternate Data Stream.

NTFS Recovery - Test it by creating an ADS (executable example)
c:\>type c:\winnt\notepad.exe > hello.txt:np.exe

c:\>type c:\winnt\system32\sol.exe > hello.txt:sol2.exe


Similarly, image files, audio files, or any other stream of data can be hidden in ADSs.
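
From the defender's side, streams like the ones created in the post above can be enumerated with PowerShell. This is an added example, not part of the original post; the function name Find-AlternateStream and the ads-demo folder are hypothetical, and it assumes Windows, an NTFS volume and PowerShell 3.0 or later.

```powershell
# Added example: list alternate data streams (ADS) attached to files under a directory.
# Assumptions: Windows, NTFS volume, PowerShell 3.0 or later.

function Find-AlternateStream {
    param(
        [Parameter(Mandatory)] [string] $Path
    )
    # -File limits the scan to files; streams attached to directories are not covered here.
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # Every file has one unnamed default stream, reported as ':$DATA'.
            # Any other stream name is an ADS. Downloaded files commonly carry
            # a benign 'Zone.Identifier' stream, so expect those in real output.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File        = $file.FullName
                        VisibleSize = $file.Length   # size of the default stream only
                        Stream      = $_.Stream
                        StreamSize  = $_.Length      # bytes held in the alternate stream
                    }
                }
        }
}

# Constructed sample: reproduce the hello.txt:hidden case in a scratch folder.
$demo   = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$target = Join-Path $demo 'hello.txt'
Set-Content -LiteralPath $target -Value 'visible text'
Set-Content -LiteralPath $target -Stream 'hidden' -Value 'This is a test'

# Report each ADS next to the size of the file's default stream.
$found = Find-AlternateStream -Path $demo
$found | Format-Table -AutoSize
'{0} hidden bytes in {1} stream(s)' -f ($found | Measure-Object StreamSize -Sum).Sum, @($found).Count

# Read the stream content back for review.
Get-Content -LiteralPath $target -Stream 'hidden'

# Clean up the scratch folder.
Remove-Item -LiteralPath $demo -Recurse -Force
```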