Hiding Files | System Hacking



A hacker may want to hide files on a system to prevent their detection. These files may then be used to launch an attack on the system. There are two ways to hide files in Windows. The first is to use the attrib command. To hide a file with the attrib command, type the following at the command prompt:
attrib +h [file/directory]
The second way to hide a file in Windows is with NTFS alternate data streaming. NTFS file systems used by Windows NT, 2000, and XP have a feature called alternate data streams that allow data to be stored in hidden files linked to a normal, visible file. Streams aren't limited in size; more than one stream can be linked to a normal file.

NTFS File Streaming

NTFS file streaming allows a hidden file to be created within a legitimate file. The hidden file does not appear in a directory listing but the legitimate file does. A user would usually not suspect the legitimate file, but the hidden file can be used to store or transmit information. In Exercise, you'll learn how to hide files using NTFS file streaming.
Exercise : Hiding Files Using NTFS File Streaming

Note 
This exercise will only work on systems using the NTFS file system.

To create and test an NTFS file stream:
  1. At the command line, enter notepad test.txt.
  2. Put some data in the file, save the file, and close Notepad. Step 1 will open Notepad.
  3. At the command line, enter dir test.txt and note the file size.
  4. At the command line, enter notepad test.txt:hidden.txt. Type some text into Notepad, save the file, and close it.
  5. Check the file size again (it should be the same as in step 3).
  6. Open test.txt. You see only the original data.
  7. Enter type test.txt:hidden.txt at the command line. A syntax error message is displayed.

NTFS Stream Countermeasures

To delete a stream file, copy the first file to a FAT partition, and then copy it back to an NTFS partition.
Streams are lost when the file is moved to a FAT partition because they're a feature of NTFS and therefore exist only on an NTFS partition.

No comments:

Post a Comment

Popular Posts