This is a basic feature provided by the NTFS file system. NTFS also lets you encrypt a file with your own “encryption” method, but I’ll come back to that later. For now, let’s just focus on “hiding a file”.
NTFS supports multiple data streams. You have probably seen the .mkv movie format; its most astonishing feature is that it can contain several kinds of data in one file: multiple audio tracks, multiple subtitle files, and yes, the movie itself :P. Basically, in NTFS one file can contain multiple data streams, each independent of the others. In layman’s terms, an NTFS file can contain other files that are totally independent of each other. For example, a simple .pdf can contain files like .txt, .avi, .zip, etc.
This feature can be exploited to hide files on an NTFS partition. All we need to do is create a data stream in a container file (say important.txt) and copy the contents of the file we want to hide (say porn.avi) into that data stream. One more thing: you can hide as many files as you want in one single file.
So here’s the step by step process :
1. Install some Unix-like environment for Windows, such as cygwin or UnixUtils. This is only needed for the “cat” command.
2. Now open the command prompt and type:
cat porn.avi > important.txt:stream_name
Here stream_name can be any secret name you prefer, e.g.:
cat porn.avi > important.txt:porn.avi
3. The file is now saved in the data stream “important.txt:porn.avi”. The original porn.avi can now be safely deleted without losing any data.
4. To extract the file again, you just have to run:
cat important.txt:porn.avi > porn.avi
This gives you back the file you wanted. 😉
This method is excellent because the data stream cannot be easily detected: it does not even increase the size of the container file. But it has some limitations:
1. This works only on the NTFS file system.
2. If the file is transferred to any other file system (FAT32, EXT2, etc.), all of its data streams are lost.
3. A data stream cannot be accessed directly by software, so it must first be extracted to be of use. This is not so annoying, since we are already used to the same thing with compression software.
4. Various metadata related to a file is lost when it is stored in a data stream.
5. A data stream, once created, cannot be deleted. One way around this is to make a copy of the file and delete the original, e.g.:
cat important.txt > copy_important.txt
6. Data recovery tools do not handle data streams, so if the file system gets corrupted there is no way to get the file back.
7. You have to remember the exact name of the stream every time you want to extract the file.
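The same hide-and-extract flow from the defender’s side, as an added example that is not part of the original post: it builds a constructed container file, puts text into a named stream the way the cat step does, and then shows that Get-Item -Stream * lists every stream on the file (the detection check behind limitation 7), and that Remove-Item -Stream drops a single stream in place. It needs PowerShell 3.0 or later on an NTFS volume; the container path and the stream name are assumptions.

```powershell
# Added example, not code from the original post. Needs PowerShell 3.0 or later
# on an NTFS volume; the container path and stream name below are assumptions.
$container  = Join-Path $env:TEMP 'important.txt'   # assumed container file
$streamName = 'hidden_payload'                      # assumed stream name

# List every named stream on a file except ':$DATA', the ordinary content.
# 'Zone.Identifier' is a common benign one (mark-of-the-web on downloads).
function Get-AlternateStream {
    param([Parameter(Mandatory)][string]$Path)
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object FileName, Stream, Length
}

# Walk a directory tree and report every file carrying an alternate stream,
# the same information 'dir /r' in cmd.exe prints for a single folder.
function Find-AlternateStream {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Get-AlternateStream -Path $_.FullName }
}

# --- constructed demonstration ---------------------------------------------
# 1. An ordinary container with visible content.
Set-Content -LiteralPath $container -Value 'visible text'

# 2. Tuck a second payload into a named stream (the cat step from the post).
#    Binary data needs -AsByteStream (PowerShell 7) or -Encoding Byte (5.1).
Set-Content -LiteralPath $container -Stream $streamName -Value 'constructed secret data'

# 3. Explorer and a plain 'dir' still report only the visible text's size,
#    but stream enumeration exposes the hidden stream and its length at once.
"Size as reported: $((Get-Item -LiteralPath $container).Length) bytes"
Get-AlternateStream -Path $container | Format-Table -AutoSize

# 4. Read the hidden content back by stream name.
Get-Content -LiteralPath $container -Stream $streamName

# 5. A single stream can be dropped without copying the whole file.
Remove-Item -LiteralPath $container -Stream $streamName
if (-not (Get-AlternateStream -Path $container)) { 'stream removed' }
```

Run Find-AlternateStream against a directory you administer to see how many files already carry streams; most hits will be the Zone.Identifier stream on downloaded files.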