"Super Hidden" Files in Windows (Even Experts Don't Know About)
Vložit
- čas přidán 20. 06. 2024
- I bet almost none of you know about this 🤔
⇒ Become a channel member for special emojis, early videos, and more! Check it out here: czcams.com/users/ThioJoejoin
▼ Time Stamps: ▼
0:00 - Intro
1:13 - Hiding Text
2:58 - Hiding An Entire File
5:01 - Some Additional Points
5:23 - Deleting Alternate Data Streams
6:21 - How to Find Alternate Data Streams
7:59 - AlternateStreamView Tool
9:20 - Real Usage Examples
11:40 - What's the Point?
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬
Merch ⇨ teespring.com/stores/thiojoe
⇨ / thiojoe
⇨ / thiojoe
⇨ / thiojoetv
My Gear & Equipment ⇨ kit.co/ThioJoe
▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬▬ - Věda a technologie
Thanks. Now I know where to hide my "Homework" folder
Boku ..
No.......
...
@@azideiaman pico
no
@@BootlegGremlin hero academia 😀
Can I copy your homework?
I learned about Streams in 1998 in a security training class. They can be used to hide any file, even malicious files. anti virus scanners don't check for files in streams.
I believe antivirus programs do now
Umm hello
@@ThioJoe and even if they didn't, they will after seeing this 😆
You said don’t check files in stream why? So these hidden files should I delete,I just bought the surface go 13 inches. The only thing I can’t find is the service key it’s a long # where do I find it? I thank you your so informative & very intelligent person. You are AWESOME
username checks out
I made my living in IT for over 25 years. Started out with standard desktop break-->fix work and worked my way up to Enterprise WAN management. I've also done some scripting and programming. I would easily fit into the "expert" category (though I never liked calling myself that) and was often referred to as such - if someone was told to call the expert, they'd be calling me. In all those years, I never even heard of alternate data streams in Windows.
Like they say, "you learn something new every day." My hat comes off to you for even finding this feature and then explaining it, well, "expertly." Well done!
I've worked in IT for about ten years and know stuff about Windows that even some of the true graybeards around here didn't know... I also didn't know about this. Windows is such an insanely deep rabbit hole.
I've worked in it for as long as OP and DID know about ADS's. They have some practical uses but mostly exist as optional features unused by most users and software. The fact you can use traditional CLI commands to manipulate them is a little remarkable. I thought that would have been handled mostly through Powershell. This is a fascinating presentation.
Grey beard here, knew all about ADS and played with it, hiding stuff in there, cleaning virus out of that space, etc. More utilized under Apple products, but I was doing Windows.
You'll find ADS in your saved URLs, zone information is saved in there, even to this day. I usually clean up poisoned URLs so they are normal 2 digit size, not 3 digits in size.
I'm sure there's other things I don't know but I've seemed to have forgotten it. 😊
You can also use WSL to create a folder NUL or use parted magic to create folder with forbidden characters or use UNC paths to create folders ending with space alongside a folder not ending with space.
Hmm intradesting 🤔
Me wondering about every word he said be like
Looks like someone learned one or two things from Fly Tech :))
You can also use ALT + 0160 to create a folder without a name; 😈 My brother's best friend (RIP) taught me that back in 2006. 🤩
@@ThioJoe you should do it probably
The term "superhidden" is itself in registry used for "protected system files". The NTFS data streams are not separate files, rather attributes.
Even if they aren't technically "files", practically speaking they are, and the fact they are so hidden is a considerable security threat.
@@fllthdcrb When was the last time you "on practice" accessed a data stream as a file? Yes, never, thank you.
"Security threat" - that's adorable. OS is aware of them, file system is aware of them, antiviruses are aware of them, IT pros are aware of them... the mere fact that YOU aren't, does not make 'em a security threat lol. It's a file system feature which may be used by malware - just like any other OS feature - e.g. you know, malware is usually stored in (drumroll) files! This does not make files a security threat.
@@fllthdcrb next time dont speak your ignorance.
@@fllthdcrb pwnd
@@hackdesigner >When was the last time you "on practice" accessed a data stream as a file?
That is literally how you access data streams.
>Yes, never, thank you.
You know when you access a file? Psyche, you're accessing the file's default data stream.
>"Security threat" - that's adorable.
About half of google search results are security blogs.
As a noobie data-hoarder, the Zone Identifier seems extremely useful.
It's a shame that it's hidden away like that, I really like the idea of files keeping track of their origin.
On the contrary, I was always annoyed by this feature, so at some point I looked for a way to disable it and now I always disable it. I've known about alternative streams for a long time, but I didn't know that the zone identifiers are stored in them
Usually when I hear of "super hidden" files, it has to do with a completely separate concept from Alternative Data Streams (available as far back as Windows NT) which are the desktop ini files. These alter how Explorer shows (or hides) the current folder (and sometimes even its parent folder!) in every Windows version since Win 95. The most notable example is the recycle bin. You can see its true structure inside cmd or winfile (if available) but not within Windows Explorer.
you can see the real structure in explorer when opening via the hidden folder at C:\
@@the_lenny1 Still doesn't show the real data, just the interpreted data from the $R and $I files.
@Evi1 M4chine On older versions of Windows (95 for instance), they'd refuse to display certain folders in explorer no matter which UI options were toggled. You'd have to launch explorer from a command window to get around it (or just use the command window itself or the old File Manager.) Somewhere along the way, they gave more sane options to display these, at the expense of hiding other stuff (including alternative data streams.)
I work in IT and did not even know this. I also always wondered how the OS would know a file came from the internet. I thought it might be some database or registry somewhere but it was odd because when I copy the file to another computer this would stay with the file...now I know. Thank you.
you teach me something pretty much every time i upload. hopefully one day i can keep this knowledge heading downstream and help other people. thank you!
When we first launched NTFS we had a whole section in our 5-day training course, dedicated to streams & how to access them. The vision of the dev team was quite vast. 1. They'd let you extend the NTFS properties, so you could add your own custom tags needed to support an advanced Document management system. each file became the equivalent of a row in a doc database.
2. You could do version control. Keeping the delta between the version as streams. 3. You could do translations. The doc could contain streams for French, Spanish, English etc. & your application opens what it likes.
4. Similar to (1) Audio & Video could be tagged with production attributes commonly used in radio or TV production.
Unsurprisingly it never took off. Most Architects & developers don't get close enough to the API's to really understand how extensible & powerful the Microsoft products really are. So they don't think to use them, or they design some complex system to do the same thing the product does better out-of-the-box. I'm not saying that is their fault. There is only so many hours you can devote to really learning a product.
The irony is this indexing technology is much-needed but not yet user-friendly enough.
Another great thing are Junctions. I used them on a Win2K fileserver to build a nice tree from different partitions and shares. 20yrs later they are still not editable by UI but implemented in CLI commands.
I knew about this when I checked out the alternate streams option in 7zip, in which I found the zone.identifier file, and now you have confirmed those things do exist
My favorite trick that blew my mind was when I learned you could unzip Microsoft office files and see all the hidden plaintext xml files ☺️
Omg, when i was kid i used "open with" on every file for lot of programs...
@@sophiacristina Right?!?! oh gosh, I wasn't that intelligent. I found out how to enable dictation and then plugged in my radio to the aux input and let the poor (according to today's standards) dictation engine type away seemingly random phrases and make me a "story" lol. I did find a Java page and the hidden Media songs but I had no idea what to do with those. Microsoft put so many surprises into these wonderful machines
@@SquirrelTheorist Hey, in fact that looks pretty smart and fun... :p
@Sophia Cristina XD Aw thank you! It was super fun. In a way I would totally do it again if the dictation programs today would type words out if it heard random static and music. That's a great idea, I think I'm going to give it another shot on this computer. Thank you Sophia! :D
only for DOCX and the likes..
Streams came with the NTFS file system.
Nice to know the access is so simple!
Alternate data streams (in theory) could also be used for version control and document history. I'm surprised this isn't in wider use.
Metadata can be attached more easily is my guess; most programers dont want to bother with adding additional files to a files attributes to attach them to said file.
@@Atsumari That and the fact that this is Windows-specific.
More likely is the fact that it hides the data by design, kind of defeats the point of trying to keep track of version history if you obfuscate the data!
@@Fifury161 Well the idea would be that the application that uses ADS to store version info would also have the ability to scan ADS to retrieve it. The obfuscation in this case is actually useful because (if combined with encryption) it can prevent people from tampering with the versions.
@@bwcbiz technically you could use it on an NTFS-based Linux install
Nice one. No irrelevant chatter just real information.
I went into this video thinking I wouldn't learn much as I was already familiar with ADS, but you taught me a lot! Very thorough and informative video! Thanks a lot man!
"Anaheim" in the SmartScreen files? Interesting. The codename for "new Edge" (the Chromium based one) is "Anaheim".
ANAHEIM is also one NSA project. Coincidence?
OS/2 has a nice use for this. It uses REXX as a scripting language (like Windows uses PowerShell), but that is a compiled language. It will be compiled automatically when you start a REXX file, but that could takes several seconds back in the day. To speed this up, the compiled version i saved in a data stream. So starting a REXX program is only slow the very first time you run it.
Suddenly I remembered that I mentally blocked out my experiences with OS2 Warp (and Lotus Notes)
One problem with Windows, and I suspect OS/2 as well is that filesystem features are too closely tied with one particular volume format, namely NTFS in the one case, HPFS in the other. On Linux, you have a VFS layer in the kernel which supports the use of a whole range of filesystems, including compatibility drivers for the old ones from DOS, Windows, and OS/2.
The trouble with the “data stream” concept is that it does too much, and yet too little. It’s like a directory which can only contain files to one level, and with limited names: why not replace it with an _actual_ directory?
@@lawrencedoliveiro9104 That's what OSX does. (On the other hand, you cannot install OSX on FAT32, so that workaround is useless...)
But the issue is something else: You cannot innovate if you want to stay compatible with the oldest technology ever made. At some point you want your operating system to have a filesystem that can do more than FAT8 with 6.3 character ASCII filenames, 8MB file size limit and no directories. And when adding more and more features into your filesystem (last access time? check. last modification time? check. creation time? whatever. owner? go on. group? ... acls?) you will come to the point where it stops making sense to add specific fields for each and every possible data value. And at that point the only logical solution is to have a generic structure, Extended Attributes in OS/2, File Streams in Windows. Both are basically simple key-value lists.
The real interoperability issue here is that there is no way to store those on FAT volumes. So every operating system finds their own way to store them, and every one does it differently. In theory all operating systems could use the corresponding storage system of any filesystem like their own, if they had drivers for those. But they generally don't, so we end up with all that garbage on FAT volumes.
NTFS is showing its age. Windows desperately needs a more modern filesystem. But NTFS is too heavily baked into Windows to be easy to replace.
That's a good use of these, for non-critical information or as a cache, since these alternate data streams generally aren't preserved when sending the file across the Internet.
Great job on a topic relatively few windows users know about. Those who are security focused will know about this, but the tools you present to find data streams are good for general users. Well done.
6:01 as someone who works with USB drives a lot i have seen this several times but never thought about what exactly it meant.
Very clearly presented and useful information. Thank you for sharing!
I used to use a program that made fake "bad sectors" on the disk, and then wrote to those.
Only a few advanced forensics programs can find them, and if encrypted in a certain way, even that can be ofuscated.
Worked on all operating systems.
And the name was ... Any more info on this.
Interesting...
I wouldn't put too much stock in the idea that this is ignored by forensics software though. But it could be a useful way to hide personal info in a way obtuse enough that malicious actors would fail to find it. Basically, don't use it to do illegal things, but it might be useful for stashing say, a crypto wallet's key or keypairs.
@@stevem1097 I think I figured out why there's no software names - every time i put any in, the comment gets nuked.
There's two things you want to do to accomplish this. First, manually and arbitrarily mark bad sectors, then read/write to sectors using low level disk access. If you google both topics you should find a few solutions pretty easy (the ones I can't seem to share with you for some reason)
Be CAREFUL if you mess with this. You're not working at a level where partitions and files exist anymore. You can seriously mess up your system.
@@stevem1097 I would also suggest that you think about process first, software second, in the future - considering how the comment reads, the actual piece of software, if the original commenter even remembers the name, might very well not exist or be deprecated by now. But if you know what you're trying to accomplish and can translate it into process, you can then attack each step of the problem individually
Well shit, this is actually something I was concerned about. I was wondering why there was so little space on my pc when I've barely downloaded anything. Maybe I accidentally downloaded a virus.
There are many other possible causes though, use WinDirStat or WizTree to figure out where all your storage has gone
@@ThioJoe thanks for the advice!
that space is most likely held hostage by windows itself. If you have hibernation enabled, there'll be a hibernation file about the size of your system memory where windows dumps its RAM contents before it goes to sleep. So on a system with 16GB of RAM that's 16+GB of your SSD gone. If you haven't configured your system memory manually then windows will create a swap file that can be anywhere from 1GB to 150% of your machine's ram size. A 5GB swap file is pretty normal with memory management set to auto but it can grow much larger than that. My workstation has 128GB of RAM and for normal usage a swap file isn't necessary at all since memory usage is only 10 or maybe 20% ... but left unchecked windows wont hesitate to create a 40-60 GB swap file ... which is of course of no actual use and only slows my system down while eating away at my SSD. By default windows also reserves a considerable portion of disk space for windows update downloads and update backups/ update roll-backs. I think after my last fresh install it was already about 8GB or so. System restore points also take up a lot of space if you create them regularly / before every software installation - which is a good thing to do, but managing restore points and deleting old ones will free up maaany GB instantly. No need to keep more than the latest two restore points really. It's also always good to check the systems temp folder(s) once in a while ... sometimes install packages aren't deleted on shut down for some reason and then linger for quite a while. WIndows by default will also use it's oh so great prefetch and superfetch functions to pre-load/ cache data of frequently used software to speed up loading times. Obviously useless with Sata and NVMe SSD system drives.
Windows is a pain in flank these days. On a vanilla W10/11 install with all default settings losing 50-100GB of disk capacity to Microsoft's nonsense is normal.
My "homework" folder is still hidden better ...
As in its not even existent
Nice! This is really cool, thx ThioJoe!
Heh, extracting data from Mac files on an NT 4.0 server was exactly how I learned about streams. I hacked together a few utilities & menu items so I can quickly see where downloaded files originally came from. Lots of cool things, and lots of programs like Firefox, Notepad++ etc. can get at the streams if you know they exist. I've had way too much fun messing around with them.
Keep up the good work As a avid Linux user I decided to jump into windows and tackle it and learn as much as I can learn and you’re really a lifesaver for me thank you for the video’s
I was happy I knew about them. Good to see someone making content around these.
When the input file contains a [Ctrl]+"Z" character the TYPE command stops there with displaying text. Typically a remnant of the MS-DOS days. I suggest using the COPY /B variant to add an alternative data stream.
I used to clear out the viral hidden junk after the Ctrl Z symbol in text files.
Then how did you read it?
@@bruhuk_obama Using apps that ignore the Ctrl-Z character
Great call on WizTree. When we used Kaspersky at work several years ago some log file it created used up all the space on my hard drive. WizTree was the first utility I ran that found what had used the space.
We thankfully no longer use Kaspersky, but I bought a personal license for WizTree.
Also the ASV utility seems to be pretty useful too.
This info was shown in a German "Computer Bild" PC magazine around 1995, when I was still in Highschool. I'd never have thought that this "feature" would be carried on until today, as it didn't make any sense back then - and it does not make any sense today (except another target of viruses).
From time to time you teach me something. Great video, thank you!
See, this is why I always end up going back to watch a video even when the title isn't "clickbait-y" enough, and I feel so damn lucky that I have the tolerance to sit through anything, and in the end, it's very rewarding 99% of the time. I wonder if this alternate data stream thingie is related to an executable I used 6 years ago called streams64.exe, which I used to bulk unblock files I had downloaded via browser, because it bothered the hell out of me that every time I double-clicked a downloaded file, it would ask me to hit "Open" again - not to be confused with the User Account Control prompt. As always, thank you, ThioJoe!
I wrote all this before finishing the video. LMAO Man, you just made me realize that I have the memory of an elephant, bro. 😂🤣
cool story bro
I came across these streams some 10-15 years ago when transferring video files from DVR to PC (DRM wasn't a big thing yet back then). The programs on TV often contained colons, and the non-Windows DVR just included them in the filenames. And the shoddy transfer program wouldn't bother converting the filenames to be Windows-compliant. If I forgot to change the filename before transfer, instead of 6-GB file named _some recorded:program.vid_ there would be a 0-byte size file named _some recorded_ . I quickly found instructions how to copy the contents of the file's side stream to the main stream in a new file, but it was annoying because the computer I used for that was an originally very low end laptop that was already old at that point and had a slow HDD, and copying large files to the same drive took for ages (because the HDD multitasked poorly). But often there was no choice, as I had set the transfers to be _moves_ , meaning the file would have been deleted from the device when I'd realize my mistake on the computer.
(As hindsight, that wasn't even bad. Nowadays DRM often outright prevents keeping the recordings.)
Interesting story, thanks.
@Evi1 M4chine Well, it's not exactly trivial.
Amazing!! I'm pretty shocked that I didn't know about this!
Excellent presentation, thank you!
Powershell has stream related commands, which can help in creating, finding and deleting alternate data streams.
This feature seems like an excellent way to add some difficulty to ARGs.
It's an NTFS/ReFS/UDF attribute, so it wouldn't work in most cases as this information isn't converted/preserved when copying the file into a zip archive, website, non Microsoft file system, etc.
If the ARG consists of a program that install stuff on the computer, then sure this could work as the program can modify/add the alternate data stream attributes but if say the ARG had an image that you'd download off the internet, you can't hide additional information in it. You can only store the contents of the file itself and the file name (not even metadata like permissions is possible).
Often a lot of programs like file archivers will retrieve & convert attributes like permissions & access timestamps from the FS to store it in its archive format and then convert & apply it on other systems when a file is extracted, like Windows permissions being read and then stored in the zip archive format which when sent to and extracted on a Linux system, the file archiver will set the extracted file's permissions & access timestamps with the data stored in the archive format during extraction. Alternate data streams are not one of these attributes that most programs preserve as they're pretty specific to Windows systems, unlike more universal things like permissions and access timestamps.
@@ecksdee8072 OK Jesus Christ that is way too complicated for me to understand
@@SusuLakuProductions ok
A platform independent alternative is hiding a zip file insize an image file. Note that this will add to the reported file size and depending on how big the zip file is compared to the expected image size from its quality and all, some people may catch the discrepancy and look into it.
Participated in an event where they did exactly that. I believe the practice is called Steganography.
@@Vixel4076 yeah, steganography basically is "hiding a message within another message or object" though depending on which angle you look at it, if you look from the file angle, it is steganography, but if you look from the image side some may not consider it steganography because if you screenshot or convert it losslessly, the hidden file disappears.
A decent way to hide info is also within docx files, which are basically zip files with some structure, and can be made fairly large if they contain pictures, so a few hundred kb can pass fairly easily.
For larger files, a lot of videogames use a compressed file, sometimes encrypted (but since the game needs to open it, it is possible to get the key), so you can hide a couple gigabytes of files in there.
Nice work. Very informative and well explained. 👍
Great video! Very useful information! Thanks for posting!
When can we expect the PC build video? Excited for it 🤞
This week some time
@@ThioJoe LFGGG
Interesting video.. I wonder if ARGs will make use of Alternate Data Streams in the future.
Though this may have its issues, for example, any non-Windows user would be unable to solve the puzzle. He also mentioned that ADSs would vanish when uploaded to the Internet, so that would force said ARGs to have you run a script or program for the data to appear
@@martinus_mars WinRAR has an option to keep them in when compressing and extracting files. So while it might technically require running a program for it to work, it's at least a program that the vast majority of people are going to have.
Nope, because any Browser overwrites the ADS and you cannot even upload ADS.
You can kinda embed them in rar/7zip, but pointless imo.
@@Sypaka Not necessarily. Say you were using a game as a front for your ARG. Assuming that it isn't being distributed though Steam, you'd probably distribute it as a compressed file. You can then have the alternate data streams hidden within game files, allowing for the ARG to work. I already have plans for doing this exact thing myself (although, before hearing about alternate data streams, I was planning on distributing the information through the spectrograms of the game's ost). So yeah, not entirely pointless.
@@alexbubble6952 Depends on the game engine, but I have yet to see a game which has a filestructure, which allows files WITH their ADS to be stored within.
However, you could make the game in a way to check, if the current folder is writeable, then extract a file from the gamefiles and move it under a gamefile as an ADS. But be aware, you may get flagged as malicious in heuristics.
There is also a shit ton more to do on files itself. I made a file, which opens perfectly as JPG, ZIP, RAR, BAT and HTML all with different contents. Hilarious.
Man, I'm so old school. Um,, since the 80's. Lol. So I still work mainly in C-pmpt. I Like that Joe demonstrates power user techniques. Win OS has many developers hacks and tweaks available to power users. This is a rare comprehensive tutorial. I would like to see more about H-key use.
Kudos bro.!!!
Nice! I always wondered why files I dragged from my Windows file system to my WSL file system carried that “ZoneIdentifier” bit
Sysinternals suite has a tool for alternate data streams too - "streams".
By the way, the eset antivirus used to write calculated checksums of files into the ads of the file, thus touching every file it scanned. Which drove any other antivirus or malware scanner nuts which then reported the whole disk as infected with malware.
I tried opening streams as admin but nothing happened after the confirmation popup. 🤔
@@zmbdog this platform keeps removing my comments, sorry, dude, I'm done here.
@@furzkram That's ok. I can see your previous comment in my notifications still. Thanks
I remember learning this from another youtuber. It was Enderman I think.
FlyTech Videos has a video for this
Yea not surprised, he makes lots of good videos about lesser known windows stuff
Great video, I already know about those "Super Hidden" but bet many don't.
Even tho it's a year old still nice to watch, dunno how I missed this upload a year ago..
By the way, Thio, I'm about to use your YTSpammerPurge tool right now, because I'm starting to get really annoyed by spammy comments, so I figured I'd do some "janitor" work in my free time for some CZcamsrs I admire. Great job, bro! 👏🏻
I actually use these all the time as temporary files when programming. I normally remove them because they contain hashed sensitive data but that’s what I use them for.
I thought I was super clever back in the day making a batch file "pw manager" with this approach. Hell, it would still throw off most people today but certainly not the most secure method on the planet lol.
In the past you could also have different versions if the same picture as different streams. E.g.background pictures in different resolution or icons of different size. OS/2 did this with HPFS. There would be many other possibilities. But it will probably not happen anymore.
Wow that is something new about something old that I learned today. Great job. Thanks a lot man!
That was a REALLY INTERESTING & educational video. Thank you TJ,
Thanks for the exciting news - I truly had no idea. The years when DOS was my playground are long gone and I was so embarassed with missing out for so long about all the might and wonder of the powershell. Btw... although you just ask for a datastream "blah" the system suggests a .txt-file in 05:16. Why is that? Is it always this way when you enter no extension?
Hm I'm not sure, I assume it is something Notepad just did by default for some reason since a filetype wasn't given.
"Anaheim" may be related to Chromium-based Edge (which may be used for services behind the scenes by Windows even when you're using a different browser), and in conjunction with SmartScreen, I would guess that it's another marker to tell the OS that the file was handled by Edge?
Mostly guessing after seeing that "Anaheim" is/was a codename for Edge; take this with a big grain of salt
I came to the same conclusion after doing a bit of googling. Anaheim was indeed the codename for Microsoft Edge, so Anaheim probably marks the file as being downloaded using Microsoft Edge.
Very cool video! Resource forks in classic Macs (eg Mac SE) were awesome!
The place to go when realizing that I know little about the magic box 📦. Thank you for all the great work!
I wonder if this could be related to something I've encountered recently, that is, PHP files infected with malware; when I open them with Nano, I don't see the malicious part of the code, but when I use Vim or Notepad++ via FTP, the malicious code is there. 🤔
Nano is a linux thing, so I suspect you're using linux, which would probably mean you're using ext*, btrfs, xfs or zfs, none of which, to my knowledge, support alternate data streams.
What's imo more likely is that the malware replaced nano, or that for some reason nano has an different inode pointing to the safe file, while the ftp and php servers have one pointing to the malicious one, caching may also be an issue.
The way linux usually works is that it has inodes, which point to files, and if a file is replaced, it is actually copied to a new space, and when a new call to open the file is made the new pointer will be given, but the old file is still there while there's a program using it, and so if the file isn't reopened completely, you may have a discrepancy between the two.
i always read the ntfs as nfts
ThioJoe you done it again you slick son of a gun! I'm a cyber sec major and I must say I've learned a lot of things about windows from you and not school lol currently taking windows workstation class but I've did a different one last semester
this is interesting. wonder if this will work on macOS/*NIX systems
They have "forks" instead of streams on apple file system, so theoretically yea
@unsubtract The classic way Unix/Linux hides files is by starting their names with a dot. But use of this convention must be understood by individual programs. There's no way to tag other files to a main file such that all the files get copied or removed with the main file, unless smart versions of, say, cp, rm, and mv were created.
One can view this as either a lot of trouble or a wonderful boon. But for a file to carry a hidden burden of "life altering" content could arguably be seen as unfriendly. Being of older school, I want it to be explicit.
@@SeekingTheLoveThatGodMeans7648 Yeah, dotfiles aren't attributes of a file system, they're just files like any other. Like you said, them being hidden by default just convention done by the ecosystem and is very very easily toggleable. You can copy dotfiles to a Windows system as normal.
No such feature that is similar to forks/streams are present on Linux file systems like ext4 and Btrfs. There's just the file content itself, and then the metadata like uid/gid, inode, access/modify times, and the chattr ones which are stored/exposed by the file system. That's it.
@@ecksdee8072 you are forgetting user_xattr which does allow some extra metadata to be stored with the file, though size limited on ext[4|3|2].
Great fann ❣️💓
Thanks Theo for the great info👍🏻.
This guy know operating system in deep level.
Thanks for sharing us this kind of useful information.
I’m a next level Windows expert and I don’t even know what this is and I know basically everything in Windows and how it works
You weren’t lying
I knew that ADS exist, but now it became much clearer, thanks! Everytime you copy a file to FAT32 and the system asks if you want to continue to copy a file without it's "properties" you are gently reminded they exist ;)
A New Thing that i learned today from Thio, Thanks !
Hacker mode activated. Thanks Thio!
Already planning to rewrite some of my proof of concept malware. To take advantage of this.
Data streams have been the way the NTFS file system has worked since the second version - mid '90s . Every file has at least one stream - $Data. Most decent AV software has been scanning alternative straems since not long after NT4 hit the streets. This really is nothing new, they aren't hidden file - it's just the way NTFS works.
The alternate data streams would be hidden if they are encrypted. You can take it a step further but that would be telling :)
Super cool to know! Thanks
This was super cool man thank you for sharing
Anaheim is the code project name of Edge Chrome version...
Hmm that could explain it, but i didnt use edge to download them 🤔
@@ThioJoe Maybe is something related to the download of files or a presetup for edge related to the data streams. Remember that Microsoft integrate Ie at os level... maybe is still something of that under the hood. Greetings from Mexico...
6:22 I'd be wary of checking for an alternate data stream merely by file size versus disk space used. What if it's a 1GB file that uses 1.01 GB on disk? There could be a small alternate stream storing some info along with the 1GB of normal file data. Not a problem if your only concern is disk space, but for covert data even 1K might be a problem.
not only that, you could have a 1 byte file, that will show 4kb as size on disk because the partition is formmatted with that sector size, and it won't have any streams, its just how disks work
@@marsovac Yes, that is because NTFS does not allow mpre than one file per sector. Some file systems, e. g. Ext4 and Btrfs, theoretically allow inodes which contain more than one file. However, these files must share the same owner, group, creation and modification time.
@@pi_xiok yes, it depends on the filesystem, but probably there are quirks with those that support more than one file per sector as well. Alignment and padding come to mind to alleviate SMR/CMR differences in reading and writing capabiltiies. My point is that even without streams the method of comparing file size with size on disk is already faulty in concept since it has too many assumptions.
@@marsovac It can even be the other way around. Sparse files (often used for VM images) and compressed files (NTFS allows selective compression) take less space on the disk. NTFS junctions (hardlinks) take only one sector, which is usually 4 KB.
Thank you for the information.. I enjoyed this
As someone working as a software engineer your videos interesting and informative!
Hi
Something that Joe missed is that you can actually enable super hidden files by using registry editor. I forget how but I’ll look into it
I’d be interested in knowing where this registry key is.
I suspect you mean desktop.ini-like hidden files and not alternate data streams
This is such a great video. I am surprised I never knew about this although I admitedly never read the NTFS documentation either lol
Thank you for telling me Wiztree. It baffles me how much faster it loads the interface. It even has dark mode, and a great UI design.
Let's take the moment to appreciate how much effort he puts into his content for us. Great job. ❤
Let's take the moment to spot how fake your 'likes hunting' comment is
@@-COBRA Facts
Earlyish
The NirSoft person is insane. I always thought it was a team of people. Super useful tools!
Edit: and nice video! Didn't know about this at all.
He's a friggin hero
Great video Thio!
Pin me for no reason 😅
Edit: nvm 😢
Edit 2: OMG A HEART THATS CRAZYYYYYY
ThioJoe hearted your comment again Once you edit a comment, the ❤️ will disappear so be careful 🙂
@@_SJ oh phew ty
Use Linux and nothing is hidden from you at all
Cope + WSL
except those processes someone with malicious intent has hidden from the process listings which are also holding open unlinked files, those unlinked files still being written but not appearing is directory listings ...
Love your videos man, if your title say "you probably don't know about" it's for sure I've never heard of it
Trivial but important: add/change/remove an alternate data stream will also change the modification date/time. When programming a script or whatever you should restore the original date/time of the file afterwards.
Those data streams, added for no good reason, are a big security risk. Payload can easily be a virus, trojan, or keylogger.
Well. First you have to actually execute the payload from them. But if your AV can't figure out how to read them or deal with them as they're used it's probably not worth using.
Great video! Thank you!
So good to see you mention wiztree! Love it more than windirstat and treesize
Thanks for all the useful info, find your channel informative and estectically pleasing. Now one thing that has always got the better of me is the contrast and gamma settings, I mean there are so many places one can set it, where does one start. I took a day and focused on finally sorting this but ended up with a headache and still inproper calibration. Ranging from the setting in monitor and GPU and windows, which do i use which do I just leave standard so I can change these from one source, kindly can you cover this
I was expecting to learn more about filesystem data like $MFT and $LOG, but this was cool too.
Fantastic video!
Woah this is cool , I never knew about this feature dayumn
That was used by Internet Explorer back then to store the bookmark url's favorite icon,
also used by Windows Explorer to store summary data that user may describe for a file.
That Nirsoft guy is a super hero. I wish he got more recognition.
Thanks alot for this! This is the only video i understood about ADS! SUBSRIBED!!!!!!
Thanks for your sharing
Thanks a lot, very useful for me
What are you using for your desktop background? Its cool! Great content!!
Thank you Joe! now I can store Þorn videos at my office