When Microsoft designed Windows, instead of using a normal attribute to store information about a file (for example, the date the file was created), it decided to store this information in a hidden place. This hidden place is known as file streams.
In this tutorial, you will learn about file streams and how you can put them to good use.
Each file on a Windows system comes with a default stream that applications can use to store information. A file can also have more than one stream (the extra ones are known as alternate streams), but they are seldom used by applications.
How To Hide Text Information On a File
It is a good practice for applications to store data in alternate streams rather than the default stream. However, almost none of the programs we use care about this. They just use the default stream and forget about the possibility of a file having more than one stream. Creating an alternate stream is as easy as using file:stream in the command prompt.
To hide text information on a file, we just have to create an alternate stream and store information into it. In this case, we are going to use a file with the name “program.exe”.
Open a command prompt. To create a new stream, type:
The next window will appear:
Notepad will create an alternate stream with the name “hide.txt” inside program.exe. Once we click Yes, we can save whatever text we want:
If you copy the “program.exe” file to another location, it will carry this file along. To access the stream, you will need to use its name, in this case “hide.txt”, which makes it even harder for someone to read it.
How to Check If A File Is From External Sources
Windows uses this feature to keep track of the source of files. It is also a good way to improve your security, since you can now find out the source of a file. To check if a file came from another computer or the Internet, right-click on the file and select Properties.
In the General tab, you will see information about the file:
How to Manage File Streams
While you can easily create a stream, Windows doesn’t come with any tool to view which files have streams. Nor is it able to list the streams associated with a file. If you want to see this information, you have to use a simple application called “Streams”. This is an old program created by Mark Russinovich, who currently works at Microsoft.
Download Streams by Sysinternals
With this program, you can see if a file contains more than one stream. It also shows the name and the size of each stream.
From the image below, you can see that many files have a “Zone.Identifier:$DATA” stream. This is used by Windows to store information about the source of the file. It will only exist if the file originated from another computer or the Internet.
By default, Windows will block programs downloaded from the Internet. If you are sure about the safety of the file, you can use Streams to delete this data so that Windows doesn’t ask you to unblock the program every time you run it.
Alternative means to view streams
If you are using Windows Vista or 7, you can use the dir command with the /R switch to view the streams. In the image below, you can see that the streams information appears if we use the
You can see that “file.exe” contains two streams. One is unnamed (the default) and the other is “Zone.Identifier:$DATA”. For a file that doesn’t come from another computer or the Internet, this stream doesn’t exist.
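The dir /R listing described above can also be checked by a script when you have many folders to review. The following is an added example, not part of the original tutorial: it parses a saved dir /R listing, reports which files carry Zone.Identifier, and flags any other named stream such as “hide.txt”. The sample listing is constructed, the function names are hypothetical, and the layout of the stream lines (an indented size followed by file:stream:$DATA, with no date) is assumed to match your Windows version.

```python
import re

# Constructed sample of `dir /R` output (not captured from a real system).
SAMPLE_DIR_R = r"""
 Directory of C:\Users\demo\Downloads

01/15/2024  10:05 AM           102,400 file.exe
                                    26 file.exe:Zone.Identifier:$DATA
01/15/2024  10:09 AM            45,056 program.exe
                                    11 program.exe:hide.txt:$DATA
01/15/2024  10:11 AM             1,204 notes.txt
               3 File(s)        148,660 bytes
"""

# Assumed layout: stream lines carry no date, only a size and file:stream:$DATA.
STREAM_LINE = re.compile(r"^\s+([\d,.]+)\s+(.+):([^:]+):\$DATA\s*$")

# Streams that Windows itself writes; any other named stream deserves a look.
EXPECTED_STREAMS = {"Zone.Identifier"}


def parse_streams(dir_r_output):
    """Return (file, stream, size_in_bytes) for every named stream listed."""
    found = []
    for line in dir_r_output.splitlines():
        match = STREAM_LINE.match(line)
        if match:
            # Drop thousands separators, which vary with the system locale.
            size = int(re.sub(r"[,.]", "", match.group(1)))
            found.append((match.group(2), match.group(3), size))
    return found


def unexpected_streams(dir_r_output):
    """Named streams that are not in EXPECTED_STREAMS."""
    return [s for s in parse_streams(dir_r_output) if s[1] not in EXPECTED_STREAMS]


def downloaded_files(dir_r_output):
    """Files carrying Zone.Identifier, i.e. marked as coming from elsewhere."""
    streams = parse_streams(dir_r_output)
    return sorted({name for name, stream, _ in streams if stream == "Zone.Identifier"})


if __name__ == "__main__":
    for name, stream, size in unexpected_streams(SAMPLE_DIR_R):
        print(f"review: {name} has stream '{stream}' ({size} bytes)")
    print("from another computer or the Internet:", downloaded_files(SAMPLE_DIR_R))
```

To use it on real data, redirect the output of dir /R to a text file and pass the file's contents to these functions instead of SAMPLE_DIR_R.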
Do you know of any other ways to hide confidential data within a file?