Boku .. No....... ...

@@azideiaman pico

no

@@BootlegGremlin hero academia 😀

Can I copy your homework?

I believe antivirus programs do now

Umm hello

@@ThioJoe and even if they didn't, they will after seeing this 😆

You said don’t check files in stream why? So these hidden files should I delete,I just bought the surface go 13 inches. The only thing I can’t find is the service key it’s a long # where do I find it? I thank you your so informative & very intelligent person. You are AWESOME

username checks out

I've worked in IT for about ten years and know stuff about Windows that even some of the true graybeards around here didn't know... I also didn't know about this. Windows is such an insanely deep rabbit hole.

I've worked in it for as long as OP and DID know about ADS's. They have some practical uses but mostly exist as optional features unused by most users and software. The fact you can use traditional CLI commands to manipulate them is a little remarkable. I thought that would have been handled mostly through Powershell. This is a fascinating presentation.

Grey beard here, knew all about ADS and played with it, hiding stuff in there, cleaning virus out of that space, etc. More utilized under Apple products, but I was doing Windows. You'll find ADS in your saved URLs, zone information is saved in there, even to this day. I usually clean up poisoned URLs so they are normal 2 digit size, not 3 digits in size. I'm sure there's other things I don't know but I've seemed to have forgotten it. 😊

Hmm intradesting 🤔

Me wondering about every word he said be like

Looks like someone learned one or two things from Fly Tech :))

You can also use ALT + 0160 to create a folder without a name; 😈 My brother's best friend (RIP) taught me that back in 2006. 🤩

@@ThioJoe you should do it probably

Even if they aren't technically "files", practically speaking they are, and the fact they are so hidden is a considerable security threat.

@@fllthdcrb When was the last time you "on practice" accessed a data stream as a file? Yes, never, thank you. "Security threat" - that's adorable. OS is aware of them, file system is aware of them, antiviruses are aware of them, IT pros are aware of them... the mere fact that YOU aren't, does not make 'em a security threat lol. It's a file system feature which may be used by malware - just like any other OS feature - e.g. you know, malware is usually stored in (drumroll) files! This does not make files a security threat.

@@fllthdcrb next time dont speak your ignorance.

@@fllthdcrb pwnd

​@@hackdesigner >When was the last time you "on practice" accessed a data stream as a file? That is literally how you access data streams. >Yes, never, thank you. You know when you access a file? Psyche, you're accessing the file's default data stream. >"Security threat" - that's adorable. About half of google search results are security blogs.

you can see the real structure in explorer when opening via the hidden folder at C:\

@@the_lenny1 Still doesn't show the real data, just the interpreted data from the $R and $I files.

@Evi1 M4chine On older versions of Windows (95 for instance), they'd refuse to display certain folders in explorer no matter which UI options were toggled. You'd have to launch explorer from a command window to get around it (or just use the command window itself or the old File Manager.) Somewhere along the way, they gave more sane options to display these, at the expense of hiding other stuff (including alternative data streams.)

On the contrary, I was always annoyed by this feature, so at some point I looked for a way to disable it and now I always disable it. I've known about alternative streams for a long time, but I didn't know that the zone identifiers are stored in them

The irony is this indexing technology is much-needed but not yet user-friendly enough.

Another great thing are Junctions. I used them on a Win2K fileserver to build a nice tree from different partitions and shares. 20yrs later they are still not editable by UI but implemented in CLI commands.

Metadata can be attached more easily is my guess; most programers dont want to bother with adding additional files to a files attributes to attach them to said file.

@@Atsumari That and the fact that this is Windows-specific.

More likely is the fact that it hides the data by design, kind of defeats the point of trying to keep track of version history if you obfuscate the data!

@@Fifury161 Well the idea would be that the application that uses ADS to store version info would also have the ability to scan ADS to retrieve it. The obfuscation in this case is actually useful because (if combined with encryption) it can prevent people from tampering with the versions.

@@bwcbiz technically you could use it on an NTFS-based Linux install

Omg, when i was kid i used "open with" on every file for lot of programs...

@@sophiacristina Right?!?! oh gosh, I wasn't that intelligent. I found out how to enable dictation and then plugged in my radio to the aux input and let the poor (according to today's standards) dictation engine type away seemingly random phrases and make me a "story" lol. I did find a Java page and the hidden Media songs but I had no idea what to do with those. Microsoft put so many surprises into these wonderful machines

​@@SquirrelTheorist Hey, in fact that looks pretty smart and fun... :p

​ @Sophia Cristina XD Aw thank you! It was super fun. In a way I would totally do it again if the dictation programs today would type words out if it heard random static and music. That's a great idea, I think I'm going to give it another shot on this computer. Thank you Sophia! :D

only for DOCX and the likes..

Suddenly I remembered that I mentally blocked out my experiences with OS2 Warp (and Lotus Notes)

One problem with Windows, and I suspect OS/2 as well is that filesystem features are too closely tied with one particular volume format, namely NTFS in the one case, HPFS in the other. On Linux, you have a VFS layer in the kernel which supports the use of a whole range of filesystems, including compatibility drivers for the old ones from DOS, Windows, and OS/2. The trouble with the “data stream” concept is that it does too much, and yet too little. It’s like a directory which can only contain files to one level, and with limited names: why not replace it with an _actual_ directory?

​@@lawrencedoliveiro9104 That's what OSX does. (On the other hand, you cannot install OSX on FAT32, so that workaround is useless...) But the issue is something else: You cannot innovate if you want to stay compatible with the oldest technology ever made. At some point you want your operating system to have a filesystem that can do more than FAT8 with 6.3 character ASCII filenames, 8MB file size limit and no directories. And when adding more and more features into your filesystem (last access time? check. last modification time? check. creation time? whatever. owner? go on. group? ... acls?) you will come to the point where it stops making sense to add specific fields for each and every possible data value. And at that point the only logical solution is to have a generic structure, Extended Attributes in OS/2, File Streams in Windows. Both are basically simple key-value lists. The real interoperability issue here is that there is no way to store those on FAT volumes. So every operating system finds their own way to store them, and every one does it differently. In theory all operating systems could use the corresponding storage system of any filesystem like their own, if they had drivers for those. But they generally don't, so we end up with all that garbage on FAT volumes.

NTFS is showing its age. Windows desperately needs a more modern filesystem. But NTFS is too heavily baked into Windows to be easy to replace.

That's a good use of these, for non-critical information or as a cache, since these alternate data streams generally aren't preserved when sending the file across the Internet.

I used to clear out the viral hidden junk after the Ctrl Z symbol in text files.

Then how did you read it?

@@bruhuk_obama Using apps that ignore the Ctrl-Z character

ANAHEIM is also one NSA project. Coincidence?

Also the ASV utility seems to be pretty useful too.

And the name was ... Any more info on this.

Interesting...

I wouldn't put too much stock in the idea that this is ignored by forensics software though. But it could be a useful way to hide personal info in a way obtuse enough that malicious actors would fail to find it. Basically, don't use it to do illegal things, but it might be useful for stashing say, a crypto wallet's key or keypairs.

@@stevem1097 I think I figured out why there's no software names - every time i put any in, the comment gets nuked. There's two things you want to do to accomplish this. First, manually and arbitrarily mark bad sectors, then read/write to sectors using low level disk access. If you google both topics you should find a few solutions pretty easy (the ones I can't seem to share with you for some reason) Be CAREFUL if you mess with this. You're not working at a level where partitions and files exist anymore. You can seriously mess up your system.

@@stevem1097 I would also suggest that you think about process first, software second, in the future - considering how the comment reads, the actual piece of software, if the original commenter even remembers the name, might very well not exist or be deprecated by now. But if you know what you're trying to accomplish and can translate it into process, you can then attack each step of the problem individually

There are many other possible causes though, use WinDirStat or WizTree to figure out where all your storage has gone

@@ThioJoe thanks for the advice!

that space is most likely held hostage by windows itself. If you have hibernation enabled, there'll be a hibernation file about the size of your system memory where windows dumps its RAM contents before it goes to sleep. So on a system with 16GB of RAM that's 16+GB of your SSD gone. If you haven't configured your system memory manually then windows will create a swap file that can be anywhere from 1GB to 150% of your machine's ram size. A 5GB swap file is pretty normal with memory management set to auto but it can grow much larger than that. My workstation has 128GB of RAM and for normal usage a swap file isn't necessary at all since memory usage is only 10 or maybe 20% ... but left unchecked windows wont hesitate to create a 40-60 GB swap file ... which is of course of no actual use and only slows my system down while eating away at my SSD. By default windows also reserves a considerable portion of disk space for windows update downloads and update backups/ update roll-backs. I think after my last fresh install it was already about 8GB or so. System restore points also take up a lot of space if you create them regularly / before every software installation - which is a good thing to do, but managing restore points and deleting old ones will free up maaany GB instantly. No need to keep more than the latest two restore points really. It's also always good to check the systems temp folder(s) once in a while ... sometimes install packages aren't deleted on shut down for some reason and then linger for quite a while. WIndows by default will also use it's oh so great prefetch and superfetch functions to pre-load/ cache data of frequently used software to speed up loading times. Obviously useless with Sata and NVMe SSD system drives. Windows is a pain in flank these days. On a vanilla W10/11 install with all default settings losing 50-100GB of disk capacity to Microsoft's nonsense is normal.

Interesting story, thanks.

@Evi1 M4chine Well, it's not exactly trivial.

I wrote all this before finishing the video. LMAO Man, you just made me realize that I have the memory of an elephant, bro. 😂🤣

cool story bro

I tried opening streams as admin but nothing happened after the confirmation popup. 🤔

@@zmbdog this platform keeps removing my comments, sorry, dude, I'm done here.

@@furzkram That's ok. I can see your previous comment in my notifications still. Thanks

Hm I'm not sure, I assume it is something Notepad just did by default for some reason since a filetype wasn't given.

It's an NTFS/ReFS/UDF attribute, so it wouldn't work in most cases as this information isn't converted/preserved when copying the file into a zip archive, website, non Microsoft file system, etc. If the ARG consists of a program that install stuff on the computer, then sure this could work as the program can modify/add the alternate data stream attributes but if say the ARG had an image that you'd download off the internet, you can't hide additional information in it. You can only store the contents of the file itself and the file name (not even metadata like permissions is possible). Often a lot of programs like file archivers will retrieve & convert attributes like permissions & access timestamps from the FS to store it in its archive format and then convert & apply it on other systems when a file is extracted, like Windows permissions being read and then stored in the zip archive format which when sent to and extracted on a Linux system, the file archiver will set the extracted file's permissions & access timestamps with the data stored in the archive format during extraction. Alternate data streams are not one of these attributes that most programs preserve as they're pretty specific to Windows systems, unlike more universal things like permissions and access timestamps.

@@ecksdee8072 OK Jesus Christ that is way too complicated for me to understand

@@SusuLakuProductions ok

A platform independent alternative is hiding a zip file insize an image file. Note that this will add to the reported file size and depending on how big the zip file is compared to the expected image size from its quality and all, some people may catch the discrepancy and look into it. Participated in an event where they did exactly that. I believe the practice is called Steganography.

@@Vixel4076 yeah, steganography basically is "hiding a message within another message or object" though depending on which angle you look at it, if you look from the file angle, it is steganography, but if you look from the image side some may not consider it steganography because if you screenshot or convert it losslessly, the hidden file disappears. A decent way to hide info is also within docx files, which are basically zip files with some structure, and can be made fairly large if they contain pictures, so a few hundred kb can pass fairly easily. For larger files, a lot of videogames use a compressed file, sometimes encrypted (but since the game needs to open it, it is possible to get the key), so you can hide a couple gigabytes of files in there.

Though this may have its issues, for example, any non-Windows user would be unable to solve the puzzle. He also mentioned that ADSs would vanish when uploaded to the Internet, so that would force said ARGs to have you run a script or program for the data to appear

@@martinus_mars WinRAR has an option to keep them in when compressing and extracting files. So while it might technically require running a program for it to work, it's at least a program that the vast majority of people are going to have.

Nope, because any Browser overwrites the ADS and you cannot even upload ADS. You can kinda embed them in rar/7zip, but pointless imo.

@@Sypaka Not necessarily. Say you were using a game as a front for your ARG. Assuming that it isn't being distributed though Steam, you'd probably distribute it as a compressed file. You can then have the alternate data streams hidden within game files, allowing for the ARG to work. I already have plans for doing this exact thing myself (although, before hearing about alternate data streams, I was planning on distributing the information through the spectrograms of the game's ost). So yeah, not entirely pointless.

@@alexbubble6952 Depends on the game engine, but I have yet to see a game which has a filestructure, which allows files WITH their ADS to be stored within. However, you could make the game in a way to check, if the current folder is writeable, then extract a file from the gamefiles and move it under a gamefile as an ADS. But be aware, you may get flagged as malicious in heuristics. There is also a shit ton more to do on files itself. I made a file, which opens perfectly as JPG, ZIP, RAR, BAT and HTML all with different contents. Hilarious.

Nano is a linux thing, so I suspect you're using linux, which would probably mean you're using ext*, btrfs, xfs or zfs, none of which, to my knowledge, support alternate data streams. What's imo more likely is that the malware replaced nano, or that for some reason nano has an different inode pointing to the safe file, while the ftp and php servers have one pointing to the malicious one, caching may also be an issue. The way linux usually works is that it has inodes, which point to files, and if a file is replaced, it is actually copied to a new space, and when a new call to open the file is made the new pointer will be given, but the old file is still there while there's a program using it, and so if the file isn't reopened completely, you may have a discrepancy between the two.

This week some time

@@ThioJoe LFGGG

I thought I was super clever back in the day making a batch file "pw manager" with this approach. Hell, it would still throw off most people today but certainly not the most secure method on the planet lol.

FlyTech Videos has a video for this

Yea not surprised, he makes lots of good videos about lesser known windows stuff

I came to the same conclusion after doing a bit of googling. Anaheim was indeed the codename for Microsoft Edge, so Anaheim probably marks the file as being downloaded using Microsoft Edge.

They have "forks" instead of streams on apple file system, so theoretically yea

@unsubtract The classic way Unix/Linux hides files is by starting their names with a dot. But use of this convention must be understood by individual programs. There's no way to tag other files to a main file such that all the files get copied or removed with the main file, unless smart versions of, say, cp, rm, and mv were created. One can view this as either a lot of trouble or a wonderful boon. But for a file to carry a hidden burden of "life altering" content could arguably be seen as unfriendly. Being of older school, I want it to be explicit.

​@@SeekingTheLoveThatGodMeans7648 Yeah, dotfiles aren't attributes of a file system, they're just files like any other. Like you said, them being hidden by default just convention done by the ecosystem and is very very easily toggleable. You can copy dotfiles to a Windows system as normal. No such feature that is similar to forks/streams are present on Linux file systems like ext4 and Btrfs. There's just the file content itself, and then the metadata like uid/gid, inode, access/modify times, and the chattr ones which are stored/exposed by the file system. That's it.

@@ecksdee8072 you are forgetting user_xattr which does allow some extra metadata to be stored with the file, though size limited on ext[4|3|2].

Already planning to rewrite some of my proof of concept malware. To take advantage of this.

The alternate data streams would be hidden if they are encrypted. You can take it a step further but that would be telling :)

not only that, you could have a 1 byte file, that will show 4kb as size on disk because the partition is formmatted with that sector size, and it won't have any streams, its just how disks work

​@@marsovac Yes, that is because NTFS does not allow mpre than one file per sector. Some file systems, e. g. Ext4 and Btrfs, theoretically allow inodes which contain more than one file. However, these files must share the same owner, group, creation and modification time.

@@pi_xiok yes, it depends on the filesystem, but probably there are quirks with those that support more than one file per sector as well. Alignment and padding come to mind to alleviate SMR/CMR differences in reading and writing capabiltiies. My point is that even without streams the method of comparing file size with size on disk is already faulty in concept since it has too many assumptions.

@@marsovac It can even be the other way around. Sparse files (often used for VM images) and compressed files (NTFS allows selective compression) take less space on the disk. NTFS junctions (hardlinks) take only one sector, which is usually 4 KB.

Hmm that could explain it, but i didnt use edge to download them 🤔

@@ThioJoe Maybe is something related to the download of files or a presetup for edge related to the data streams. Remember that Microsoft integrate Ie at os level... maybe is still something of that under the hood. Greetings from Mexico...

I’d be interested in knowing where this registry key is.

I suspect you mean desktop.ini-like hidden files and not alternate data streams

Let's take the moment to spot how fake your 'likes hunting' comment is

@@-COBRA Facts

Cope + WSL

except those processes someone with malicious intent has hidden from the process listings which are also holding open unlinked files, those unlinked files still being written but not appearing is directory listings ...

ThioJoe hearted your comment again Once you edit a comment, the ❤️ will disappear so be careful 🙂

@@_SJ oh phew ty

Well. First you have to actually execute the payload from them. But if your AV can't figure out how to read them or deal with them as they're used it's probably not worth using.