Task 1: Hiding Files Using NTFS Streams

1. Start Windows 7 VM.

2. Create a folder called YourName on the c:\ drive

3. From the start menu, Open command prompt and navigate to c:\YourName by typing the following command in the command prompt:

cd c:\YourName

4. Type the below command in the command prompt and press enter

notepad readme.txt

5. readme.txt appears in Notepad (click the Yes button if prompted to create a new readme.txt file)

6. Type Hello World!

7. Save and close the file

8. Note down the file size of the readme.txt by typing dir in the command prompt.

- File size: _________

9. Now hide calc.exe inside the readme.txt by typing the following command in the command prompt:

type C:\Windows\System32\calc.exe>readme.txt:calc.exe

10. Type dir in command prompt and note down the file size of readme.txt.

- Did the size of readme.txt change?

11. Type dir /r in command prompt and note the file size of readme.txt again

- What are the results of this command?

- Provide a screenshot.

12. Download Stream Detector from https://www.novirusthanks.org/products/stream-detector/ and install it. Use it to extract the hidden file.

13. Start Stream Detector and click on Browse.

14. Select C:/YourName and click Ok then click on Scan button. Note the results under Stream Name, Content Type, and Size.

- Provide a screenshot of your results.

15. Right click on the Stream name then click on Extract Stream from the drop-down menu. This will save the stream onto Stream Detector\Extracts folder.

16. Close the Stream Detector.

- What is NTFS? Explain what does it stand for?

- What is ADS ? Explain what does it stand for?

- Discuss how ADS can be used maliciously?

- Discuss another alternative parameter/method for hiding files.

17. Now, hide a text file (secret.txt write inside it this is my first evil file) inside another text file (readme1.txt). Provide all steps in details then extract the hidden screen and provide a screenshot for the extracted hidden stream.