RSS Feed

Hiding Data

Created: 01.10.2020

Alternative data stream

Alternate data streams. Specific for Windows. See more here. Are there such streams for other OS? If yes, how to make them and discover them?

To ensure compatability between NTFS and HFS. Allows hiding files.

C:\type C:\mal.exe > C:\readme.txt:naughty.exe
start readme.txt:naughty.exe
C:\mklink innocent.exe readme.txt:naughty.exe

# to run

But dir /r - will display all streams. LNS and Sfind will hunt down such files. Also, when you copy files from and to a FAT partition - all residual files will be deleted.


Specific for Windows. See more here or here.

As an example, see HKEY_USERS/Software/Microsoft/Internet Explorer/Scripts/1. Doesn’t have anything. Add Multistring value, name “Hidden data”, click key and start with random data like 0x111110000 to make it look legitimate, press many spaces to hide it from preview. Add some secret data, ignoring warnings about empty strings. Now, it will be difficult to find this.

💡 Interesting idea for security policies. Everyday automatically run RegShot upon system start and before turning off to see the changes everyday. In case of an incident, there might be very helpful. How costy would that tactics be?


attrib +h

Documents Metadata

Possible for any OS. Examples for Windows might include macros. For Office doc - File -> Info -> Comments. Click file and properties -> Details. Other fields can be used to store information. In case of Office docs, most of the data is not the contents, but formatting and metadata. When adding comments, file’s last accessed and modified dates are updates and the file size is increased.

Tools 🛠:

  • Metadata Assistant. Commercial. Not too expensive. bulb 💡 May be I should write a python tool that does the same?
  • strings.exe + grep - simple string search for known case-specific keywords.


Logs can be disabled, cleared or tamprered. The noisest is to diable them or clear. Although the evidence is deleted this way, this is a very strong indicator that the sysmtem was compromised.

  1. application APPEVENT.EVT
  2. system SYSEVENT.EVT
  3. security SECEVENT.EVT

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog allows to change log location. By default, logs are here: System32\Config.

  • MRU - most recently used
  • cache
  • cookies
  • turnoff Autocomplete
  • clear Toolbar


C:\auditpol \\targetIPaddress /disable delete recent docs.

Bad clusters

Edit $BadClus file to mark a block of sectors to be skipped by file system (NTFS). 🛠 Metasploit can do it.



In case of FAT systems, they read the root directory from top to bottom and stop at the directory starting with 0x0. Anything past that value is not seen by the OS. Sometimes there might be information hidden there. More here.


Service Hijacking and Replacement.

Process Injection.

Filename/Service Hijacking.


WebShells and Beacons.


DLL Injeciton.

A/V Bypass.

Defense Manipulation.

Frequent Compilation.

Binary Padding.


Dormant Malware.

Signing Code with Valid Cert.



“Fileless” Malware.


[1] Hiding data in the registry, M. Suhanov