Reading and Writing NTFS Streams

by Jan 27, 2014

When a file is stored on a drive with NTFS file system, you can attach data streams to it to store hidden information.

Here is a sample that hides PowerShell code in an NTFS stream of a script. When you run this code, it creates a new PowerShell script file on your desktop, and opens the file in the ISE editor:

$path = "$home\Desktop\secret.ps1"

$secretCode = {
  Write-Host -ForegroundColor Red 'This is a miracle!'

Set-Content -Path $path -Value '(Invoke-Expression ''[ScriptBlock]::Create((Get-Content ($MyInvocation.MyCommand.Definition) -Stream SecretStream))'').Invoke()'
Set-Content -Path $path -Stream SecretStream -Value $secretCode
ise $path  

The new file will expose code like this:
(Invoke-Expression '[ScriptBlock]::Create((Get-Content ($MyInvocation.MyCommand.Definition) -Stream SecretStream))').Invoke()

When you run the script file, it will output a red text and beeps for a second. So the newly created script actually executes the code embedded into the secret NTFS stream "SecretStream".

To attach hidden information to (any) file stored on an NTFS volume, use Add-Content or Set-Content with the -Stream parameter.

To read hidden information from a stream, use Get-Content and again specify the -Stream parameter with the name of the stream used to store the data.

Twitter This Tip! ReTweet this Tip!