Streamarmor is an easy to use software program for the Windows operating system that can scan the contents of a hard drive for alternate data streams.

Streamarmor will automatically scan all files for alternate data streams and report its findings in the program’s interface. Each stream is rated as dangerous, suspicious or needs analysis which makes it easier for the user to identify potentially dangerous streams.

A snapshot of the data stream as well as additional information are displayed in the interface as well. Streamarmor uses the three online services Virus Total, Threat Expert and Malware Hash that can be used to scan streams that have been found by the program. The user needs to select one of the discovered streams and the check online button to do that. Only Virus Total is selected by default, the other two services have to be activated in the options.

The alternate data streams can also be viewed completely or saved to a file on the local system. An export option can furthermore save the report of the discovered streams as a html file.

Streamarmor is an excellent software to scan a computer system for alternate data streams. The integration of online threat scanners makes the program easy to work with. The tool is available for 32-bit and 64-bit editions of the Windows operating system.

The program divides the information into four panes and a header area that provides access to a quick partition browser and program help. The other panes are displaying the directory structure, the files and folders in the currently active directory including the amount of streams of each file and folder, detailed information about each stream and a hex viewer that is displaying the contents of each stream.

The default stream is the one that gets executed when the user (double-)clicks on the file. The main advantage of Stream Explorer is that it displays all information in one window.

Basically anything can be added to an existing file (and directory) which brings up an interesting method of hiding important data on the system. Say you want to keep your passwords on the computer but do not want to use a text document to have them in the open. Using Alternate Data Streams to hide them from prying eyes could be a relative secure method of storing the password list on the computer.

They are detectable if the right software is being used. Windows Vista users can also use the dir *.txt /R which is further explained at Bart De Smet’s on-line blog.

To add textual information to any file in Windows you could use the command notepad filename:name for example notepad image.jpg:secret. This would open up Notepad and a blank text file at the first run. Any text that is added and saved during that session will the shown if the user opens the text document with the same command at a later time.

Executable files or other binary files can be added with the type command like this: type c:\text.exe > hello.txt:text.exe which can be executed with the start command start .\hello.txt:text.exe.

Creating NTFS Alternate Data Streams is not complicated at all. You can use the “type” command to do that. To fork the file virus.exe into calc.exe you would use the command type virus.exe > calc.exe:virus:exe if they are in the same directory. Add the path if they are not. The size of the calculator does not change, the only indicator is that the file changed stamp is altered.

But executing those files must be harder, right ? Wrong again. To execute virus.exe you use the command “start”, in our example it would be start calc.exe:virus:exe.

A software like Stream Explorer can find those NTFS Alternate Data Streams on your hard drive. An alternative is List Alternate Data Streams