
What to do when deleted doesn't mean gone

Sometimes with NTFS, even deletion tools don't delete everything.

In the NTFS file system, a facility exists to bind additional data to a file or directory, called an alternate data stream. These alternate data streams cannot be removed unless the parent file or directory is destroyed. Unfortunately, most file-wiping utilities only deal with the primary data stream and do not wipe the alternate data streams, thus leaving data intact.

If data is stored in an alternate data stream attached to a file (such as the thumbnail of an image) or directory, then when this file or directory is wiped, the information contained within the alternate data stream will be left intact on the hard drive. No warning is given to the user at all by Windows or the wiping programs. For example, if you use Windows file explorer (the default file browser in Windows) and have thumbnails of pictures enabled (the default setting), then the thumbnail of the image, once created (i.e. once the directory is viewed in Explorer), will not be deleted until you delete the file and wipe all free space. Alternate data streams also provide an ideal location to keep attack tools, snippets of virus code and so forth. In fact, some virus scanners do not scan alternate data streams unless specifically configured to do so (often labeled as "scan all files" or similar).

The good news is that floppy disks and most other removable media are not formatted as NTFS, thus it is unlikely that copied files will contain the alternate data streams. Also, not all compression programs copy the alternate data streams: WinZip does not, while others such as WinRAR do. While it is unlikely that files with alternate data streams will have made it to other systems with their alternate data streams intact, it is possible, and any systems that have had sensitive data copied or moved to them should immediately have their free space wiped in order to ensure that no alternate data streams containing sensitive information are still present.

To test this, create a file with an alternate data stream:

echo "this is a text file" > C:file.txt
echo "this is the alternate data stream lkajhkl2" > C:file.txt:alternate-data-stream

If you use forensics software to examine the hard drive, you will find the string of text "this is the alternate data stream lkajhkl2" present on the drive.

Now, using the file wiper of your choice (BCWipe, etc.), choose the file C:file.txt and wipe it. Use as many passes as you want.

Now examine the drive for the string "this is the alternate data stream lkajhkl2". You should be able to find it. To do this using Linux, simply create an image file of the drive and examine it using grep or strings:

dd if=/dev/hdb1 of=windows-disk.img
grep "this is the alternate data stream lkajhkl2" windows-disk.img
strings windows-disk.img > windows-disk.strings
grep "this is the alternate data stream lkajhkl2" windows-disk.strings

As you will quickly discover, the data is easily found.
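The search above, as an added example that is not part of the original article: a Python scan of the image that reports the byte offset of every copy of the test string, both as ASCII and as UTF-16LE, an encoding some Windows tools use for text and one that a plain grep for the ASCII string misses. The names find_marker and sample_image and the small in-memory image are constructed for illustration; pass the path of a real image such as windows-disk.img as the first argument to scan it instead.

```python
import io
import sys

MARKER = "this is the alternate data stream lkajhkl2"

def find_marker(stream, marker=MARKER, chunk_size=1 << 20):
    """Return sorted (byte_offset, encoding) hits for marker in a raw image."""
    needles = {"ascii": marker.encode("ascii"),
               "utf-16le": marker.encode("utf-16-le")}
    # Carry enough bytes between reads that a hit split across two chunks is seen.
    overlap = max(len(n) for n in needles.values()) - 1
    hits, tail, base = set(), b"", 0      # base = image offset of buf[0]
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        buf = tail + chunk
        for name, needle in needles.items():
            pos = buf.find(needle)
            while pos != -1:
                hits.add((base + pos, name))   # set() drops re-finds in the overlap
                pos = buf.find(needle, pos + 1)
        keep = min(overlap, len(buf))
        base += len(buf) - keep
        tail = buf[-keep:]
    return sorted(hits)

def sample_image():
    """Constructed stand-in for a disk image: one ASCII and one UTF-16LE copy."""
    return (b"\x00" * 100 + MARKER.encode("ascii") + b"\xff" * 4000
            + MARKER.encode("utf-16-le") + b"\x00" * 50)

if __name__ == "__main__":
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(sample_image())
    for offset, enc in find_marker(src):
        print(f"offset {offset:#x} (sector {offset // 512}): {enc}")
```

Run it once before wiping and once after: offsets that survive the wipe are where the stream data still sits on the disk.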

Alternate data streams are only available on NTFS file systems, making home users with older systems (Windows95, Windows98, WindowsME) immune to this problem, but newer systems based on WindowsXP are capable of using NTFS, thus potentially exposing customers to risk. NTFS is also available on most corporate systems such as WindowsNT, Windows2000 and WindowsXP.

Another "feature" of alternate data streams is that they cannot be deleted. If you have an alternate data stream attached to a file, you cannot delete it. You can write other data to the stream; however, you cannot reliably delete it. To overwrite an alternate data stream, simply place more data into it, for example:

echo "this will overwrite existing data in the stream" > C:file.txt:alternate-data-stream
type notepad.exe > C:file.txt:alternate-data-stream

Several workarounds exist, and several vendors are in the process of updating software so as to fix the problem.

The first workaround is to avoid using alternate data streams to store sensitive information. To check for alternate data streams, several free tools exist, one of the best of which is LADS from Frank Heyne Software. Simply download and unpack it, then run it from your root drives (e.g. C:, D:). It should find and report any and all alternate data streams present. Because alternate data streams cannot be deleted, tools to detect them are quite effective. Once found, you should securely delete the files and proceed to the next workaround, wiping free space, in order to ensure the alternate data streams are deleted.
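How a check for alternate data streams can work offline, on a raw NTFS file record rather than on the live system (an added example, not LADS and not code from the original article): NTFS keeps one $DATA attribute (type 0x80) per stream in the file's record, and any $DATA attribute that carries a name is an alternate data stream. The function names and the sample record are constructed for illustration, and the parser assumes update-sequence fixups do not overlap the bytes it reads.

```python
import struct

DATA, END = 0x80, 0xFFFFFFFF      # $DATA attribute type, end-of-attributes marker

def named_data_streams(record):
    """List (name, resident_content_or_None) for each named $DATA attribute
    in one NTFS file record. Assumption: fixups (last two bytes of each
    512-byte sector) do not overlap the bytes read here."""
    if record[:4] != b"FILE":
        return []
    off = struct.unpack_from("<H", record, 0x14)[0]     # offset of first attribute
    streams = []
    while off + 24 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END or alen < 24 or off + alen > len(record):
            break
        nonres, nlen, noff = struct.unpack_from("<BBH", record, off + 8)
        if atype == DATA and nlen:                      # named => alternate stream
            raw = record[off + noff: off + noff + 2 * nlen]
            content = None                              # non-resident: data is in clusters
            if not nonres:
                clen, coff = struct.unpack_from("<IH", record, off + 16)
                content = record[off + coff: off + coff + clen]
            streams.append((raw.decode("utf-16-le", "replace"), content))
        off += alen
    return streams

def _resident_attr(atype, name, content):
    """Build a resident attribute with a 24-byte header (constructed test data)."""
    n = name.encode("utf-16-le")
    coff = (24 + len(n) + 7) & ~7
    alen = (coff + len(content) + 7) & ~7
    hdr = struct.pack("<IIBBHHHIHH", atype, alen, 0, len(name), 24, 0, 0,
                      len(content), coff, 0)
    return (hdr + n).ljust(coff, b"\0") + content.ljust(alen - coff, b"\0")

def sample_record():
    """Constructed 1024-byte record: the unnamed stream plus one alternate stream."""
    hdr = bytearray(0x38)
    hdr[:4] = b"FILE"
    struct.pack_into("<H", hdr, 0x14, 0x38)
    attrs = (_resident_attr(DATA, "", b"this is a text file")
             + _resident_attr(DATA, "alternate-data-stream",
                              b"this is the alternate data stream lkajhkl2")
             + struct.pack("<I", END))
    return (bytes(hdr) + attrs).ljust(1024, b"\0")

if __name__ == "__main__":
    for name, content in named_data_streams(sample_record()):
        print(name, content)
```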

The second workaround is to immediately use the "wipe free space" feature present in most secure file deletion utilities. Since the parent file or directory that the alternate data streams were attached to has been deleted, the data in the alternate data streams is now in "free space" on the hard drive, so using "wipe free space" will overwrite it. The downside of this workaround, of course, is that wiping all the free space on a hard disk can take quite some time, especially on a modern disk that may have several tens of gigabytes of free space to wipe. One note on this: wiping free space may not be possible or effective on network shares using NTFS, so it is recommended to encrypt truly sensitive data on NTFS network file systems.

A third workaround is to encrypt sensitive data. Windows 2000 offers an encrypted file system, or you can use programs such as PGP's PGPDisk or Jetico's BestCrypt. It is recommended to use encrypted disk partitions rather than encrypting single files. Encrypted disk partitions are much easier to work with: type in a password and you have access, and when you are done you do not need to worry about encrypting the file, as the data is kept in an encrypted state on the hard drive. Additionally, temporary files stored in the same directory (such as opened Word files) will also be kept in an encrypted state, reducing the need for you to wipe free space.

About the author
Kurt Seifried is an Information Security Analyst with interests ranging from Microsoft and UNIX systems to network protocols and encryption (to name but a few). He has written a large number of articles (available online) and maintains many resources on his Website. He was formerly the senior analyst and main writer for SecurityPortal. Visit his site at

This was last published in October 2002
