As already explained, the most common reason for the size difference is used space vs. allocated space. But it's not the only possible one: NTFS has a feature to add hidden data to files. This possibility was the one exploited by the healthcare industry ransomware in late 2019.
File fork and alternate data stream
"Resource fork" has been used by Apple since 1984 (Macintosh) to store the main content of a program (instructions) and the associated resources (like icons and menus) in the same file. Embedding resources in executable files is a common technique, but doing it with forks isn't.
Apple consistently designed the Macintosh file systems to support file forking, and when Microsoft designed NTFS to replace FAT, forks were also introduced under the name "alternate data stream" (ADS).
In NTFS, a file contains:
- The mandatory unnamed data stream (UDS)
- One or more optional alternate data stream(s) (ADS).
Hidden in plain sight
File forking isn't bad, except that NTFS ADS are not supported by common tools, including Windows Explorer; ADS are de facto a hidden feature, an unexpected gift for hackers. From Wikipedia:
Alternate streams are not listed in Windows Explorer, and their size is not included in the file's size.
While the file size, which reports only the UDS size, isn't changed by the existence of an ADS, the allocated size (clusters allocated to the file by the file system) reports the actual size of the file, all streams included.
Windows Explorer doesn't report ADS, nor does the CMD command dir. However, ADS are visible with:
Note it's still possible to hide ADS from some of these tools by using file system reserved keywords (see Pierce's document linked below).
Comprehensive description of ADS worth reading:
Malware use of ADS
Serious anti-malware tools watch for ADS, but malware still uses ADS at large scale because:
- Some security suites are not even ADS aware, or can't identify malicious uses of ADS.
- It's easy to redirect the execution of a legitimate file to an ADS (e.g. using a shortcut).
BitPaymer
The ransomware BitPaymer enters the computer as a normal and visible file, but when executed it copies itself into a legitimate file as an ADS, then deletes the initial file. As this doesn't change the size of the legitimate file, and ADS are not listed by common tools, the malware is now virtually hidden.
Operation Cobalt Kitty
Also hides itself using ADS.
My point is: if you observe a big file size difference (more than a cluster size: 4KB), don't overlook the possibility of ADS and hidden malware.
Experiment ADS yourself
To safely experiment with ADS, try this at DOS/CMD level...
Create and then display the content of a file in the root of C:
C:\> echo The main data stream> test.txt
C:\> type test.txt
Result:
The main data stream
Now add an ADS with the same method, just specify the ADS name in addition to the file name:
C:\> echo The secret message> test.txt:secret
You have just hidden the secret message in the file. Note that the file size in Explorer has not changed, even though we added bytes in the ADS "secret".
Try to display the ADS content:
C:\> type test.txt:secret
Result:
The filename, directory name, or volume label syntax is incorrect.
CMD type is not able to display the content of the ADS. We will use Notepad instead:
notepad test.txt:secret
In Notepad we can see the content of the ADS:
The secret message
You can also hide a full executable in an ADS of an innocent text file, and run it at any time. Wealth does not harm for hackers :-)
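To turn the experiment above into a check a defender can run, here is an added PowerShell example (not part of the original answer) that recreates the test.txt:secret case in a constructed temp file, then lists every file under a directory that carries a stream other than the default ':$DATA' or the Zone.Identifier mark-of-the-web, flagging streams that start with a PE ('MZ') header. The function names Find-AlternateDataStreams and Test-PEHeader are mine; it assumes an NTFS volume and PowerShell 3.0 or later.

```powershell
# Added example, not from the original answer. Assumes NTFS and PowerShell 3+.

function Test-PEHeader([string] $StreamPath) {
    # .NET opens "file:stream" paths directly; a Windows executable starts with 'MZ'.
    try {
        $fs = [System.IO.File]::OpenRead($StreamPath)
        try { $buf = New-Object byte[] 2; $n = $fs.Read($buf, 0, 2) } finally { $fs.Dispose() }
        return ($n -eq 2 -and $buf[0] -eq 0x4D -and $buf[1] -eq 0x5A)
    } catch { return $false }
}

function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Streams that ordinary files legitimately carry and that should not raise an alert.
        [string[]] $IgnoreStreams = @(':$DATA', 'Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * enumerates all streams; ':$DATA' is the unnamed main stream Explorer measures.
            $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue
            foreach ($s in $streams) {
                if ($IgnoreStreams -contains $s.Stream) { continue }
                [pscustomobject]@{
                    File           = $file.FullName
                    Stream         = $s.Stream
                    StreamBytes    = $s.Length          # hidden bytes, not counted in File.Length
                    ReportedSize   = $file.Length       # what Explorer and dir show
                    LooksLikePE    = Test-PEHeader "$($file.FullName):$($s.Stream)"
                }
            }
        }
}

# Constructed sample: same as the CMD experiment, in a temp file instead of C:\test.txt.
$sample = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $sample -Value 'The main data stream'
Set-Content -LiteralPath $sample -Stream 'secret' -Value 'The secret message'

# Expect one row: Stream 'secret', ReportedSize still the size of the main stream only.
Find-AlternateDataStreams -Path $env:TEMP | Where-Object File -eq $sample | Format-Table -AutoSize

# Read the hidden stream back without Notepad, then clean up.
Get-Content -LiteralPath $sample -Stream 'secret'
Remove-Item -LiteralPath $sample
```

Running Find-AlternateDataStreams over a user profile or a web root is a cheap first pass when the size discrepancy described above can't be explained by cluster slack alone.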