Learning About Computers and the Internet
NTFS files and directories can contain separate, independent units of data called "streams" or "forks". These alternate data streams are hidden to most operations. Their properties and management are discussed.
A somewhat obscure feature of files stored on NTFS-formatted media is the capability for a file to contain separate and independent collections of information. These units of data have been given the name "streams" since they are sequences of bytes. All files have one default unit of data or "stream", which is the part that we usually mean by "the" file. It is also the part that the Windows system associates with the file name. In addition, however, a file may contain other, alternate data streams. Alternate data streams (ADS) are not generally known outside of technical circles and are hidden from many of the usual ways that files are listed. They are not listed in Windows Explorer, their size isn't added to the listed file sizes, and they are not listed by a normal "dir" command. In many respects they are invisible. Yet an alternate stream can contain a variety of information. It may be information about the file (metadata), security settings, or even another file.
Managing alternate data streams
An alternate data stream is named with the notation:
Finding alternate data streams
Since ADS are not listed in the usual places, how can we find them? The easiest way is to download one of the utilities that are available for listing ADS. I have tried two. Both "Streams" from Microsoft Sysinternals and "LADS" from Frank Heyne work fine. Given a file or folder to search, each utility displays a list of any streams that it finds. Operations with ADS are generally carried out in the command prompt, and each utility is simply a file that is used in the command line. Place the file anywhere convenient. However, a folder that is in the path environment usually makes things easier. A command using the program "Streams" might read:
In Vista, a switch /R has been added to the directory command that allows the listing of alternate streams. To list streams, use the command
Viewing or accessing alternate data streams
If you know the name of a stream, some Windows applications can view or even run a stream. If the stream consists of text, you can enter into the command line:
A stream can also have binary content or even be an executable file. For example, the stream might be a picture. The accessory Paint can open an image stream thus:
Note that the same file that has a text stream could also have a binary stream (or several).
Even an executable file can be a stream on a text file. An innocent-looking 1 KB text file can actually contain a hidden (and large) executable file. If an executable stream is present, it can be run by the command:
Creating alternate data streams
It is very easy to add an alternate data stream to an existing file. Again we make use of the command line. To create a new stream containing some text, enter the command:
Adding an entire file, including binary files, as a stream is done by the command:
Alternate data streams can also be attached to a directory with similar commands.
Since an executable file can be hidden inside an otherwise harmless file, a malicious file could be hidden by this method. Fortunately, major anti-virus programs can recognize alternate streams. Also, a hidden file in a stream is removed when the containing file is copied to a non-NTFS medium, like most thumb drives, or emailed as an attachment. Further, a file in a stream will not survive the usual download methods. The utility "Streams" discussed above has a switch for deleting ADS.
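As an added example (not from the original page), here is a short Python parser for the output of the "dir /R" listing mentioned earlier. It picks out alternate streams and totals the bytes that the normal file size does not count. The sample listing is constructed, and the column layout assumed is that of an English-locale command prompt.

```python
import re

# Constructed sample of `dir /R` output (not captured from a real system).
SAMPLE_DIR_R = r"""
 Directory of C:\demo

01/05/2016  10:12 AM    <DIR>          .
01/05/2016  10:12 AM    <DIR>          ..
01/05/2016  10:12 AM             1,024 notes.txt
                               482,304 notes.txt:tool.exe:$DATA
                                    37 notes.txt:memo:$DATA
01/05/2016  10:15 AM            20,480 report.doc
               2 File(s)         21,504 bytes
"""

# Stream lines carry no date or time: only a size and name:stream:$DATA.
STREAM_LINE = re.compile(r"^\s+([\d,.]+)\s+(.+?):([^:]+):\$DATA\s*$")
# File lines start with the date; the size shown is the default stream only.
FILE_LINE = re.compile(r"^\d\S*\s+\S+(?:\s+[AP]M)?\s+([\d,.]+)\s+(.+?)\s*$")

def to_int(text):
    """Drop thousands separators from a size column."""
    return int(re.sub(r"\D", "", text))

def find_streams(listing):
    """Map each name to its visible size and its alternate streams."""
    files = {}
    for line in listing.splitlines():
        stream = STREAM_LINE.match(line)
        plain = FILE_LINE.match(line)
        if stream:
            size, name, label = stream.groups()
            entry = files.setdefault(name, {"visible": None, "streams": {}})
            entry["streams"][label] = to_int(size)
        elif plain:
            size, name = plain.groups()
            entry = files.setdefault(name, {"visible": None, "streams": {}})
            entry["visible"] = to_int(size)
    return files

def report(files):
    """Return (name, visible bytes, hidden bytes, stream names), largest first."""
    rows = [(n, f["visible"], sum(f["streams"].values()), sorted(f["streams"]))
            for n, f in files.items() if f["streams"]]
    return sorted(rows, key=lambda row: row[2], reverse=True)

if __name__ == "__main__":
    for row in report(find_streams(SAMPLE_DIR_R)):
        print(row)
```

On the constructed listing, the 1 KB notes.txt is reported with 482,341 hidden bytes, none of which appear in the "File(s)" total.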
Additional information
More information about alternate data streams can be found at these references:
©2002-2016 Victor Laurie