Tuesday, March 30, 2010

The Good, The Bad and The Ugly of NTFS Alternate Data Streams

The Good
When NTFS was introduced for the Windows NT platform, one of the features that was added was 'alternate data streams' (ADS). It was added specifically to support the Macintosh concept of file 'forks', so that Mac users could keep a file's 'data fork' and 'resource fork' intact while using an NTFS volume as a network data share.

A file stream is essentially metadata attached to a file that doesn't interfere with the contents of the file. One way to see this data is to look at the 'Summary' tab in a file's properties.

As you can see, the comments field in particular can hold quite a lot of text. Note that not every stream on a file appears in this tab; a file may carry others that are not shown here. Also, the space used by alternate streams is not counted when the file size is calculated, so adding more data to an ADS does not change the size reported by the OS.

Streams are used in other ways as well. The icon for an Internet Explorer URL shortcut file is attached to it as a file stream, and the blocking of downloaded files from execution is handled through an ADS. Microsoft provides a tool that finds files with streams attached to them. You can read about it here: http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx

The Bad and The Ugly
The same mechanism can be used to hide both text and binary files where they are difficult to find. It's even possible, using the command shell, to store an executable (such as Notepad) as an ADS of a pre-existing executable (such as the Calculator application), rename it, and run it! The sample screenshot shows what happens when notepad.exe is added as an ADS called 'runtime.exe' on the calc.exe file and then executed: the Notepad executable is running from the runtime.exe stream attached to calc.exe.

Fortunately, the shenanigans are visible when you look at Task Manager. Also, all of these activities require someone with sufficient permissions, which means your system would already have to be compromised for this to happen.
Also, stream data exists only on NTFS file systems and is not carried along when a file is sent over the network (unless the transfer is to or from an NTFS file share).
Hopefully this sheds some light on the inner workings of the file system and explains some behavior you may have seen.
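As an added example (not from the original post, and not the Sysinternals tool mentioned above), the following PowerShell script lets a defender find non-default streams under a directory with the built-in shell alone, and flags any stream that starts with the 'MZ' executable header, which is how the 'runtime.exe' case above would show up. It assumes Windows PowerShell 3.0 or later on an NTFS volume; the $Root and $Ignore parameters and the Get-SuspiciousStreams function name are my own.

```powershell
# Added example (not from the original post): list NTFS alternate data
# streams under a directory and flag ones that look like PE executables.
# Assumes Windows PowerShell 3.0+ (-Stream support, -Encoding Byte).
param(
    [string]$Root = '.',                      # directory to scan (assumed default)
    [string[]]$Ignore = @('Zone.Identifier')  # benign stream names to skip
)

function Get-SuspiciousStreams {
    param([string]$Path, [string[]]$IgnoreNames)

    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * returns every stream; ':$DATA' is the file's normal contents.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object {
                    $_.Stream -ne ':$DATA' -and ($IgnoreNames -notcontains $_.Stream)
                }
        } |
        ForEach-Object {
            # Read the first two bytes of the stream; Windows executables
            # begin with the DOS header signature 'MZ' (0x4D 0x5A).
            $head = @(Get-Content -LiteralPath $_.FileName -Stream $_.Stream `
                        -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue)
            $isPe = ($head.Count -eq 2 -and $head[0] -eq 0x4D -and $head[1] -eq 0x5A)

            [pscustomobject]@{
                File        = $_.FileName
                Stream      = $_.Stream
                Bytes       = $_.Length   # not counted in the size Explorer shows
                LooksLikePE = $isPe
            }
        }
}

# Report every hidden stream; LooksLikePE = True deserves a closer look.
Get-SuspiciousStreams -Path $Root -IgnoreNames $Ignore | Format-Table -AutoSize
```

Remove-Item with the same -Stream parameter can then delete a stream you have confirmed is unwanted without touching the file's normal contents.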
