Frank Heyne has written a small FAQ on Alternate Data Streams in NTFS. David LeBlanc published
Detecting Alternate Data Streams. Mark Russinovich at
www.sysinternals.com has released a freeware utility, Streams, which displays NTFS files that have
alternate stream content. It is useful to Windows NT admins. Crucial Security has released a similar
freeware tool, CrucialADS.
The NTFS file system provides applications the
ability to create alternate data streams of information. By default, all data is
stored in a file’s main unnamed data stream, but by using the syntax
“file:stream”, you are able to read and write to alternates. Not all
applications are written to access alternate streams, but you can demonstrate
streams very simply. First, change to a directory on an NTFS drive from within a
command prompt. Next, type “echo hello > test:stream”. You’ve just created a
stream named ‘stream’ that is associated with the file ‘test’. Note that when
you look at the size of test it is reported as 0, and the file looks empty when
opened in any text editor. To see your stream enter “more < test:stream” (the
type command doesn’t accept stream syntax so you have to use more). NT does not
come with any tools that let you see which NTFS files have streams associated
with them, so I’ve written one myself. Streams will examine the files you
specify and inform you of the name and sizes of any named streams it encounters
within those files. Streams makes use of an undocumented native function for
retrieving file stream information. Full source code is included.
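Current Windows versions can list named streams without a third-party tool. The following PowerShell function is an added example, not code from the original page or from the Streams utility; it assumes PowerShell 3.0 or later on an NTFS volume, and the function name Find-NamedStream, its ExpectedStream parameter and the path in the usage comment are hypothetical.

```powershell
# Added example: report every named (alternate) data stream under a directory.
# Find-NamedStream is a hypothetical name; requires PowerShell 3.0+ and NTFS.
function Find-NamedStream {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path,
        # Streams expected on ordinary systems; Zone.Identifier is the
        # mark-of-the-web that Windows attaches to downloaded files.
        [string[]]$ExpectedStream = @('Zone.Identifier')
    )

    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns one object per stream; the unnamed main
            # stream is reported as ':$DATA' and is skipped here.
            Get-Item -LiteralPath $file.FullName -Stream * -Force -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File       = $file.FullName
                        FileSize   = $file.Length   # size of the main stream only
                        Stream     = $_.Stream
                        StreamSize = $_.Length      # bytes held in the named stream
                        Expected   = $ExpectedStream -contains $_.Stream
                    }
                }
        }
}

# Usage (constructed path): list only streams that are not on the expected list.
# Find-NamedStream -Path 'C:\Temp' | Where-Object { -not $_.Expected } | Format-Table -AutoSize
```

A row with FileSize 0 and a non-zero StreamSize is the case described above, where the file looks empty but carries data in a named stream.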
You can download ads_cat from Packet
Storm. ads_cat is a utility for writing to NTFS’s Alternate File Streams and
includes ads_extract, ads_cp, and ads_rm, utilities to read, copy, and remove
data from NTFS alternate file streams.
Streams technology was used to create a new type of virus. See Malicious
code exploits unique Win2K function.
David LeBlanc has written a tutorial on Detecting Alternate Data Streams.
Carvdawg’s
Perl Page has scripts Astream.pl and ads.pl. Astream.pl is a Perl script
that demonstrates how an NTFS alternate data stream (ADS) can be created
programmatically. Ads.pl is a script that detects ADSs. Ads.pl is based on Dave
Roth’s streams.pl script from his latest book, with some modifications added to
include checking the directory listing. Thanks go to Frank Heyne for pointing
out how to check the directory listing for ADSs.
NTFS Tips:
Managing Shared Resources and Resource Security
Choosing Between FAT and NTFS
Web versus NTFS Permissions
NTFS Security, Part 2: Implementing NTFS Special Permissions on Your Web Site
Getting the Most from IIS Security
NTFS Permissions
Cancel an NTFS conversion
NT equivalents of NetWare Rights
Access NTFS from DOS, Win95 or Win98 using NTFSDOS driver
NTFS Last Access TimeStamp
xcopy – keep attributes
How To Remove Files with Reserved Names such as LPT1 or PRN
NTFS Metadata files
Disable NTs 8.3 aliases for LFNs under NTFS
Streams displays which NTFS files have alternate streams content
VolumeID changes NT and FAT volume IDs
Create a NTFS partition over 4GB during installation
Windows NT NTFS Directory Compression