NTFS File Streams Technobabble	6/4/2006 1:19:34 PM
The Windows NTFS file system has for a long long time included support for what is known as "streams". The idea is to view a file as being a container for 1 or more data streams.  Security information for a file for instance could be stored in stream A and the main file data in stream B.  The interesting thing is that the operating system will directly recognize only data stored in what is known as the default stream.  This default stream is always called $DATA and crud stored in this stream alone is used while accounting for things like file size!  To see streams in action try this out (this will obviously work only if your file system is NTFS): Open a command prompt. Type echo This is in the default stream > ding.txt. Type dir ding.txt. System reports the size as being 32 bytes. Now type echo This is in a hidden stream > ding.txt:bar. Type dir ding.txt. System still reports the size as being 32 bytes. Type more < ding.txt. System prints out This is in the default stream. Now type more < ding.txt:bar. System prints out This is in a hidden stream! As it turns out, you can specify a stream name along with the file name to deal with specific streams inside a file (ding.txt:bar). Further, for all practical purposes, data stored in non-default streams seem to get ignored by the operating system. While that is so, when you do things like copy/move files from one location to another the system does ensure that it copies the supplementary stream also with it. Now if you're a worm/virus writer I can see you rubbing your hands in glee thinking of all the security implications. But given that this capability has been around since 1993, chances are, all the security folks already know about it! There's a nice little article on this topic at the following URL. Go take a look! http://www.osronline.com/article.cfm?article=457

aravind	6/5/2006 9:50:10 PM
hmm.. bherry interesting dude.. this was actually not that techy.
Ranju. V	6/9/2006 10:48:24 PM
Yeah. I was pretty surprised when I read about this. It is pretty amazing that a feature as cool as this is as little known as it is!

Please fill this form and click on the "Submit" button to post a comment. All fields except the comment box are optional. You don't have to give me your name and email, but if you do then that might allow me to follow up with you on your comment. Also, I won't publish your email address here or anywhere else.