NTFS File Streams

The Windows NTFS file system has for a long time supported what are known as "streams". The idea is to treat a file as a container for one or more data streams: security information for a file, for instance, could be stored in stream A and the main file data in stream B. The interesting thing is that the operating system directly recognizes only the data stored in what is known as the default stream. This default stream is always called $DATA, and only the data stored in it is counted for things like file size! To see streams in action, try this out (it will obviously work only if your file system is NTFS):

  • Open a command prompt.
  • Type echo This is in the default stream > ding.txt.
  • Type dir ding.txt. The system reports the size as 32 bytes.
  • Now type echo This is in a hidden stream > ding.txt:bar.
  • Type dir ding.txt. The system still reports the size as 32 bytes.
  • Type more < ding.txt. The system prints out This is in the default stream.
  • Now type more < ding.txt:bar. The system prints out This is in a hidden stream!
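The same walkthrough in PowerShell, as an added example that is not part of the original post. It reproduces the steps above with the -Stream parameter, then takes the defender's view: listing every stream on the file and sweeping a folder tree for files that carry anything beyond the default $DATA stream. It assumes Windows PowerShell 5.1 or later on an NTFS volume; the scratch folder under $env:TEMP and the Find-AlternateStreams function are constructed for this example, and 'bar' is the stream name used in the post.

```powershell
# Added example, not code from the original post.
# Assumes Windows PowerShell 5.1+ on an NTFS volume.
$Root = Join-Path $env:TEMP 'ads-demo'          # constructed scratch location
New-Item -ItemType Directory -Path $Root -Force | Out-Null
$File = Join-Path $Root 'ding.txt'

# Steps 1-2: write the default stream and note the size dir would report.
Set-Content -Path $File -Value 'This is in the default stream'
"Default stream only : $((Get-Item $File).Length) bytes"

# Steps 3-4: write an alternate stream; the reported size does not change.
Set-Content -Path $File -Stream 'bar' -Value 'This is in a hidden stream'
"With ADS 'bar'      : $((Get-Item $File).Length) bytes (unchanged)"

# Steps 5-6: read each stream explicitly.
Get-Content -Path $File                 # default ($DATA) stream
Get-Content -Path $File -Stream 'bar'   # the hidden stream

# Defender view: every stream on the file, including the default ':$DATA'.
Get-Item -Path $File -Stream * | Select-Object FileName, Stream, Length

# Sweep a tree for files that carry any non-default stream. This is what you
# would run when reviewing a share for data that a plain dir will not show.
function Find-AlternateStreams {
    param([Parameter(Mandatory)][string]$Path)   # constructed helper
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }
        } |
        Select-Object FileName, Stream, Length
}
Find-AlternateStreams -Path $Root

# A stream can be removed on its own without touching the main file data.
Remove-Item -Path $File -Stream 'bar'
"After Remove-Item -Stream: $((Get-Item $File -Stream *).Count) stream(s) remain"
```

Two points worth keeping in mind when reading the sweep output. First, an alternate stream is not suspicious by itself: Windows writes a Zone.Identifier stream onto downloaded files to record where they came from, so a share full of downloads will light up the listing. Second, the built-in cmd.exe shell can show streams too: dir /R lists them alongside the normal entries, so the "hidden" data is only hidden from a plain dir, not from anyone who knows to ask.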

As it turns out, you can append a stream name to the file name to address a specific stream inside the file (ding.txt:bar). Further, for all practical purposes, data stored in non-default streams is ignored by the operating system. Even so, when you copy or move a file from one location to another, the system does make sure the supplementary streams travel with it. Now if you're a worm/virus writer I can see you rubbing your hands in glee thinking of all the security implications. But given that this capability has been around since 1993, chances are all the security folks already know about it!

There's a nice little article on this topic at the following URL. Go take a look!

http://www.osronline.com/article.cfm?article=457
