What do I have to be cautious about if I use Alternate Data Streams?

Figure 1 shows quickly how hidden streams can be attached to your main file. When AlternateStreamView's Explorer context-menu option is turned on, an 'AlternateStreamView' item is added to the context menu of Windows Explorer, which lets you check the alternate streams of a single file.


Yes, I am talking about alternate data streams (ADS). The closest Macintosh analogue is the resource fork, which is used to store application metadata (icons, sounds, fonts, etc.).

Let me remind you: I don't recommend, or even suggest, removing them. On the Macintosh file system both forks (data and resource) are linked to one file name, just as an NTFS file's main and alternate streams are.

STREAMS.EXE lists a file's alternate streams but can't display what is actually in one. What happens if I copy or cut the host file to another NTFS path? ReFS is a reminder that not every Microsoft file system treats streams the same way: the first ReFS release had no ADS support at all, and later versions only allow small ones (128 KB in Windows Server 2012 R2). As such, there will be some scenarios where NTFS is a better fit and some where ReFS is the logical choice.

They are all hidden: Windows Explorer offers no way to show them. Since Windows Vista, `dir /r` at the command line lists them, and on older versions Sysinternals STREAMS.EXE does the same. Is it possible to have another stream inside an existing stream? No: stream names are flat (file:stream) and may not contain a colon, so streams cannot nest. Until then, it's best to use an NTFS-to-NTFS restore.
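An added example (not from the original article) of what the hidden-stream problem looks like from PowerShell. It writes a scratch file with an alternate stream under $env:TEMP (assumed to be on an NTFS volume), shows that the file size and a plain directory listing ignore the stream, lists and reads it with the -Stream parameter and with dir /r, and ends with a small scanner, Find-AlternateStreams (a name chosen here, not a built-in cmdlet), that walks a directory for files carrying streams other than the main data and the Zone.Identifier download marker.

```powershell
# Added example; assumes $env:TEMP is on NTFS and Windows PowerShell 3+ or PowerShell 7.
$hostFile = Join-Path $env:TEMP 'ads-demo.txt'

# The main data goes into the unnamed stream (reported as ':$DATA'); the second call
# creates an alternate stream named 'hidden.txt' attached to the same file name.
Set-Content -Path $hostFile -Value 'visible text'
Set-Content -Path $hostFile -Stream 'hidden.txt' -Value 'data hidden in an ADS'

# Explorer and the Length property only account for the main stream; the ADS bytes do not show here.
(Get-Item -Path $hostFile).Length

# Enumerate every stream of the file (the main one shows up as ':$DATA').
Get-Item -Path $hostFile -Stream * | Select-Object Stream, Length

# cmd.exe equivalent on Vista and later: dir /r prints each stream as "ads-demo.txt:hidden.txt:$DATA".
cmd /c "dir /r `"$hostFile`""

# Read the alternate stream by name, and the classic cmd.exe trick that does the same.
Get-Content -Path $hostFile -Stream 'hidden.txt'
cmd /c "more < `"${hostFile}:hidden.txt`""

# Streams are flat: a stream name may not contain ':', so a stream cannot hold another stream.
# Remove just the alternate stream; the host file and its main data stay in place.
Remove-Item -Path $hostFile -Stream 'hidden.txt'

function Find-AlternateStreams {
    # Walk $Root and report every file that carries a stream other than the main data
    # and the names listed in $Ignore (Zone.Identifier is the benign download marker).
    param(
        [Parameter(Mandatory)][string]$Root,
        [string[]]$Ignore = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Root -Recurse -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $Ignore -notcontains $_.Stream } |
                Select-Object FileName, Stream, Length
        }
}

# Example: list unexpected streams under the user profile.
Find-AlternateStreams -Root $env:USERPROFILE
```

The scanner is noisy on purpose: some legitimate software (favorites with favicons, Office summary metadata) uses streams too, so treat its output as a triage list and read each stream with Get-Content -Stream before deciding it is suspicious.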

http://blogs.technet.com/b/askcore/archive/2010/08/25/ntfs-file-attributes.aspx You might want to review that blog before continuing. This is the cool thing about ADS: since it is part of the file, it moves with the file.

Copying to NTFS: Windows Explorer and the copy command-line utility copy all streams. The big deal is that since an ADS isn't easily visible, it has become a convenient way to hide data.

To delete this marker (the alternate stream named Zone.Identifier that Windows attaches to downloaded files) manually, you only need to click Unblock in the file's Properties dialog.
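An added example, not from the original article, of the download marker just described: it writes the Zone.Identifier stream that a browser attaches to a saved file (the scratch file lives under $env:TEMP, assumed to be NTFS), reads it back, and then removes it with Unblock-File, which is the scriptable equivalent of the Unblock button.

```powershell
# Added example; assumes $env:TEMP is on NTFS.
$dl = Join-Path $env:TEMP 'downloaded.ps1'
Set-Content -Path $dl -Value 'Write-Host "hello"'

# The marker is an alternate stream named Zone.Identifier; ZoneId=3 means "Internet".
# Real browsers may add ReferrerUrl and HostUrl lines, which is why forensic tools read this stream
# to recover where a file came from.
Set-Content -Path $dl -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

# Inspect the marker: this is what Explorer, SmartScreen and the RemoteSigned execution policy
# consult to decide that the file was downloaded.
Get-Content -Path $dl -Stream 'Zone.Identifier'

# The scriptable equivalent of clicking Unblock: it deletes the Zone.Identifier stream.
Unblock-File -Path $dl

# Verify: only the main data stream (':$DATA') should remain.
Get-Item -Path $dl -Stream * | Select-Object Stream

# Removing the stream by hand has the same effect, which is why the marker is a speed bump
# for users rather than a control against malware:
# Remove-Item -Path $dl -Stream 'Zone.Identifier'
```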

Derek Bem and E.Z.

If I save a file to a USB flash drive (which is normally formatted as FAT32), will I lose the stream content? Yes: FAT32 has no concept of alternate streams, so only the main data stream is written. Windows Explorer warns that the file will be copied without its properties; the copy command-line utility drops the streams silently. The use of Alternate Data Streams is not a feature that can be disabled and currently there is no way to limit this capability against files that the user already has In addition to the legitimate usage of alternate streams, this technique may also be used by viruses, trojans and spyware to save data and hide it from the user.

One legitimate example: when a Web site is saved as a .url shortcut (a browser favorite), and the site also has an icon (favicon), the icon is saved as an alternate stream of the same .url file.

The main (unnamed) data stream is the part of the file we normally put data into.

Figure 6: ADS handling by Class 2 backup software. Class 3: ADS-aware software which can be seen as an unfinished implementation of Class 4; it does not warrant closer investigation.

And now that I know the name of the ADS, I can use the Get-Content cmdlet with its -Stream parameter to query its contents. Can you restore that?

Whatever backup application you are running, my advice is to check whether your ADS are intact or not.
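The "are my ADS intact" check above, and the FAT32 question earlier on the page, as an added example that is not part of the original article. It hashes every stream of a source file and of its copy or restored backup and reports, per stream, whether it is intact, modified or missing. The function names (Read-StreamBytes, Get-StreamHashes, Compare-FileStreams) are chosen here; the demo files live under $env:TEMP, assumed to be NTFS. Streams are read through Get-Content rather than by opening "file:stream" paths, because .NET path handling of the colon syntax differs between Windows PowerShell and PowerShell 7.

```powershell
# Added example; assumes $env:TEMP is on NTFS. Function names are chosen for this example.

function Read-StreamBytes {
    # Read one named alternate stream as raw bytes; the byte-read switch differs between
    # Windows PowerShell (-Encoding Byte) and PowerShell 7 (-AsByteStream).
    param([string]$Path, [string]$Stream)
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -AsByteStream -Raw
    } else {
        $bytes = Get-Content -LiteralPath $Path -Stream $Stream -Encoding Byte -Raw
    }
    if ($null -eq $bytes) { $bytes = [byte[]]@() }   # empty stream
    return ,[byte[]]$bytes                            # keep the array in one piece
}

function Get-StreamHashes {
    # Returns a hashtable: stream name -> SHA-256 of that stream's contents.
    param([Parameter(Mandatory)][string]$Path)
    $result = @{}
    $streams = @(Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue)
    if ($streams.Count -eq 0) {
        # Non-NTFS volume (e.g. a FAT32 stick): nothing to enumerate, only the main data exists.
        $result[':$DATA'] = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        return $result
    }
    foreach ($s in $streams) {
        if ($s.Stream -eq ':$DATA') {
            $result[$s.Stream] = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        } else {
            $ms = [System.IO.MemoryStream]::new([byte[]](Read-StreamBytes -Path $Path -Stream $s.Stream))
            $result[$s.Stream] = (Get-FileHash -InputStream $ms -Algorithm SHA256).Hash
            $ms.Dispose()
        }
    }
    return $result
}

function Compare-FileStreams {
    # One row per stream of $Source: Intact, Modified or Missing on the $Destination side.
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    $src = Get-StreamHashes -Path $Source
    $dst = Get-StreamHashes -Path $Destination
    foreach ($name in $src.Keys) {
        $status = if (-not $dst.ContainsKey($name)) { 'Missing' }
                  elseif ($dst[$name] -ne $src[$name]) { 'Modified' }
                  else { 'Intact' }
        [pscustomobject]@{ Stream = $name; Status = $status }
    }
}

# Demo: a file with one alternate stream, copied NTFS to NTFS (streams are preserved).
$src = Join-Path $env:TEMP 'backup-src.txt'
$dst = Join-Path $env:TEMP 'backup-dst.txt'
Set-Content -Path $src -Value 'document body'
Set-Content -Path $src -Stream 'meta' -Value 'data the backup must not lose'
Copy-Item -LiteralPath $src -Destination $dst
Compare-FileStreams -Source $src -Destination $dst
# Point -Destination at the same file restored from a backup, or at a copy on a FAT32 USB stick,
# and every alternate stream that was dropped shows up as Missing.
```

Run it against a handful of files that you know carry streams, restore them with the backup product under test, and compare: a Class 0 product loses every alternate stream, a Class 1 product keeps them only when both sides are NTFS, and only a fully ADS-aware product reports Intact across the board.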

The stream name in this case is SummaryInformation:$DATA.

Figure 4: ADS handling by Class 0 backup software (non-ADS-aware). Class 1 (Figure 5): ADS-aware software which handles ADSs properly only within an NTFS environment.

The majority of applications (including Windows Explorer) work only with the standard stream and cannot read data from alternate NTFS data streams. If you don't specify a sort option on the AlternateStreamView command line, the list is sorted according to the last sort that you made from the user interface.

http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx STREAMS.EXE (Sysinternals) will list any ADS the file has.