Overview: Introduction, Importance, Origin, NTFS Stream Basics, Usages, Demo, Issues, API, Tools
Introduction
  A file is more than one file: it can act as a container for other files.
  One visible stream, and none or several invisible ones.
  Any kind of content, of any size.
  What is usually called "the file" is only its first (unnamed) stream.
Importance
  ADS is part of the NTFS infrastructure; it is a mechanism that cannot be disabled.
  ADS can contain data: backup tools must take their content into account.
  ADS can contain code: antivirus products must take their existence into account.
  Potential danger (WNT.Stream virus).
  ADS are almost unknown and almost invisible.
Origin
  ADS exist since the inception of Windows NT 3.1, to let Windows and Macintosh clients share files.
  Macintosh files have a data fork (content) and a resource fork (management information); NTFS keeps the resource fork in a named stream next to the data.
  Windows servers expose the resource fork to Macintosh clients through Services for Macintosh (SFM).
NTFS Basics - MFT
  Information about the files on an NTFS partition is located in a construct called the Master File Table (MFT).
  One MFT record hosts the collection of attributes that describe a file.

NTFS Basics - Streams
  A file is a collection of attributes, all stored as (logically) separate streams.
  Some are mandatory (name, time stamps), some are optional (security descriptor), and some may appear more than once (LFN/8.3 name, data).
  (Figure: one MFT record holding Standard info, LFN, 8.3, Security, Data and the named data streams Code, Code, Encryption.)

NTFS Basics - File Content
  The content of a file is one stream among others. Strictly speaking, NTFS doesn't manage files, it manages streams.
  $STANDARD_INFORMATION: general attributes (read-only, archive, time stamps: creation, last modification, ...).
  $FILE_NAME: a file can have two file name attributes when a file with a long name also has an automatically generated "8.3" name.
  $SECURITY_DESCRIPTOR: owner, discretionary ACL (DACL), and the system ACL (SACL) that carries the audit entries and, from Vista on, the integrity label.
  $DATA: files have one default (unnamed/anonymous) data attribute, the content of the file, and can have several named data attributes.
         Directories keep their content in index attributes rather than in a data attribute, but they too can carry named data attributes (an ADS on a folder).
Properties
  The streams of one file share its properties: they are protected by the same security descriptor, carry the file's time stamps and attributes, and are copied, moved and deleted together with it (as long as the destination is NTFS).
Windows usage - Explorer Zone Model
  The trust level of downloaded files is stored in a small text file saved as an ADS named Zone.Identifier:
    [ZoneTransfer]
    ZoneId=3
  ZoneId=3 is the Internet zone; Explorer reads it to warn before the file is opened or run.
Windows usage - Favorites
  The icons of Favorites are saved in an ADS of the .url files.
Windows usage - Change Journal
  Changes to files are recorded in the NTFS change journal, whose records live in an ADS named $J of the metadata file \$Extend\$UsnJrnl, as this attribute listing shows:
    $STANDARD_INFORMATION (resident)
    $FILE_NAME (resident)
    $DATA $J (nonresident)
        logical sectors 23039352-23090447 (0x15f8d78-0x160550f)
        logical sectors 26399296-26400295 (0x192d240-0x192d627)
        logical sectors 60720016-60728719 (0x39e8390-0x39ea58f)
        logical sectors 184110184-184110951 (0xaf94c68-0xaf94f67)
        logical sectors 60967328-60968351 (0x3a249a0-0x3a24d9f)
        logical sectors 58715456-58716479 (0x37fed40-0x37ff13f)
        logical sectors 58572096-58580287 (0x37dbd40-0x37ddd3f)
    $DATA $Max (resident)
Windows XP usage - Summary information
  XP generalizes the Office Summary (the Summary tab of file Properties) to all files.
  Office documents keep their summary in OLE streams inside the document; other files get it in ADS named
    DocumentSummaryInformation, SummaryInformation and SebiesnrMkudrfcoIaamtykdDa.
Windows 2000 usage
  Thumbnails: Explorer adds an ADS named "encryptable" to the Thumbs.db file of folders shown in Thumbnail view.
  Indexing Service: an ADS named Q30lsldxJoudresxAssqpcawXc is added to image files.
Demo - Syntax
  Create an ADS in a file
  Create an ADS in a directory
  Open a file located in an ADS
  Run a program located in an ADS
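The four demo steps as an added PowerShell example (PowerShell 3.0 or later, run on an NTFS volume). This is not the deck's own demo script; the directory, file and stream names and the sample text are assumptions chosen for illustration.

```powershell
# Added example, not the deck's original demo. Paths, stream names and content are assumptions.
$demoDir  = Join-Path $env:TEMP 'ads-demo'
$hostFile = Join-Path $demoDir 'host.txt'
New-Item -ItemType Directory -Path $demoDir -Force | Out-Null

# 1. Create an ADS in a file.
#    The unnamed $DATA stream is what Explorer, "type" and most backup tools see;
#    host.txt:secret is a second, named $DATA attribute in the same MFT record.
Set-Content -Path $hostFile -Value 'visible content'
Set-Content -Path $hostFile -Stream 'secret' -Value 'hidden content'
(Get-Item $hostFile).Length     # size of the unnamed stream only; the ADS adds nothing to it

# 2. Create an ADS in a directory.
#    Folders can carry named $DATA attributes too, so a stream can hang off the folder itself.
Set-Content -Path $demoDir -Stream 'dirnote' -Value 'attached to the directory'

# 3. Open a file located in an ADS: the stream is addressed as path:streamname.
#    ${hostFile} (braces) is needed, otherwise PowerShell reads "$hostFile:" as a drive qualifier.
Get-Content -Path $hostFile -Stream 'secret'          # hidden content
notepad.exe "${hostFile}:secret"                       # any program that calls CreateFile can open it

# 4. Run a program located in an ADS.
#    Copying an executable into a stream still works; cmd.exe redirection keeps the bytes intact.
cmd.exe /c "type `"$env:SystemRoot\System32\calc.exe`" > `"${hostFile}:calc.exe`""
#    The deck-era launch was "start host.txt:calc.exe". Windows 2000/XP ran it; Vista and later
#    refuse to start an image from a named stream, so on a current system this line fails.
cmd.exe /c "start `"`" `"${hostFile}:calc.exe`""

# Enumerate and clean up. Get-Item -Stream * lists every $DATA attribute; ':$DATA' is the unnamed one.
Get-Item -Path $hostFile -Stream * | Select-Object Stream, Length
Get-Item -Path $demoDir  -Stream * | Select-Object Stream, Length
Remove-Item -Path $hostFile -Stream 'secret'           # deletes just that attribute, the file stays
Remove-Item -Path $hostFile -Stream 'calc.exe'
Remove-Item -Path $demoDir  -Recurse -Force            # streams go away with their host
```

Step 1 is the whole point of the deck in one line: Explorer's size column, `dir` and `type` only ever report the unnamed stream, so the hidden content is invisible unless something enumerates the `$DATA` attributes explicitly.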
API
  Documented:
    CreateFile, ReadFile and WriteFile (a stream is opened by name as file:stream)
    BackupRead, BackupSeek and BackupWrite (walk and copy every stream of a file)
    FindFirstStream and FindNextStream, starting with Windows Server 2003
    IZoneIdentifier COM interface (reads and writes the Zone.Identifier stream)
  Undocumented:
    NtQueryInformationFile with the FileStreamInformation class
Management Tools
  No real Windows built-in tool
  Nfi (Windows Resource Kit)
  File Monitor and Streams (www.sysinternals.com)
  Sfind (www.foundstone.com)
  CmdStream/ShowStream
Evolution
  Built-in enumeration of ADS, starting with Vista (dir /R in cmd.exe).
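An added example of the enumeration that Vista-era Windows finally exposes (dir /R in cmd.exe, Get-Item -Stream in PowerShell 3.0 and later), combined with a reader for the Zone.Identifier stream from the Windows usage slide. It is not part of the deck or of any tool the deck lists; the function names, the scan root and the constructed sample file are assumptions.

```powershell
# Added example, not from the deck or the tools it lists. Function names and sample paths are assumptions.
# Built-in enumeration since Windows Vista: "dir /R" in cmd.exe, Get-Item -Stream in PowerShell 3.0+.

# Zone IDs as written into Zone.Identifier (the URLZONE values from urlmon.h).
$ZoneNames = @{ 0 = 'Local machine'; 1 = 'Local intranet'; 2 = 'Trusted sites'; 3 = 'Internet'; 4 = 'Restricted sites' }

function Find-AlternateDataStream {
    # Lists every named $DATA attribute under $Root, on files and directories alike.
    # The unnamed stream shows up as ':$DATA' and is skipped; anything else is an ADS.
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{ Path = $item.FullName; Stream = $_.Stream; Length = $_.Length }
                }
        }
}

function Get-ZoneIdentifier {
    # Parses the Zone.Identifier ADS that Explorer, Internet Explorer and Outlook attach to
    # downloaded files. Returns $null when the file carries no such stream.
    param([Parameter(Mandatory)][string]$Path)
    $text = Get-Content -LiteralPath $Path -Stream 'Zone.Identifier' -ErrorAction SilentlyContinue
    if (-not $text) { return $null }
    $ini = @{}
    foreach ($line in $text) {
        if ($line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $ini[$Matches[1]] = $Matches[2] }
    }
    $id = [int]$ini['ZoneId']
    [pscustomobject]@{
        Path    = $Path
        ZoneId  = $id
        Zone    = $ZoneNames[$id]
        HostUrl = $ini['HostUrl']   # written by newer Windows versions only; absent in the deck's era
    }
}

# Constructed sample: a file marked as if it came from the Internet zone (assumption, not a real download).
$sample = Join-Path $env:TEMP 'ads-sample.txt'
Set-Content -LiteralPath $sample -Value 'payload placeholder'
Set-Content -LiteralPath $sample -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3"

Find-AlternateDataStream -Root $env:TEMP | Where-Object Path -eq $sample   # lists the Zone.Identifier stream
Get-ZoneIdentifier -Path $sample                                              # ZoneId 3, Zone 'Internet'

# Removal: Unblock-File deletes the Zone.Identifier stream (same effect as the "Unblock" button in Properties).
Unblock-File -LiteralPath $sample
Get-ZoneIdentifier -Path $sample                                              # $null now
```

Find-AlternateDataStream is the check the deck's "Detection and removal" issue asks for: run it over a user profile or a download folder and every named stream, legitimate (Zone.Identifier, summary information) or not, comes out with its host path and size, which dir /R cannot do recursively in one line.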
Issues
  Backup & restore: tools that ignore ADS silently lose their content.
  Forensic: hidden data and code have to be looked for in every stream, not only in the file content.
  DoS attack: data hidden in ADS consumes disk space that no directory listing accounts for.
  Code execution: an executable stored in a stream can be launched from there.
  Detection and removal: few tools enumerate streams, fewer delete them.
  Windows Resource Protection (WRP)
  Misuse of valid ADS (e.g. Zone.Identifier, summary information)
  Antivirus: a scanner must open every stream, not just the unnamed one.
  Version control systems (e.g. SVN) do not track streams.
  Windows Scripting Host
  User Account Control (UAC)
  Unsupported on other file systems: streams are lost when a file is copied to FAT, burned to CD or sent by mail.
Summary
  ADS exist.
  ADS cannot be disabled.
  ADS can be used.
  ADS can be misused.