Not many people working on Windows using the NTFS file system are aware of a feature called Alternate Data Streams (ADS).
First things first: A file system is that part of an operating system which deals with storage and management of files on the disk. Its responsible for the ability to retrieve data from a file when needed. An operating system can support multiple file systems – for example, Windows XP supports at least FAT and NTFS.
Now we come to ADS. Its a feature of NTFS, and allows data to be stored in “hidden” blocks linked to a file. Normal operations such as reading or writing to the file do not reveal the existence of this data. So it can happen that your hard disk is full, yet the file sizes do not reveal the reason. Here is a small ‘test’ I did in this regards (for people who understand command line – a more ‘Windows’ example is available here):
C:\>copy con hello.txt
This is visible to all.
^Z
1 file(s) copied.
C:\>dir hello.txt
Volume in drive C has no label.
Volume Serial Number is A8EB-38D4
Directory of C:\
10/15/2008 12:56 PM 25 hello.txt
1 File(s) 25 bytes
0 Dir(s) 8,501,428,224 bytes free
C:\>echo This is visible only to some > hello.txt:hiddendata
C:\>type hello.txt
This is visible to all.
C:\>dir hello.txt
Volume in drive C has no label.
Volume Serial Number is A8EB-38D4
Directory of C:\
10/15/2008 12:56 PM 25 hello.txt
1 File(s) 25 bytes
0 Dir(s) 8,501,428,224 bytes free
C:\>more < hello.txt:hiddendata
This is visible only to some, and is part of ADS
This is what I did: I created a file called hello.txt with some text. Thereafter, I checked the file-size and it was 25 bytes. I then added some text to the file, but under an ADS named ‘hiddendata’. I again checked the file-size: it was still shown as 25 bytes, and the contents did not show the content of the ADS. However, when I directly asked to be shown the content of the ADS, it was shown to me.
Windows may use ADS to store access related information, or anything it wants to. In particular this is used to store “zone” information – when a file is downloaded from the internet and you see a warning when executing the file – its because of this zone information stored in the ADS. To remove ADS from a file, a quick way is to copy it to a FAT device and then copy it back. Since FAT cannot hold ADS, it gets deleted.
Virus writers, however, may use this feature for anything: they can store their own files without anyone noticing. Can you run an executable file directly off an ADS? You bet:
C:\>start /b c:/hello.txt:hello.exe
C:\>
Hello, World.
Hence it’s important to keep an eye on your NTFS drives. One way to do this is to use a tool called LADS. It comes with a very nice FAQ on ADS. Another tool, one that I haven’t tried myself is LNS.
The official word from Microsoft is here, and another interesting PDF is here.
LADS can be run on a partition, say C: as below:
lads c: /s
If you notice anything strange beyond “Zone.Identifier” or “Thumbs.db:encryptable” – especially a file with ‘exe’ extension – it can be a cause for concern.