Revision as of 14:25, 28 November 2005
In computing, a fork is additional data associated with a file system object. Filesystem forks are traditionally associated with Apple's Hierarchical File System (HFS), however they are also available in Microsoft's NTFS filesystem, where they are known as alternate data streams. Other filesystems such as Novell's Novell Storage Services (NSS) and Netware File System (NWFS), and Veritas Software's Veritas File System (VxFS) also support filesystem forks, some pre-dating Microsoft's implementation.
HFS was designed to use resource forks to store metadata about a file that would be used by the graphical user interface (GUI) of the Apple Macintosh, such as a file icon or an image preview. However, the feature was not limited to GUI data, so additional uses were found, such as splitting a word processing document into content and presentation, then storing the presentation information in the resource fork. One particular non-obvious use is that prior to Mac OS X, PostScript Type 1 fonts were traditionally stored entirely in the resource fork, the data fork being empty.
Starting in 1985, NWFS and its successor NSS were designed from the ground up to use a variety of methods to store a file's metadata. Some metadata resides in Novell Directory Services (NDS), some is stored in the directory structure on the disk, and some is stored in, as Novell terms it, 'multiple data streams' with the file itself. Multiple data streams also allow Macintosh clients to attach to and use Netware servers.
Filesystem Forks on Microsoft NTFS Filesystems
Support for filesystem forks (also known as alternate data streams, ADS) was added to NTFS so that servers running Windows NT could host files for Macintosh users. With Windows 2000, Microsoft started using alternate data streams in NTFS to store things such as author or title file attributes and document thumbnail images. They are also used for tagging an executable file downloaded directly from the internet so that a warning message can be displayed when the executable file is run.
Security Concerns & Virus Threats
Security experts have warned of the large security risk that ADS poses on NTFS file systems. The concern centres on the fact that any type of file, including executables, can be stored inside the ADS of any other file or directory. For example, a virus executable can be stored in the ADS of a text file. In this example, it would not be possible to find the executable unless you already knew of its existence. Windows Explorer provides no method of finding these additional data streams, and does not include the size of the ADS in the file size it reports.
Any file can be embedded in another file's ADS stream very easily. The syntax is as follows:
type C:\path\to\virus.exe >C:\path\to\textfile.exe:virus.exe
The file can then be run from the Command Line, a Windows Shortcut, or the Windows Registry as follows:
C:\path\to\textfile.exe:virus.exe
Other important points to note are:
- The size of the ADS will not be reported by Windows Explorer or any other program that relies on the Windows API. A 10-byte text file could have a 5 MB ADS attached to it, and it would still be reported as 10 bytes.
- There is no way of determining whether a file contains an ADS. The stream can only be accessed if you know its name.
- There is also no limit on the size of the ADS. A 10-byte text file can have an ADS of 2 GB. This can potentially be used by a Trojan to fill up disk space on the hard drive, and you would never be able to find where the space went.
- Currently, very few virus scanners can scan the contents of ADS; however, there are now a number of third-party tools that can remove them.
- ADS can only exist on NTFS file systems. They cannot exist on FAT32 file systems, and they cannot be transferred across the web or through e-mail. They can, however, be transferred through shared folders if both the source and the recipient use NTFS file systems.
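The points above describe how streams stay invisible to Explorer, but they can be enumerated from the command line: later Windows releases expose them through "dir /R" and through PowerShell's -Stream parameter (PowerShell 3.0 or newer). The following inventory script is an added example for defenders, not part of the original article; the scan root C:\path\to\scan is an assumed placeholder, and the Zone.Identifier name is the download tag mentioned earlier on this page.

```powershell
# Added example (not from the original article): list every alternate data
# stream under a directory tree, with its true size, so hidden content can be
# reviewed. Requires Windows PowerShell 3.0+ on an NTFS volume.
param(
    [string]$Root = 'C:\path\to\scan'   # assumed placeholder; point at the tree to check
)

$findings = Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        # -Stream * returns one record per stream on the file, including the
        # unnamed primary data stream, which PowerShell reports as ':$DATA'.
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
    } |
    Where-Object { $_.Stream -ne ':$DATA' }

foreach ($s in $findings) {
    # Length is the size of the stream itself, which Explorer never adds to the
    # file size it displays. Zone.Identifier is the Internet download tag and is
    # expected on downloaded files; anything else deserves a closer look.
    $kind = if ($s.Stream -eq 'Zone.Identifier') { 'download tag' } else { 'REVIEW' }
    '{0}:{1}  {2} bytes  [{3}]' -f $s.FileName, $s.Stream, $s.Length, $kind
}

# Once a stream's name is known it can be inspected or removed explicitly:
#   Get-Content -LiteralPath <file> -Stream <name>
#   Remove-Item -LiteralPath <file> -Stream <name>
```

Run it as an administrator so that files in protected directories are included; the file count and the number of flagged streams can be fed to whatever reporting the site already uses.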
External links
- Apple Glossary
- Multi-Fork File System
- How To Use NTFS Alternate Data Streams from Microsoft.com
- Windows NTFS Alternate Data Streams by Don Parker writing for SecurityFocus.com
- NTFS Streams - Everything you need to know (demos and tests included) from Diamond Computer Systems Pty. Ltd.
- Hidden Threat: Alternate Data Streams by Ray Zadjmool writing for WindowsSecurity.com
- LADS List Alternate Data Streams - a tool to search for NTFS alternate data streams
- LNS List NTFS Streams - a tool to search for NTFS alternate data streams
- ScanADS Scan Alternate Data Streams - an open source tool to scan NTFS alternate data streams