Revision as of 13:08, 28 November 2005 by AlistairMcMillan (edit summary: "Remove dup NTFS links. Remove dup (bordering on spam) diamondcs links."). Previous revision: 11:50, 28 November 2005 by Gorgan almighty (no edit summary).
In computing, a fork is additional data associated with a file system object. Filesystem forks are traditionally associated with Apple's Hierarchical File System (HFS); however, they are also available in Microsoft's NTFS filesystem, where they are known as alternate data streams. Other filesystems such as Novell's Novell Storage Services (NSS) and Netware File System (NWFS), and Veritas Software's Veritas File System (VxFS), also support filesystem forks, some pre-dating Microsoft's implementation.
HFS was designed to use resource forks to store metadata about a file that would be used by the graphical user interface (GUI) of the Apple Macintosh, such as a file icon or an image preview. However, the feature was not limited to GUI data, so additional uses were found, such as splitting a word processing document into content and presentation, then storing the presentation information in the resource fork. One particular non-obvious use is that, prior to Mac OS X, Postscript Type 1 fonts were traditionally stored entirely in the resource fork, the data fork being empty.
Starting in 1985, NWFS and its successor NSS were designed from the ground up to use a variety of methods to store a file's metadata. Some metadata resides in Novell Directory Services (NDS), some is stored in the directory structure on the disk, and some is stored in, as Novell terms it, 'multiple data streams' with the file itself. Multiple data streams also allow Macintosh clients to attach to and use Netware servers.
Filesystem Forks on Microsoft NTFS Filesystems
Support for filesystem forks (also known as alternate data streams, ADS) was added to NTFS so that servers running Windows NT could host files for Macintosh users. With Windows 2000, Microsoft started using alternate data streams in NTFS to store things such as author or title file attributes and document thumbnail images. They are also used for tagging an executable file downloaded directly from the internet so that a warning message can be displayed when the executable file is run.
Security Concerns & Virus Threats
Security experts around the globe have warned of the HUGE security risk that ADS poses on NTFS file systems. The concerns are centered around the fact that any type of file, including executable files, can be stored inside the ADS stream of any other file or directory. For example, a virus executable can be stored in the ADS of a text file. In this example, it would not be possible to find the executable file unless you already knew of its existence. Windows Explorer provides no method of finding these additional data streams, and does not report the file size of the ADS stream.
Any file can be embedded in another file's ADS stream very easily. The syntax is as follows:
type C:\path\to\virus.exe >C:\path\to\textfile.exe:virus.exe
The file can then be run from the Command Line, a Windows Shortcut, or the Windows Registry as follows:
C:\path\to\textfile.exe:virus.exe
Other important points to note are:
- The file size of the ADS stream will not be reported in Windows Explorer or any other program that relies on the Windows API. A 10 byte text file could have a 5 MB ADS stream attached to it, and it would still be reported as 10 bytes.
- There is no way of determining if a file contains an ADS stream. The stream can only be accessed if you know its name.
- There is also no limit to the file size of the ADS. A 10 byte text file can have an ADS of 2 gig. This can potentially be used by a Trojan to fill up disk space on the hard drive, and you'd never be able to find where it all went.
- Currently, very few virus scanners can scan the contents of ADS streams, however there are now a number of third-party tools that can remove ADS streams.
- ADS streams can only exist on NTFS file systems. They cannot exist on FAT32 file systems, and they cannot be transferred across the web or through E-mail. They can, however, be transferred through Shared Folders if both the source and the recipient use NTFS file systems.
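As an added example (not from the original article), a PowerShell audit script that lists every non-default stream under a directory together with its size, which is the check a defender wants given that Explorer only reports the main stream's size. It assumes PowerShell 3.0 or later on an NTFS volume; $Root is a placeholder path.

```powershell
# Added example, not from the original article: enumerate alternate data
# streams under $Root and report their sizes next to the size Explorer shows.
# Assumes PowerShell 3.0+ (Get-Item/Remove-Item -Stream) on an NTFS volume.
param([string]$Root = "C:\path\to\audit")   # placeholder path

$findings = Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # '-Stream *' returns every named stream on the file; ':$DATA' is the
        # ordinary file content, so anything else is an alternate data stream.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' } |
            ForEach-Object {
                [pscustomobject]@{
                    File       = $file.FullName
                    Stream     = $_.Stream      # e.g. 'Zone.Identifier' is the download tag
                    StreamSize = $_.Length      # bytes hidden from Explorer's size column
                    FileSize   = $file.Length   # what Explorer reports (main stream only)
                }
            }
    }

# Largest hidden streams first: a tiny file carrying a huge stream stands out.
$findings | Sort-Object StreamSize -Descending | Format-Table -AutoSize

# Remediation for a stream you have reviewed and do not want to keep:
#   Remove-Item -LiteralPath 'C:\path\to\file.txt' -Stream 'stream-name'
```

Run it from an elevated prompt when auditing system directories, since streams on files you cannot read are silently skipped.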
External links
- Apple Glossary
- Multi-Fork File System
- How To Use NTFS Alternate Data Streams from Microsoft.com
- Windows NTFS Alternate Data Streams by Don Parker writing for SecurityFocus.com
- Hidden Threat: Alternate Data Streams by Ray Zadjmool writing for WindowsSecurity.com
- LADS List Alternate Data Streams - a tool to search for NTFS alternate data streams
- LNS List NTFS Streams - a tool to search for NTFS alternate data streams
- ScanADS Scan Alternate Data Streams - an open source tool to scan NTFS alternate data streams