Introduction to NTFS data streams

Source: Internet
Author: User

What is an NTFS data stream?
Before introducing NTFS data streams, let's take a brief look at the NTFS file system. NTFS is the file system supported by the Microsoft Windows NT family of operating systems. It is a disk format designed for management and security features such as networking, disk quotas, and file encryption. NTFS is more stable, secure, and powerful than the FAT file system. To convert a FAT partition to NTFS, enter "convert <partition drive letter>: /fs:ntfs" at the command prompt.


NTFS alternate data streams (ADS) are a feature of the NTFS disk format. In the NTFS file system, each file can have multiple data streams; in other words, in addition to the main file stream, many non-main file streams can be hosted by the same file. It uses resource forks to maintain file-related information. Although we cannot see the data stream files, they actually exist in our system.
 

So why can't we see the data stream files in the system? Is it an obstacle that Windows deliberately set up to prevent accidental deletion of data stream files? The answer is no. We cannot see NTFS data stream files because many tools in Windows do not support them well. Windows Explorer is one example: changes to data stream files do not show up there.
 

Creating an example NTFS data stream
Many readers who have read the section above are probably still confused about NTFS data streams. It doesn't matter. Let's look at NTFS data streams through examples.


Creating the host file. The host file is an ordinary file: any type of file that can be displayed, run, and edited normally in Windows. Create a text document in txt format and use it as the host file. Run Notepad, enter some content, for example "test-host file", and save it as C:\test\suzhu.txt. Right-click suzhu.txt and select "Properties". The file size is 16 bytes.
 

Associating a data stream. After the host file is created, create a data stream file and associate it with the host file to see what changes happen to the host file. Click "Start" > "Run", enter cmd to open the command prompt, switch to the C:\test directory, and enter the command "echo "test -- Data Stream file" > suzhu.txt:shujuliu.txt".

 
Let's go back to the C:\test directory. We open suzhu.txt, and the content has not changed. It is still "test-host file", and the file size is still 16 bytes.


Where is the data stream file shujuliu.txt? Use the command prompt to make it visible. At the command prompt, enter the command "notepad suzhu.txt:shujuliu.txt". Notepad opens and displays the contents of the data stream file shujuliu.txt. When we use commands such as type and edit at the command prompt on the data stream file, an error occurs, because the command prompt does not support data stream files well. Although Notepad can open a data stream file, that does not mean it fully supports NTFS data streams, as we find when we try "Save As" on a data stream file.


In addition to binding a data stream file to a host file, you can also create standalone data stream files. At the command prompt, enter "echo "test -- Data Stream file" > :shujuliu2.txt". This creates a data stream file named shujuliu2.txt. The file cannot be seen in either Windows Explorer or the command prompt. It can be said that this file is invisible in the system. We can only confirm its existence by entering the "notepad :shujuliu2.txt" command. Even if we know it exists, we cannot delete it, because the "del" command at the command prompt has no effect. The only way to delete it is to delete its parent directory. If a standalone data stream file exists in the root directory of a disk, deleting it is very painful.


The data stream files in this article are all text documents, but data stream files are not limited to text. Any file can be used as a data stream file, including executable programs, images, sound, and so on. This feature allows Trojans to hide themselves from Windows Explorer inside NTFS data streams.
 

This creates at least two hidden risks. First, after an intrusion an attacker may hide hacking tools in data streams, and likewise virus files may be hidden after a virus infection. Second, a data stream file can be made to execute automatically through some channel, which hides a Trojan.


If a Trojan hides itself in a system file or in the system root directory, it is very troublesome to discover or delete. Fortunately, there are ready-made tools. stov security lab has released a portable (no-install) tool dedicated to scanning for and removing NTFS data streams. Any individual user can use it for free and without any restrictions.


http://www.stovesoft.com
Software: http://stovesoft.com/index.php?_m=mod_product&_a=view&p_id=153
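
An added example, not part of the original article and not the tool mentioned above: on systems with PowerShell 3.0 or later, the built-in file system cmdlets can list, read, and remove the streams created in the walkthrough. C:\test is the article's demo directory; the function name Get-AlternateStream and the allow-list are assumptions of this example.

```powershell
# Added example: audit a directory tree for alternate data streams.
# Assumes PowerShell 3.0+ on an NTFS volume. C:\test is the article's demo path.
param([string]$Root = 'C:\test')

# Stream names treated as expected (assumption of this example).
# Zone.Identifier is the mark Windows attaches to downloaded files.
$Expected = @('Zone.Identifier')

function Get-AlternateStream {
    param([Parameter(Mandatory)][string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * returns every stream; ':$DATA' is the main (visible) stream.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File     = $file.FullName
                        Stream   = $_.Stream
                        Length   = $_.Length
                        Expected = $Expected -contains $_.Stream
                    }
                }
        }
}

$found = @(Get-AlternateStream -Path $Root)
$found | Sort-Object Expected, File | Format-Table -AutoSize

# Preview each unexpected stream as text before deciding what to do with it.
foreach ($s in $found | Where-Object { -not $_.Expected }) {
    "--- $($s.File):$($s.Stream) ($($s.Length) bytes)"
    Get-Content -LiteralPath $s.File -Stream $s.Stream -TotalCount 5
    # To delete only the stream and keep the host file intact, uncomment:
    # Remove-Item -LiteralPath $s.File -Stream $s.Stream
}

# Streams attached to a directory itself (such as :shujuliu2.txt above) are not
# covered by the -File scan; "dir /r" in cmd.exe lists those as well.
```

Run against the walkthrough directory, the table should show suzhu.txt with a stream named shujuliu.txt, while the host file's own size stays at 16 bytes.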

 
