Fork (file system)

Alternate data streams are a data structure for holding additional structured data within a file alongside its main data: a way of storing multiple data streams in a single file.

Although it is used more widely and originally came from a different environment, the concept is today best known under the name forks, particularly on the Apple Macintosh with its so-called resource fork.

In the HPFS file system of OS/2, this data is called extended attributes (EA).


Apple Macintosh

On the Apple Macintosh, files contain, in addition to the so-called data fork with the main data, an area called the resource fork. This data structure is used in Apple's file systems (MFS, HFS, HFS+) to add metadata of any kind. In a program file, for example, it holds resources such as icons, menu contents or program code; in a font file, it holds the font's payload data.

Because the texts and images belonging to a program are kept in the resource fork of its program file, the program can be localized (adapted to another language) by editing them with a so-called resource editor.

Common editors for accessing and editing the contents of resource forks are:

  • ResEdit: free software from Apple with a graphical representation of the data structure and its contents (deprecated)
  • Resorcerer: a popular, albeit expensive, commercial application that recognizes more data types than ResEdit
  • ResKnife: free software for Mac OS X
  • Rezycle: a Mac OS X tool that extracts resource fork contents into separate files and can sometimes convert them into more useful, more modern formats


If a ZFS-based file system is exported with the Solaris kernel-based SMB service, alternate data streams are mapped to files of the same name in the extended attributes directory associated with the respective base file.


The Windows NTFS file system allows so-called Alternate Data Streams (ADS). With this feature, data can be stored attached to a file in a way that is invisible to the user. The feature is less well known than the resource fork of the Apple Macintosh, and the data streams are harder to locate. Alternate Data Streams are a simplified implementation of the extended attributes namespace available in Solaris and NFSv4, which is implemented on the UFS and ZFS file systems.


Microsoft Windows 2000 and Windows XP use ADS sub-streams to store the metadata available in each file's properties page and, depending on the application, considerably more. On Windows XP (Service Pack 2), a so-called zone identifier is also stored, which makes it possible to recognize after the fact files that were downloaded from the Internet. On download, Internet Explorer and, since version 3, also Mozilla Firefox add the corresponding information.


Any number of sub-streams can be stored for each file. In practice, this means that any number of other files can be attached to a file; they are not visible but, as long as the operation takes place within NTFS drives, they are moved and copied along with the file. The hidden parts of a file are accessed with a colon: beispiel.txt:myfile.txt denotes a data stream named myfile.txt that is associated with the file beispiel.txt. In addition to files, folders can also contain additional data streams, which complicates the detection of unwanted ADS.


  • Since ADS streams are invisible to the user and not all antivirus programs are able to scan ADS, viruses can exploit this feature.
  • Data in ADS is executable just like normal files. At startup, such data can be executed with a start command.
  • If files are to be deleted without leaving traces, ADS streams must also be taken into account.
  • When folder sizes are calculated, for example in the properties of a folder in Windows Explorer, the space occupied by ADS streams is not included in the calculation. Large amounts of data that are hard to find can thus be "hidden".

With the transition to the Windows Vista operating system, Microsoft severely restricted the use of ADS streams for security reasons.


Generating an ADS

type C:\Windows\system32\calc.exe > C:\Windows:bad.exe

Display of an ADS

Content can be displayed as follows:

notepad myfile.txt:myads.txt

List an ADS

Starting with Windows Vista, the names of alternate data streams can be displayed with the following command:

dir /r

Execute an ADS

To start the file, the following command is sufficient:

start C:\Windows:bad.exe

Removing an ADS

Removing an ADS is awkward because the delete command (del) does not work on ADS. As a result, there is no simple way to remove an individual stream; only all ADS that belong to a file can be removed together:

type myfile.txt > myfile.bak
del myfile.txt
ren myfile.bak myfile.txt

A file with ADS can also be copied to a different file system that does not support ADS (for example, FAT32) and then copied back. In the process, however, all of its ADS are lost.

This is easier with the streams command from the Windows Sysinternals Suite:

streams -d -s *.*

This recursively removes all ADS streams from the file system. The -d option stands for delete, the -s option for recursive processing. Without -d, the streams are only listed.
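
For detection rather than removal, the dir /r listing described above can be triaged automatically. The following Python function is an added example, not part of the original article: it parses captured dir /r output and grades each named stream. The sample listing is constructed, the English-locale layout is an assumption, and the name find_streams and the severity labels are illustrative.

```python
import re

# Constructed `dir /r` output (English locale assumed); names and sizes are made up.
# It mirrors the page's cases: a stream on a folder, one on a file, a zone identifier.
SAMPLE_DIR_R = r"""
 Directory of C:\Temp

01/02/2024  10:00 AM    <DIR>          .
                                   918 .:bad.exe:$DATA
01/02/2024  10:00 AM    <DIR>          ..
01/02/2024  09:58 AM                13 beispiel.txt
                                    40 beispiel.txt:myfile.txt:$DATA
01/02/2024  09:59 AM           204,800 setup.exe
                                    26 setup.exe:Zone.Identifier:$DATA
               2 File(s)        204,813 bytes
"""

STREAM_LINE = re.compile(r"^\s+([\d.,]+)\s+(.+):([^:]+):\$DATA\s*$")
DIR_LINE = re.compile(r"<DIR>\s+(.+?)\s*$")
EXECUTABLE_EXT = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js")


def find_streams(dir_r_output):
    """Return (host, stream, size, severity) for each named stream listed."""
    directories, findings = set(), []
    for line in dir_r_output.splitlines():
        is_dir = DIR_LINE.search(line)
        if is_dir:
            directories.add(is_dir.group(1))   # remember folder entries
            continue
        m = STREAM_LINE.match(line)
        if not m:
            continue                           # ordinary file or summary line
        size = int(re.sub(r"\D", "", m.group(1)))  # drop thousands separators
        host, stream = m.group(2), m.group(3)
        if stream == "Zone.Identifier":
            severity = "info"      # download marker written by browsers
        elif host in directories or stream.lower().endswith(EXECUTABLE_EXT):
            severity = "high"      # stream on a folder, or executable-looking name
        else:
            severity = "review"    # unexpected named stream on a file
        findings.append((host, stream, size, severity))
    return findings


if __name__ == "__main__":
    for finding in find_streams(SAMPLE_DIR_R):
        print("%-14s %-16s %8d  %s" % finding)
```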