Hex Editor - Binary File Editing Software for Windows

NTFS Streams Overview


NTFS (the native file system of all "NT-based" operating systems) has a little-known and usually underestimated feature called alternate data streams. Each file and directory on an NTFS-formatted volume may have an unlimited number of data streams. Each stream may be of any size, provided there is enough free space on the volume. Every file on the volume always contains at least one stream, but may also contain other streams. Unlike the first, default stream, which is unnamed, the other streams of a file have names, which follow the same rules as those for naming files and folders on an NTFS volume.

By convention, to refer to a specific named stream within a file, append a colon followed by the stream name to the full file name. For example, if we have a named stream "AltStream" in the file "c:\temp\file.bin", then its full name is

c:\temp\file.bin:AltStream

This named stream can almost be considered a separate file: it has its own attributes, such as size, sparseness and so on. At the same time, it shares several attributes, such as the security descriptor, with its "parent" file.

In addition, the system automatically copies or moves all of a file's streams each time the file is copied or moved.

All of this is good. The bad thing is that Windows (up to the very recent versions) does not support streams well in its user interface. Windows Explorer and the Command Prompt are completely unaware of streams. They will not show you a file's streams, and they will not even show you the space they occupy on your disk! In fact, you may be quite surprised to see how much space is "wasted" in this obscure and little-documented part of the file system.

In addition, if you copy or move a file to a volume which is not formatted with NTFS, all alternate data streams are silently deleted. The system also does not warn you if you delete a file with alternate data streams. (Note: this has changed a bit in Windows Vista: at least the system now warns you if you copy a file with named streams to a volume that does not support streams.)

NTFS alternate data streams are not a widely used feature, although they are slowly becoming more popular. Several common usage scenarios are listed below:

  • Microsoft Internet Explorer creates a small (usually 26 bytes long) stream called "Zone.Identifier" in each file it downloads from the "outside" world. In this stream it records a zone identifier naming the zone the file originally came from. The stream is later used by Windows Explorer, for example, to warn you that you are about to launch a downloaded file. As soon as you open the file's properties and click the "Unblock" button, the stream is deleted.
  • Several image viewing utilities are known to create a named stream and save a thumbnail version of the image inside each catalogued image file on your disk.
  • Several anti-virus products store information about the last scan time and results in each scanned file, so they can subsequently access it quickly without the burden of maintaining a complex database.
  • There have been reports of malware and viruses that use the NTFS alternate data streams feature. Although Windows Explorer and the Windows Command Prompt are unaware of streams, the Win32 API supports streams quite well. For example, a program or a script may start any named data stream for execution. Thus, a zero-sized file may actually contain quite a big executable in one of its streams, or the executable may be disguised as a simple, harmless text file. Luckily, most anti-virus products today are capable of scanning NTFS streams and locating viruses and malware in them. Hex Editor Neo can also be used to locate named streams on your computer.
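To see the behaviour described above from a script, here is an added example (not part of this page or of Hex Editor Neo) that creates two constructed sample files with named streams and then reports, for every file under a directory, the same three size values that the File Attributes Tool Window shows: main stream, named streams and total. It assumes Windows PowerShell 5.0 or later on an NTFS volume; the $Root scratch directory, the file names and the stream contents are constructed for the demonstration.

```powershell
# Added example, not part of this page or of Hex Editor Neo: audit a directory
# for files carrying named streams. Assumes Windows PowerShell 5.0+ (the -Stream
# and -NoNewline parameters) and an NTFS volume; $Root is an assumed scratch dir.
param([string]$Root = (Join-Path $env:TEMP 'ads-demo'))

New-Item -ItemType Directory -Path $Root -Force | Out-Null

# Constructed sample 1: the page's "file.bin:AltStream" case. The cmdlet's
# -Stream parameter is equivalent to appending ":AltStream" to the file name.
$sample = Join-Path $Root 'file.bin'
Set-Content -LiteralPath $sample -Value 'main stream data' -NoNewline
Set-Content -LiteralPath $sample -Stream 'AltStream' -Value 'named stream data' -NoNewline

# Constructed sample 2: a file marked as downloaded from the Internet zone.
# The Zone.Identifier stream holds "[ZoneTransfer]" and "ZoneId=3" (26 bytes
# with CRLF line endings); this is the stream Explorer's "Unblock" button deletes.
$download = Join-Path $Root 'downloaded.bin'
Set-Content -LiteralPath $download -Value 'installer bytes' -NoNewline
Set-Content -LiteralPath $download -Stream 'Zone.Identifier' -Value "[ZoneTransfer]`r`nZoneId=3`r`n" -NoNewline

function Get-AdsReport {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -File -Recurse | ForEach-Object {
        $file = $_
        # Get-Item -Stream * lists every stream; the unnamed one is ':$DATA'.
        $named = @(Get-Item -LiteralPath $file.FullName -Stream * |
                   Where-Object { $_.Stream -ne ':$DATA' })
        if ($named.Count -eq 0) { return }
        $namedSize = ($named | Measure-Object -Property Length -Sum).Sum
        $zone = ''
        if ($named.Stream -contains 'Zone.Identifier') {
            $zone = (Get-Content -LiteralPath $file.FullName -Stream 'Zone.Identifier') -join ' '
        }
        [pscustomobject]@{
            File      = $file.FullName
            Streams   = ($named.Stream -join ', ')
            MainSize  = $file.Length              # the size Explorer reports
            NamedSize = $namedSize                # the size Explorer does not show
            TotalSize = $file.Length + $namedSize
            Zone      = $zone
        }
    }
}

Get-AdsReport -Path $Root | Format-Table -AutoSize
```

Point the function at any directory on an NTFS volume to list files whose named streams Explorer would not show you; a file listed here can then be opened in Hex Editor Neo to inspect the streams themselves.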

Streams Support in Hex Editor Neo

Hex Editor Neo provides a rich toolset to work with NTFS alternate data streams. Most of the tools are available through the NTFS Streams Tool Window.

The editor automatically detects and displays all named streams of each opened file. It allows you to open any stream for viewing or editing, delete a stream, or create a new stream. It also implements a Find Streams function, which allows you to locate files satisfying given criteria that contain one or more named data streams. The result window then allows you to open them in the editor or delete them.

The File Attributes Tool Window displays the total number of streams in a file, as well as three file size values: the size of the main, unnamed stream (this is the size reported by Windows Explorer and most other programs); the size of all named streams; and the total size occupied by the file, that is, the sum of the two previous values.

Find in Files supports searching and replacing a pattern in named data streams.

Copyright © 2012 HHD Software. All rights reserved.