Alternate data streams occasionally crop up as security concerns because an attacker might use these streams to hide files on your system. These streams are also of interest to law enforcement because people sometimes use them to hide illegal material and records of illegal activities. Most programmers don't understand alternate data streams, and few tools can detect their presence. I'll help you understand how NTFS stores a file and present an application you can use to display the data streams present in a file.
Every file consists of a set of attributes. Oddly enough, a file’s name isn’t part of the file; rather, the filename is a directory entry that points to the actual file. This level of indirection is necessary because Windows 2000 and Windows NT both support links—for details, take a look at the CreateHardLink() function. Think of a directory entry as a pointer—each filename and directory entry tells the file system which file to access. More than one pointer can refer to the same data; that is, several directory entries can point to the same file. This concept won’t be new to you if you have any experience with UNIX systems. While these pointers have always been present in NT, until Win2K shipped, the API calls to create hard links were available only in the Device Driver Kit (DDK). . . .
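The pointer model described above, as an added example that is not part of the original article: a Python sketch that gives one file a second directory entry with os.link() (which CPython implements with CreateHardLink on Windows), then lists the names under a directory that share a single file. The file names and helper functions are constructed for illustration.

```python
import os
import stat
import tempfile
from collections import defaultdict


def file_identity(path):
    """Return (volume, file id) of the file that a name points to."""
    st = os.stat(path)
    return st.st_dev, st.st_ino


def find_hard_links(root):
    """Map (volume, file id) -> names under root that share that file."""
    names = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # look at the entry itself, not a symlink target
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                names[(st.st_dev, st.st_ino)].append(path)
    return {key: sorted(paths) for key, paths in names.items() if len(paths) > 1}


def demo():
    """Constructed sample: one file reached through two directory entries."""
    with tempfile.TemporaryDirectory() as root:
        first = os.path.join(root, "report.txt")   # constructed name
        second = os.path.join(root, "alias.txt")   # constructed name
        with open(first, "w") as fh:
            fh.write("same data")
        os.link(first, second)  # second entry; CreateHardLink on Windows
        result = {
            "same_file": file_identity(first) == file_identity(second),
            "links_before": os.stat(first).st_nlink,
            "linked_names": [[os.path.basename(p) for p in paths]
                             for paths in find_hard_links(root).values()],
        }
        os.remove(first)  # deletes one name; the file itself remains
        with open(second) as fh:
            result["survived"] = fh.read()
        result["links_after"] = os.stat(second).st_nlink
        return result


if __name__ == "__main__":
    print(demo())
```

Removing the first name leaves the data readable through the second, which is why a review of a suspicious file should check its link count and locate every name that points to it.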