5 1 0:Support for NTFS alternate data streams (ADS) for Windows
Overview
SEP sesam provides backup and restore of alternate data streams (ADS) on NTFS volumes and ReFS (ReFS reacquired support for alternate data streams in Windows 8.1 64-bit and Server 2012 R2, stream size limited to 128k). From SEP sesam version 4.4.3, ADS are backed up by default when backing up an NTFS file system. They are automatically restored to any ADS-aware system. If you restore a backup with ADS to a system that does not support ADS, a warning about loss of data is issued during restore. This ensures that your NTFS file system data is completely backed up and properly restored.
Note: If you wish to preserve the alternate data streams, you should not move the files with ADS into another file system that does not support ADS nor copy such files to a USB drive, CD-R/RW, or any other non-NTFS drive. If your backup target is not formatted with NTFS, your NTFS metadata (including ADS) will be lost.
If you want to exclude alternate data streams from NTFS backup or restore, see Excluding ADS from backup and Excluding ADS from restore.
What are alternate data streams?
Alternate data streams (ADS) are a unique data-hiding feature of NTFS file systems. A file in NTFS consists of the primary or unnamed data stream where the data is actually contained ($DATA), and of alternate data streams that can store additional metadata.
Applications may use ADS for storing file attributes. For example, Windows uses ADS for a number of functions, such as storing the summary information for the updated file or creating the Zone.Identifier (the original security zone) stream for every file downloaded by Internet Explorer. Windows Encrypting File System uses ADS to securely store files. File Classification Infrastructure (FCI) uses ADS for tagging files. Some anti-virus programs use them to improve scanning performance. Alternate data streams are also used to store non-critical information, such as thumbnails for graphical files, parsing information for program sources, etc.
ADS also have a downside: they are used by malicious programs in a variety of ways. Because alternate data streams are not detected, and therefore not shown, in Windows Explorer or at the command prompt (unless you know how to search for them, see ADS detection techniques), they can affect your data.
- Windows Explorer and the command line dir do not calculate the space used by ADS. This means that when determining the amount of used space, you will get the calculation only for the unnamed data stream. If there are lots of ADS used, you may be backing up a lot more than shown by your system, which may result in slower backups and filling up your storage space.
- There is no official limit to the size of the content that can be stored in the streams or to the number of streams, therefore the files with ADS can get quite big.
- Malicious executables and other data can be stored as ADS. The ADS can be executed from the command line with the start command. When executed, it still remains hidden because it will appear to run as the original file. If your anti-virus program has not detected a virus stored as ADS, you may be backing up infected data.
ADS detection techniques
Because files with ADS are not detected using native file browsing tools, such as Windows Explorer and the command line dir, the following tools and techniques can be used to recognize the ADS.
- Using command prompt
To display alternate data streams of all the files and directories, use the command
dir /R
To search in all sub-directories and display only files with alternate data streams, use
dir /s /r | find ":$DATA"
To search in current folder and display only files with alternate data streams, use
dir /r | find ":$DATA"
- Using PowerShell commands (Windows 8 or newer)
Start PowerShell and use the first command to list the names of the streams attached to a file
Get-Item -path {path to the file} -stream *
Then use the Get-Content cmdlet to query its contents
Get-Content -path {path to the file} -stream {stream name}
- Using Microsoft tool Streams
Reveal NTFS alternate streams by downloading Streams. The Streams tool does not display the contents of ADS, but shows all ADS of the files.
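The techniques above check one file or folder at a time. The following PowerShell sketch, an added example that is not part of SEP sesam or its documentation, walks a directory tree, lists every named stream with its size, and totals the bytes that dir and Windows Explorer leave out of their space calculation. The function name Get-AdsInventory, the list of known stream names and the temporary demo file are assumptions made for illustration.

```powershell
# Added example: inventory alternate data streams under a path (files only).
# Get-AdsInventory is a hypothetical helper name, not a SEP sesam or Windows command.
function Get-AdsInventory {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Stream names treated as expected; adjust for your environment (assumption).
        [string[]]$KnownStreams = @('Zone.Identifier')
    )
    # -File keeps the scan to files, which works on Windows PowerShell 3.0 and later.
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # ':$DATA' is the unnamed primary stream; everything else is an ADS.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File         = $file.FullName
                        Stream       = $_.Stream
                        StreamBytes  = $_.Length
                        PrimaryBytes = $file.Length
                        Known        = $KnownStreams -contains $_.Stream
                    }
                }
        }
}

# Constructed sample data: a temporary file with one named stream (requires NTFS).
$demo = Join-Path $env:TEMP ("ads-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$sample = Join-Path $demo 'report.txt'
Set-Content -LiteralPath $sample -Value 'primary data'
Set-Content -LiteralPath $sample -Stream 'notes' -Value ('x' * 4096)

$found = @(Get-AdsInventory -Path $demo)
$found | Sort-Object StreamBytes -Descending | Format-Table -AutoSize

# Bytes that dir and Explorer do not count but an ADS-aware backup still stores.
$hidden = ($found | Measure-Object StreamBytes -Sum).Sum
"{0} stream(s), {1} bytes outside the primary data" -f $found.Count, $hidden

# Streams not on the known list deserve a look before they are backed up.
$found | Where-Object { -not $_.Known } | Format-Table File, Stream, StreamBytes -AutoSize

Remove-Item -LiteralPath $demo -Recurse -Force
```

To scan real data, call Get-AdsInventory with the path of the backup source instead of the demo folder and drop the lines that create and remove the sample file.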
Excluding ADS from backup
ADS are backed up by default, but can be excluded from backup by using a special option in the backup task properties. You should only exclude ADS from backup if you are aware of their usage and the consequences of their exclusion.
- To exclude ADS from backup, select your client from the Main Selection -> Tasks -> By Clients, and then double-click the backup task for which you want to exclude alternate data streams. The backup task properties window is displayed. If you have not yet created a backup task, see Creating a Backup Task.
- Click the Options tab and under the Additional call arguments in the Backup options (previously Save options) field, enter the following:
-o skip_adat
- Click OK to save the task with excluded ADS.
Excluding ADS from restore
If alternate data streams were backed up, they will be restored by default. ADS can also be excluded from restore by using a special option in the restore wizard.
- To exclude ADS from restore, open the Restore Assistant in the browser.
- Select the restore type and then select the option Advanced View. Click Next.
- Proceed as described in the web restore procedure until you get to the Options window.
- In the Options window, click the Advanced restore options and then enter the following in the Options for restore field:
-o skip_adat
- Click Next to save the ADS exclusion option and proceed with restore.
- To start your restore immediately, click Start restore. To save the restore task, click Save restore task.
Note: A restore task can be scheduled like any other task. If you want to add a restore task to the schedule, see Scheduling Restore.
See also
Standard Backup Procedure – Restore Assistant – Backup – Restore