Source:Support for NTFS alternate data streams (ADS) for Windows

From SEPsesam
Revision as of 17:04, 7 September 2016 by Sta (talk | contribs)

Copyright © SEP AG 1999-2024. All rights reserved.

Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.

Welcome to the latest SEP sesam documentation version 4.4.3. For previous documentation version(s), check Documentation archive.


Overview

SEP sesam provides backup and restore of alternate data streams (ADS) for Windows on NTFS volumes. From SEP sesam version 4.4.3, ADS are backed up by default when backing up an NTFS file system. They are automatically restored to any ADS-aware system. If you are restoring a backup with ADS to a system that does not support ADS, a warning about loss of data is issued during restore. This ensures that your NTFS file system data is completely backed up and properly restored.

Note: If you wish to preserve the alternate data streams, you should not move the files with ADS into another file system that does not support ADS nor copy such files to a USB drive, CD-R/RW, or any other non-NTFS drive, nor transfer your data via FTP/HTTP. If your backup target is not formatted with NTFS, your NTFS metadata (including ADS) will be lost.

If you want to exclude alternate data streams from NTFS backup, see the procedure Excluding ADS from backup.

What are alternate data streams?

Alternate data streams (ADS) are a unique data-hiding feature of NTFS file systems. A file in NTFS consists of the primary or unnamed data stream where the data is actually contained ($Data), and of alternate data streams that can store additional metadata.

Applications may use ADS for storing file attributes. For example, Windows uses ADS for a number of functions, such as storing the summary information for the updated file or creating the Zone.Identifier (the original security zone) stream for every file downloaded by Internet Explorer. Windows Encrypting File System uses ADS to securely store files. File Classification Infrastructure (FCI) uses ADS for tagging files. Some anti-virus programs use them to improve scanning performance. Alternate data streams are also used to store non-critical information, such as thumbnails for graphical files, parsing information for program sources, etc.

ADS also have a downside: they are used by malicious programs in a variety of ways. Because files with ADS are not detected and therefore not shown in Windows Explorer or in the command prompt (unless you know how to search for them, see ADS detection techniques), they can affect your data.

  • Windows Explorer and the command line dir do not calculate the space used by ADS. This means that when determining the amount of used space, you will get the calculation only for the unnamed data stream. If there are lots of ADS used, you may be backing up a lot more than shown by your system, which may result in slower backups and filling up your storage space.
  • There is no official limit to the size of the content that can be stored in the streams or to the number of streams, therefore the files with ADS can get quite big.
  • Malicious executables and other data can be stored as ADS. The ADS can be executed from the command line by commands like type or start. When executed, it still remains hidden because it will appear to run as the original file. If your anti-virus program has not detected a virus stored as ADS, you may be backing up infected data.

ADS detection techniques

Because files with ADS are not detected using native file browsing tools, such as Windows Explorer and the command line dir, the following tools and techniques can be used to recognize the ADS.

Using command prompt

To display alternate data streams of all the files and directories, use the command

dir /R

To search in all sub-directories and display only files with alternate data streams, use

dir /s /r | find ":$DATA"

To search in current folder and display only files with alternate data streams, use

dir /r | find ":$DATA"

Using PowerShell commands (Windows 8 or newer)

Start PowerShell and use the first command to get the name of the ADS

Get-Item -Path {path to the file} -Stream *

Then use the Get-Content cmdlet to query its contents

Get-Content -Path {path to the file} -Stream showme

Using Microsoft tool Streams

Reveal NTFS alternate streams by downloading Streams. The Streams tool does not display the contents of ADS, but shows all ADS of the files.
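
The PowerShell cmdlets above, together with the earlier point that Windows Explorer and dir do not count the space used by ADS, can be combined into one inventory that lists every alternate stream under a directory and totals the bytes they hold. This is an added example, not part of the SEP sesam documentation; Get-AdsInventory is a hypothetical helper name and C:\Data is a placeholder path.

```powershell
# Added example: inventory alternate data streams under a directory tree.
# Requires Windows PowerShell 3.0 or newer on an NTFS volume.
# Get-AdsInventory is a hypothetical helper, not a built-in cmdlet
# and not a SEP sesam command.
function Get-AdsInventory {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$Path
    )

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # ':$DATA' is the unnamed primary stream; everything else is an ADS.
            $streams = Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' }

            foreach ($s in $streams) {
                [pscustomobject]@{
                    File             = $file.FullName
                    Stream           = $s.Stream
                    StreamBytes      = $s.Length
                    PrimaryBytes     = $file.Length
                    # Zone.Identifier is the stream Windows adds to downloaded files.
                    IsZoneIdentifier = ($s.Stream -eq 'Zone.Identifier')
                }
            }
        }
}

# C:\Data is a placeholder path; replace it with the tree you back up.
$inventory = @(Get-AdsInventory -Path 'C:\Data')

# Streams other than the download marker, largest first, for manual review.
$inventory | Where-Object { -not $_.IsZoneIdentifier } |
    Sort-Object StreamBytes -Descending |
    Format-Table File, Stream, StreamBytes, PrimaryBytes -AutoSize

# Total bytes held in ADS: space that dir and Explorer leave out of their
# totals but that a backup including ADS has to transfer and store.
$total = ($inventory | Measure-Object -Property StreamBytes -Sum).Sum
'{0} alternate streams, {1:N0} bytes in total' -f $inventory.Count, [long]$total
```

Running it against the backup source before a job shows how much data the ADS add to the backup and which files carry unexpected streams.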

Excluding ADS from backup

ADS are backed up by default, but can be excluded from backup by using a special option in the backup task properties. You should only exclude ADS from backup if you are aware of their usage.

  1. To exclude ADS from backup, select your client from the Main Selection -> Tasks -> By clients, and then select the backup task for which you want to exclude alternate data streams. The task properties window is displayed. If you have not yet created a backup task, proceed as described in the Standard Backup Procedure.
  2. Click the Options tab and under the Additional call arguments (Expert options) in the Save options field, enter the following: -o no_adat. Click OK to save the task with excluded ADS.

See also

Backup