Home Screenshots | About NTFS Streams | Test your Antivirus | Howto | NTFS Streams on Sourceforge | Download

NTFS-Streams: ADS manipulation tool

NTFS ADS Tool is an utility to reveal, list, delete, show contents, extract/copy hidden files from NTFS Alternate Data Streams.

Magic numbers to determine file type

######## add some ntfs specific magic numbers #####################################################################################
# read more http://sedna-soft.de/summary-information-stream/
# read www.sandersonforensics.com/Files/ZoneIdentifier.pdf
my $magic = <<EOF;
0	string	\\xfe\\xff\\x00\\x00\\x05\\x00\\x02\\x00\\x00	NTFS stream Metadata Win 5.0 (W2k)
0	string	\\xfe\\xff\\x00\\x00\\x05\\x01\\x02\\x00\\x00	NTFS stream Metadata Win 5.1 (XP)
0	string	\\xfe\\xff\\x00\\x00\\x05\\x02\\x02\\x00\\x00	NTFS stream Metadata Win x64/2003
0	string	\\xfe\\xff\\x00\\x00\\x06\\x00\\x02\\x00\\x00	NTFS stream Metadata Win Vista/2008
0	string	\\xfe\\xff\\x00\\x00				NTFS stream Metadata
0	string	[ZoneTransfer]\\x0d\\x0aZoneId=3		NTFS stream Zone.Identifier 3 (Internet) WinXP SP2 and above
0	string	[ZoneTransfer]					NTFS stream Zone.Identifier WinXP SP2 and above
EOF

if ( !-e "$ENV{HOME}/.magic" ) {
    open( MAGIC, ">$ENV{HOME}/.magic" ) or die "cannot open \$HOME/.magic $ENV{HOME} : $!";
    print MAGIC $magic;
    close MAGIC;
}

Zone.Identifier

[Zone.Identifier]

[ZoneTransfer]
ZoneId=3

This simply tags the file as being the result of an internet download (Zone 3 is the Internet).
Trusted - 1, Intranet - 2, Internet - 3, Untrusted - 4
Size always 26 Byte

Summary

It's used for storing DRM or copyright protection info, file metadata and other types of data the user never needs to directly access and is important to be preserved safely. Draw attention at octal \005 as first character in filename - it cannot be easy typed by keyboard (may be MSFT tried so to prevent us from viewing it?). You need to press ALT key and press 5 on numeric keypad then release ALT to type this character.

\005DocumentSummaryInformation

00000000  fe ff 00 00 05 01 02 00  00 00 00 00 00 00 00 00  |................|
00000010  00 00 00 00 00 00 00 00  01 00 00 00 02 d5 cd d5  |................|
00000020  9c 2e 1b 10 93 97 08 00  2b 2c f9 ae 30 00 00 00  |........+,..0...|
00000030  4c 00 00 00 03 00 00 00  01 00 00 00 28 00 00 00  |L...........(...|
00000040  00 00 00 80 30 00 00 00  02 00 00 00 38 00 00 00  |....0.......8...|
00000050  00 00 00 00 00 00 00 00  02 00 00 00 e4 04 00 00  |................|
00000060  13 00 00 00 07 04 00 00  1e 00 00 00 0a 00 00 00  |................|
00000070  6b 61 74 65 67 6f 72 69  65 00 00 00              |kategorie...|
0000007c
\005SebiesnrMkudrfcoIaamtykdDa

\005SummaryInformation is a binary format.

{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} - is always empty. This is probably just a marker

Thumbs.db:encryptable

Thumbs.db:encryptable
Size always 0 Byte

read more about Alternate Data Streams:

http://www.heysoft.de/nt/ntfs-ads.htm Home of LADS
http://technet.microsoft.com/en-us/sysinternals/bb897440.aspx Home of STREAMS.EXE
hijack9.googlepages.com/ntfsdoc.html#concept_file_data
members.cox.net/slatteryt/Streams.html
http://sedna-soft.de/summary-information-stream/
www.infosecwriters.com/texts.php?op=display&id=53
www.ochsenmeier.de/pdf/NtfsAlternateDataStreams.pdf




ntfs-ads based on: GNU/Linux, ntfs-3g, xattr, zenity
tested on ubuntu 8.04, kubuntu 8.04, knoppix 5.3 DVD

SourceForge.net Logo