NTFS Alternate Data Streams
---------------------------
The existence of NTFS Alternate Data Streams and their potential for
misuse has recently been publicised in various NT related newsgroups and
mailing lists. These streams can be used to hide the existence of data of
any size and type (eg confidential data, pornographic images, etc) which
may be damaging to your organization.
Legitimate uses of streams have also been included in recent editions of
some UK PC magazines.
The current problem with streams is that many Windows NT users (including
administrators) are not aware that streams exist and even if they know of
them have no simply method of detecting them. Microsoft does not provide
tools for reporting what streams exist !
MARCH Information Systems has developed a command line utility which
solves the problem of hidden data by checking a machine for the
existence of non-default streams (a 'data' and 'security descriptor'
stream exists on every NTFS file and directory). The utility searches an
NTFS disc locating and reporting the size and, more importantly, the name
of every alternate data stream detected. If desired it will even report
the sizes of the standard streams.
The FREE utility, together with a paper giving further details of the
threats posed by streams, can be download from
Regards,
Charles White | Tel: +44 (0)118 930 4224
March Information Systems Ltd., | Fax: +44 (0)118 930 5802
14 Brewery Court, High Street, Theale, |
Berkshire, England, RG7 5AJ | Email: c.white@march.co.uk
<Security Manager & EventLog Manager - NT & UNIX Security solutions>