Thursday, February 12, 2009

Finding alternate data streams with AlternateStreamView

NTFS system has a feature that allows to add multiple streams in addition to the main file stream. When you open or view the file, only the main file stream is visible, while other additional streams are hidden from the user.

Here's 3 examples of alternate streams usage in Windows operating system:
  1. Favorites of Internet Explorer: When You add a Web site link into your 'Favorites', a .url file containing the url and description is created. However, if the Web site also have an icon (favicon), the icon is saved as alternate stream for the same url file. The stream name of the icon is :favicon:$DATA

  2. Downloaded files of Internet Explorer: When you download and save a file with Internet Explorer, it automatically add a zone information for the saved file. This zone information is used for identifying the file as downloaded file from the Internet. The stream name in this case is :Zone.Identifier:$DATA

  3. Summary information of files: When you right-click on a file in Explorer and go to the 'Summary' tab, you can add summary information for the file, like title, subject, author, and so on. This summary information is also saved into alternate stream. The stream name in this case is SummaryInformation:$DATA.

In addition to the legitimate usage of alternate streams, this technique may also be used by Viruses/Trojans/Spywares for saving data and hiding it from the user.

AlternateStreamView is a new GUI tool that allows you to easily scan your NTFS drive, and find all hidden alternate streams stored in the file system. After scanning and finding the alternate streams, you can extract these streams into the specified folder, delete unwanted streams, or save the streams list into text/html/csv/xml file.

For more information and download link, click here


Blogger Claus said...

Sweet utility!

Great addition to the lineup!

I know there are a number of CLI tools to do this but the GUI is so much more convenient!

Question: Could (would) you be willing to consider making a micro-sized quick-link at the top of each tool's page for a download jump ( Microsoft Sysinternals tools pages).

I know that might keep some folks from scrolling down the page and reading all the changes and program details...but for hard-core users of your tools, having a quick jump link at the top of the page would make it faster to grab and update a tool when updates are offered.

Just a humble suggestion.

We deeply appreciate all you do!


Claus V.

February 12, 2009 9:41 AM  

Post a Comment

<< Home