file streams ntfs
streams can store extra info of files
Stream type specifier values always start with the dollar sign ($) symbol
Stream Type Description
::$ATTRIBUTE_LIST Contains a list of all attributes that make up the file and identifies where each attribute is located.
::$BITMAP A bitmap used by indexes to manage the b-tree free space for a directory. The b-tree is managed in 4 KB chunks (regardless of cluster size) and this is used to manage the allocation of these chunks. This stream type is present on every directory.
::$DATA Data stream. The default data stream has no name. Data streams can be enumerated using the FindFirstStreamW and FindNextStreamW functions.
::$EA Contains Extended Attributes data.
::$EA_INFORMATION Contains support information about the Extended Attributes.
::$FILE_NAME The name of the file, in Unicode characters. This includes the short name of the file as well as any hard links.
::$INDEX_ALLOCATION The stream type of a directory. Used to implement filename allocation for large directories. This stream represents the directory itself and contains all of the data of the directory. Changes to streams of this type are logged to the NTFS change journal. The default stream name of an $INDEX_ALLOCATION stream type is $I30 so "DirName", "DirName::$INDEX_ALLOCATION", and "DirName:$I30:$INDEX_ALLOCATION" are all equivalent.
::$INDEX_ROOT This stream represents root of the b-tree of an index. This stream type is present on every directory.
::$LOGGED_UTILITY_STREAM Similar to ::$DATA but operations are logged to the NTFS change journal. Used by EFS and Transactional NTFS (TxF). The ":StreamName:$StreamType" pair for EFS is ":$EFS:$LOGGED_UTILITY_STREAM" and for TxF is ":$TXF_DATA:$LOGGED_UTILITY_STREAM".
::$OBJECT_ID An 16-byte ID used to identify the file for the link-tracking service.
::$REPARSE_POINT The reparse point data.
using alternate data stream to hide text:
from cmd run
ex : notepad test.txt:secret.txt
None of these hidden files will affect the other, or change the main file. use the command line to access the hidden data. that stream isn’t exactly part of the file… you can’t copy your file to another location and access the streams over there.
view sterams using
read using cmd
more < FileName:StreamName
write using cmd
echo “secret texts” > FileName.txt:StreamName