Support for NTFS alternate data streams (ADS) for Windows

From SEPsesam
Jump to: navigation, search

Copyright © SEP AG 1999-2017. All rights reserved.

Any form of reproduction of the contents or parts of this manual is allowed only with the express written permission from SEP AG. When compiling and designing user documentation SEP AG uses great diligence and attempts to deliver accurate and correct information. However, SEP AG cannot issue a guarantee for the contents of this manual.

Docs latest icon.png Welcome to the latest SEP sesam documentation version 4.4.3. For previous documentation version(s), check Documentation archive.


Overview

SEP sesam provides backup and restore of alternate data streams (ADS) on NTFS volumes and ReFs (ReFs reacquired support for alternate data streams in Windows 8.1 64-bit and Server 2012 R2, stream size limited to 128k). From SEP sesam version 4.4.3, ADS are backed up by default when backing up a NTFS file system. They are automatically restored to any ADS-aware system. If you are restoring a backup with ADS to the system that does not support ADS, a warning about loss of data is issued during restore. This way you are ensured that your NTFS file system data is completely backed up and properly restored.

Note: If you wish to preserve the alternate data streams, you should not move the files with ADS into another file system that does not support ADS nor copy such files to a USB drive, CD-R/RW, or any other non-NTFS drive. If your backup target is not formatted with NTFS, your NTFS metadata (including ADS) will be lost.

If you want to exclude alternate data streams from NTFS backup or restore, see Excluding ADS from backup and Excluding ADS from restore.

What are alternate data streams?

Alternate data streams (ADS) are a unique data-hiding feature of NTFS file systems. A file in NTFS consists of the primary or unnamed data stream where the data is actually contained ($Data), and of alternate data streams that can store additional metadata.

Applications may use ADS for storing file attributes. For example, Windows uses ADS for a number of functions, such as storing the summary information for the updated file or creating the Zone.Identifier (the original security zone) stream for every downloaded file by Internet Explorer. Windows Encrypting File System is using ADS to securely store files. File Classification Infrastructure (FCI) is using ADS for tagging files. Some anti-virus programs are using them to improve scanning performance. Alternate data streams are also used to store non-critical information, such as thumbnails for graphical files, parsing information for program sources, etc.

There is also the downside of ADS: they are used by malicious programs in a variety of ways. Because files with ADS are not detected and therefore not shown in Windows Explorer or in the command prompt (unless you know how to search for them, see ADS detection techniques), they can affect your data.

  • Windows Explorer and the command line dir do not calculate the space used by ADS. This means that when determining the amount of used space, you will get the calculation only for the unnamed data stream. If there are lots of ADS used, you may be backing up a lot more than shown by your system, which may result in slower backups and filling up your storage space.
  • There is no official limit to the size of the content that can be stored in the streams or to the number of streams, therefore the files with ADS can get quite big.
  • Malicious executables and other data can be stored as ADS. The ADS can be executed from the command line by command start. When executed, it still remains hidden because it will appear to run as the original file. If your anti-virus program has not detected a virus stored as ADS, you may be backing up infected data.

ADS detection techniques

Because files with ADS are not detected using native file browsing tools, such as Windows Explorer and the command line dir, the following tools and tecniques can be used to recognize the ADS.

Using command prompt

To display alternate data streams of all the files and directories, use the command

dir /R

To search in all sub-directories and display only files with alternate data streams, use

dir   /s /r | find ":$DATA"

To search in current folder and display only files with alternate data streams, use

dir   /r | find ":$DATA"
Using PowerShell commands (Windows 8 or newer)

Start the PowerShell and use the first command to get the name of the ADS

Get-Item -path {path to the file} -stream *

Then use the Get-Content cmdlet to query its contents

Get-Content -path {path to the file} -stream {stream name} showme
Using Microsoft tool Streams
Reveal NTFS alternate streams by downloading Streams. The Streams tool does not display the contents of ADS, but shows all ADS of the files.

Excluding ADS from backup

ADS are backed up by default, but can be excluded from backup by using a special option in the backup task properties. You should only exclude ADS from backup if you are aware of their usage and the consequences of their exclusion.

  1. To exclude ADS from backup, select your client from the Main Selection -> Tasks -> By clients, and then select the backup task for which you want to exclude alternate data streams. The task properties window is displayed. If you have not yet created a backup task, proceed as described in the Standard Backup Procedure.
  2. Click the Options tab and under the Additional call arguments (Expert options) in the Save options field, enter the following: -o skip_adat. Click OK to save the task with excluded ADS.
  3. Backup skip ADS.png

Excluding ADS from restore

If alternate data streams were backed up, they will be restored by default. ADS can also be excluded from restore by using a special option in the restore wizard.

  1. To exclude ADS from restore, select Activities -> Restore from the SEP sesam GUI menu bar. The New restore task window opens.
  2. Select the save set you want to restore and proceed as described in the Standard Restore Procedure until you get to the last step of the wizard.
  3. Click the Expert options button. The Expert options window is displayed (with opened tab Options). Enter the following in the Restore options field: -o skip_adat. Then click OK to save the ADS exclusion option.
  4. Restore skip ADS.png


  5. To start your restore immediately, click Start. To save the restore task, click Save.

See also

Backup