Friday, September 26, 2008

Accessing NTFS Alternate Data Streams with C#

CodeProject - Accessing alternative data-streams of files on an NTFS volume

“Since NT 3.1, the NTFS file system has supported multiple data-streams for files. There has never been built-in support for viewing or manipulating these additional streams, but the Windows API functions include support for them with a special file syntax: Filename.ext:StreamName. Even Win9x machines can access the alternative data streams of files on any NTFS volume they have access to, e.g. through a mapped drive. Because the Scripting.FileSystemObject and many other libraries call the CreateFile API behind the scenes, even scripts have been able to access alternative streams quite easily (although enumerating the existing streams has always been tricky).

In .NET, however, it seems someone decided to add some checking to the format of filenames. If you attempt to open a FileStream on an alternative stream, you will get a "Path Format not supported" exception. I have been unable to find any class in the CLR that provides support for alternative data streams, so I decided to roll my own.

Using the Classes

The AlternateDataStreamInfo class represents the details of an individual stream, and provides methods to create, open or delete the stream.

The static FileSystem class provides methods to retrieve the list of streams for a file, retrieve a specific stream from a file, determine whether a stream exists, and delete a specific stream.

All methods on the FileSystem class offer overloads which accept either a path or a FileSystemInfo object. The overloads which accept a FileSystemInfo object can also be invoked as extension methods.

…”

Thinking about, accessing, looking at, etc., Alternate Data Streams (ADS) in NTFS has been something I’ve been kind of interested in (in an ultralow background thread kind of way). Being in the EDD field, any and all metadata, be it in the file or external in the file system, is naturally interesting to me. ADS is like one of those open secrets, where it’s been “there” since forever, but not thought about much. I wonder how many forensic/EDD/AV/Spyware/etc. tools look into a file’s ADS? (Probably many, I would hope…).

And beyond that, like Microsoft does with its “Downloaded from the Internet” blocking usage of ADS, I think it would be pretty cool to use ADS to instrument files with industry or usage specific metadata. As long as the file is moved between NTFS volumes, that metadata will always be there with the file. And thereby it would also be easy to clean or remove that metadata…
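To make the two points above concrete (the .NET colon check that the CodeProject author worked around, and tagging a file with your own metadata the way Windows tags downloads with Zone.Identifier), here is a small added example of my own. It is not the CodeProject library's code: the class `AdsDemo`, its method names and the `ReviewStatus` stream name are this example's own choices. It goes to the Win32 API directly, which is the route the quoted article describes: CreateFile accepts the `file:stream` syntax, and the resulting handle can be handed to a FileStream. Enumeration uses FindFirstStreamW/FindNextStreamW (Vista/Server 2003 and later), and deletion uses DeleteFileW on the stream path. On .NET Core and .NET 5+ the path validation no longer rejects the colon, so `new FileStream("file.txt:stream", ...)` also works there; the P/Invoke route below works on both.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.IO;
using System.Runtime.InteropServices;
using Microsoft.Win32.SafeHandles;

// Added example (not the CodeProject library): create, list, read and delete
// NTFS alternate data streams via the Win32 "file:stream" syntax.
static class AdsDemo
{
    const uint GENERIC_READ = 0x80000000, GENERIC_WRITE = 0x40000000;
    const uint FILE_SHARE_READ = 0x1, FILE_ATTRIBUTE_NORMAL = 0x80;
    const uint CREATE_ALWAYS = 2, OPEN_EXISTING = 3;
    const int ERROR_HANDLE_EOF = 38;             // FindFirstStreamW: no streams at all
    static readonly IntPtr INVALID_HANDLE_VALUE = new IntPtr(-1);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern SafeFileHandle CreateFileW(string lpFileName, uint dwDesiredAccess,
        uint dwShareMode, IntPtr lpSecurityAttributes, uint dwCreationDisposition,
        uint dwFlagsAndAttributes, IntPtr hTemplateFile);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool DeleteFileW(string lpFileName);

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    struct WIN32_FIND_STREAM_DATA
    {
        public long StreamSize;
        [MarshalAs(UnmanagedType.ByValTStr, SizeConst = 296)]   // MAX_PATH + 36
        public string cStreamName;
    }

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    static extern IntPtr FindFirstStreamW(string lpFileName, int InfoLevel,
        out WIN32_FIND_STREAM_DATA lpFindStreamData, uint dwFlags);

    [DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool FindNextStreamW(IntPtr hFindStream, out WIN32_FIND_STREAM_DATA lpFindStreamData);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool FindClose(IntPtr hFindFile);

    // Open "path:stream" with CreateFile and wrap the handle in a FileStream.
    // This sidesteps the colon check that makes FileStream(path) throw on .NET Framework.
    // Write access truncates only that stream; the file's main $DATA stream is untouched.
    static FileStream OpenStream(string path, string stream, FileAccess access)
    {
        bool write = access != FileAccess.Read;
        SafeFileHandle h = CreateFileW(path + ":" + stream,
            write ? GENERIC_READ | GENERIC_WRITE : GENERIC_READ, FILE_SHARE_READ,
            IntPtr.Zero, write ? CREATE_ALWAYS : OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, IntPtr.Zero);
        if (h.IsInvalid) throw new Win32Exception(Marshal.GetLastWin32Error());
        return new FileStream(h, access);
    }

    // Enumerate every stream, including the unnamed one, which shows up as "::$DATA".
    static List<string> ListStreams(string path)
    {
        var names = new List<string>();
        WIN32_FIND_STREAM_DATA data;
        IntPtr h = FindFirstStreamW(path, 0 /* FindStreamInfoStandard */, out data, 0);
        if (h == INVALID_HANDLE_VALUE)
        {
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_HANDLE_EOF) return names;
            throw new Win32Exception(err);
        }
        try { do names.Add(data.cStreamName + " (" + data.StreamSize + " bytes)"); while (FindNextStreamW(h, out data)); }
        finally { FindClose(h); }
        return names;
    }

    static void Main(string[] args)
    {
        string path = args.Length > 0 ? args[0] : "sample.txt";   // constructed sample file
        File.WriteAllText(path, "primary stream content");

        // Application-specific metadata riding along in a named stream (name is this example's own).
        using (var w = new StreamWriter(OpenStream(path, "ReviewStatus", FileAccess.Write)))
            w.Write("matter=12345;reviewer=jdoe;status=privileged");

        // The "downloaded from the Internet" mark: same mechanism Windows uses (ZoneId 3 = Internet).
        using (var w = new StreamWriter(OpenStream(path, "Zone.Identifier", FileAccess.Write)))
            w.Write("[ZoneTransfer]\r\nZoneId=3\r\n");

        foreach (string s in ListStreams(path)) Console.WriteLine(s);
        // ::$DATA, :ReviewStatus:$DATA, :Zone.Identifier:$DATA

        using (var r = new StreamReader(OpenStream(path, "ReviewStatus", FileAccess.Read)))
            Console.WriteLine("ReviewStatus = " + r.ReadToEnd());

        // Removing the mark-of-the-web: File.Delete rejects the colon on .NET Framework, DeleteFileW does not.
        if (!DeleteFileW(path + ":Zone.Identifier")) throw new Win32Exception(Marshal.GetLastWin32Error());
        Console.WriteLine(string.Join(", ", ListStreams(path).ToArray()));
    }
}
```

Two practical caveats. First, the metadata only survives while the file stays on NTFS: copying to FAT/exFAT, zipping it, or sending it through most transports silently drops every named stream, so do not rely on an ADS as a tamper-evident or mandatory control. Second, the same mechanism that carries benign metadata also hides arbitrary bytes from anything that only reads the unnamed stream, which is exactly why forensic and AV tooling should enumerate streams (on Vista and later, `dir /r` shows them from the command line) rather than trust a file's apparent size.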


Related Past Post XRef:
CopyFileEX ALL API Example
"Practical Guide to Alternative Data Streams in NTFS"
