So…<\/p>\n
First, let’s test how HMFT shows ADS-related data:<\/p>\n
- \n
- First let’s create a few sample ADSs<\/li>\n<\/ul>\n
echo > f:\\test\r\necho > f:\\test:ads\r\necho > f:\\test:ads2\r\necho > f:\\test:ads3<\/pre>\n
- \n
- Next, we run hmft over the drive and saving it to a file<\/li>\n<\/ul>\n
hmft -l f: f_mft.txt<\/pre>\n
- \n
- Finally, let’s see the content of the file – scroll down to see file name, first unnamed DATA attribute that is then followed by 3 named DATA attributes – ADS names:<\/li>\n<\/ul>\n
[FILE]\r\n SignatureD = 1162627398\r\n OffsetToFixupArrayW = 48\r\n NumberOfEntriesInFixupArrayW = 3\r\n LogFileSequenceNumberQ = 4204637\r\n SequenceValueW = 1\r\n LinkCountW = 1\r\n OffsetToFirstAttributeW = 56\r\n FlagsW = 1\r\n UsedSizeOfMFTEntryD = 448\r\n AllocatedSizeOfMFTEntryD = 1024\r\n FileReferenceToBaseRecordQ = 0\r\n NextAttributeIdD = 6\r\n --\r\n\r\n RESIDENT ATTRIBUTE\r\n AttributeTypeIdentifierD = 16\r\n LengthOfAttributeD = 96\r\n NonResidentFlagB = 0\r\n LengthOfNameB = 0\r\n OffsetToNameW = 0\r\n FlagsW = 0\r\n AttributeIdentifierW = 0\r\n --\r\n SizeOfContentD = 72\r\n OffsetToContentW = 24\r\n --\r\n MFTA_STANDARD_INFORMATION\r\n CreationTimeQ = 129938289425003390\r\n ModificationTimeQ = 129938289502223390\r\n MFTModificationTimeQ = 129938289502223390\r\n AccessTimeQ = 129938289425003390\r\n FlagsD = 32\r\n MaxNumOfVersionsD = 0\r\n VersionNumberD = 0\r\n ClassIdD = 0\r\n OwnerIdD = 0\r\n SecurityIdD = 261\r\n QuotaQ = 0\r\n USNQ = 0\r\n CreationTime (epoch) = 1349355342\r\n ModificationTime (epoch) = 1349355350\r\n MFTModificationTime (epoch) = 1349355350\r\n AccessTime (epoch) = 1349355342\r\n --\r\n\r\n RESIDENT ATTRIBUTE\r\n AttributeTypeIdentifierD = 48\r\n LengthOfAttributeD = 104\r\n NonResidentFlagB = 0\r\n LengthOfNameB = 0\r\n OffsetToNameW = 0\r\n FlagsW = 0\r\n AttributeIdentifierW = 2\r\n --\r\n SizeOfContentD = 74\r\n OffsetToContentW = 24\r\n --\r\n MFTA_FILE_NAME\r\n ParentID6 = 5\r\n ParentUseIndexW = 5\r\n CreationTimeQ = 129938289425003390\r\n ModificationTimeQ = 129938289425003390\r\n MFTModificationTimeQ = 129938289425003390\r\n AccessTimeQ = 129938289425003390\r\n CreationTime (epoch) = 1349355342\r\n ModificationTime (epoch) = 1349355342\r\n MFTModificationTime (epoch) = 1349355342\r\n AccessTime (epoch) = 1349355342\r\n AllocatedSizeQ = 0\r\n RealSizeQ = 0\r\n FlagsD = 32\r\n ReparseValueD = 0\r\n LengthOfNameB = 4\r\n NameSpaceB = 3\r\n FileName<\/strong> = test<\/span><\/strong>\r\n --\r\n\r\n RESIDENT ATTRIBUTE\r\n AttributeTypeIdentifierD = 128\r\n LengthOfAttributeD = 40\r\n NonResidentFlagB = 0\r\n LengthOfNameB = 0\r\n OffsetToNameW = 24\r\n FlagsW = 0\r\n AttributeIdentifierW = 1\r\n --\r\n SizeOfContentD = 13\r\n OffsetToContentW = 24\r\n --\r\n MFTA_DATA<\/strong>\r\n --\r\n\r\n RESIDENT ATTRIBUTE\r\n AttributeTypeIdentifierD = 128\r\n LengthOfAttributeD = 48\r\n NonResidentFlagB = 0\r\n LengthOfNameB = 3\r\n OffsetToNameW = 24\r\n FlagsW = 0\r\n AttributeIdentifierW = 3\r\n --\r\n SizeOfContentD = 13\r\n OffsetToContentW = 32\r\n --\r\n MFTA_DATA<\/strong>\r\n AttributeName<\/strong> = ads<\/span><\/strong>\r\n --\r\n\r\n RESIDENT ATTRIBUTE\r\n AttributeTypeIdentifierD = 128\r\n LengthOfAttributeD = 48\r\n NonResidentFlagB = 0\r\n LengthOfNameB = 4\r\n OffsetToNameW = 24\r\n FlagsW = 0\r\n AttributeIdentifierW = 4\r\n --\r\n SizeOfContentD = 13\r\n OffsetToContentW = 32\r\n --\r\n MFTA_DATA<\/strong>\r\n AttributeName<\/strong> = ads2<\/span><\/strong>\r\n --\r\n\r\n RESIDENT ATTRIBUTE\r\n AttributeTypeIdentifierD = 128\r\n LengthOfAttributeD = 48\r\n NonResidentFlagB = 0\r\n LengthOfNameB = 4\r\n OffsetToNameW = 24\r\n FlagsW = 0\r\n AttributeIdentifierW = 5\r\n --\r\n SizeOfContentD = 13\r\n OffsetToContentW = 32\r\n --\r\n MFTA_DATA<\/strong>\r\n AttributeName<\/strong> = ads3<\/span><\/strong><\/pre>\n<\/p>\n
- \n
- Knowing all this, we can quickly put together a perl script that can walk through the data and pick up all ADS from the output file:<\/li>\n<\/ul>\n
use strict;\r\nmy $f='';\r\nmy $l='';\r\nwhile (<>)\r\n{\r\n\u00a0 s\/[\\r\\n]+\/\/g;\r\n\u00a0 $f = $1 if \/FileName = (.+)$\/;\r\n\u00a0 print \"$f:$1\\n\" if ($l =~ \/MFTA_DATA\/&&\/AttributeName = (.+)$\/);\r\n\u00a0 $l = $_;\r\n}<\/pre>\n- \n
- Save it as ads.pl<\/strong><\/li>\n
- Run it using the following syntax<\/li>\n<\/ul>\n
perl ads.pl <hmft output><\/pre>\n
e.g.:<\/p>\n
perl ads.pl f_mft.txt<\/pre>\n
The output for the example file system is:<\/p>\n
$Repair:$Config\r\ntest:ads\r\ntest:ads2\r\ntest:ads3<\/pre>\n
![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/HMFT_finding_ADS_1-300x202.png\" "\\"HMFT_finding_ADS_1\\"")
<\/a><\/p>\nI suggest you running a test on your local drives\u00a0 – you are probably going to be quite surprised \ud83d\ude42<\/p>\n
Not only you may find plenty of files with ADS, but you may also get to know less-known good ADSs – many of them I have listed previously<\/a> and a few more e.g. internal ADSs used by OS:<\/p>\n
- \n
- $Info in $UpCase:$Info<\/li>\n
- $Config in $Repair:$Config<\/li>\n
- $Max in $UsnJrnl:$Max<\/li>\n<\/ul>\n
and also MAC-related streams (resource forks) added by Safari\u00a0 (kinda equivalents of IE’s Zone.Identifier)<\/p>\n
- \n
- com.apple.quarantine<\/li>\n
- com.apple.metadata:kMDItemWhereFroms<\/li>\n<\/ul>\n
Note on a small bug here: with a larger number of ADSs the ads.pl script will show incorrect entries as ADS attributes that don’t fit within one FILE record will be stored elsewhere and w\/o FILENAME attribute, hence the associated file name will be incorrect. Some may be also stored under ATTRIBUTE_LIST that is not supported by HMFT yet.<\/p>\n","protected":false},"excerpt":{"rendered":"
Finding Alternate Data Streams\u00a0 (ADS) on the whole drive may be quite time consuming so in this quick post I will show you how to do it faster with HMFT. As you probably know, the latest version of HMFT supports … Continue reading
- Run it using the following syntax<\/li>\n<\/ul>\n
- Save it as ads.pl<\/strong><\/li>\n
- Knowing all this, we can quickly put together a perl script that can walk through the data and pick up all ADS from the output file:<\/li>\n<\/ul>\n
- Finally, let’s see the content of the file – scroll down to see file name, first unnamed DATA attribute that is then followed by 3 named DATA attributes – ADS names:<\/li>\n<\/ul>\n
- Next, we run hmft over the drive and saving it to a file<\/li>\n<\/ul>\n