Windows NT Data Streams Defined
In DOS and Microsoft Windows 9x, a file holds a single body of data: the program, graphic, database, word processing document, spreadsheet or other content that the file represents. Files are still the unit of storage under Microsoft Windows NT on an NTFS partition. However, NTFS (shipped with Windows NT since version 3.1) adds a storage concept called data streams, which allow several independent bodies of data to be attached to one file. A single file can therefore carry any number of programs, graphics, word processing documents, databases, spreadsheets or other data, each in its own stream. This changes some of the rules for computer security and for computer forensics investigations.
The following example makes the data stream concept clear. It shows a file called INFO with four data streams:

Stream   Identifier     Content
1        INFO           (none)
2        INFO:Name      New Technologies Inc.
3        INFO:Address   2075 NE Division Street
4        INFO:Phone     503-661-6912
Each of these data streams is independent. There does not have to be any relationship between the data in any of the streams. One stream could contain a program file; another could contain a graphics file; and another could contain a database or anything else for that matter.
- The first data stream is known as the "no-name" (unnamed) stream because it takes the name of the file and no additional name is given to the stream itself. In this case it has no content, meaning there is no data associated with it, but there could be.
- The second data stream is known as "Name" and its content is New Technologies Inc.
- The third data stream is known as "Address" and its content is 2075 NE Division Street.
- The fourth data stream is known as "Phone" and its content is 503-661-6912.
Data streams are identified by the file name, a colon, and the stream name. In this case the second stream is known as INFO:Name, the third as INFO:Address and the fourth as INFO:Phone. Not all software recognizes data streams; none of the Microsoft Office products do. Interestingly, Microsoft's Notepad opens a data stream when it is specified on the command line or the Run line (for example, notepad INFO:Name) but cannot open one entered in Notepad's own File Open dialog box. Also be aware that some computer viruses use data streams to hide their code on an infected computer.
Computer security specialists need to be aware of data streams because the Windows NT file listing programs are silent about them: neither the Windows NT DIR command nor Windows NT Explorer lists data streams. Listing the file INFO with either program would show INFO as 0 bytes because, in this instance, the unnamed stream holds no data, and neither program gives any indication that the other streams exist. Only the unnamed stream is counted in the reported file size. To view the data in the other streams you must already know that they exist and know their names. If you do, you can open a Windows NT command prompt and issue a command such as MORE < INFO:Name, which displays the content of the second data stream, New Technologies Inc.
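The following PowerShell script is an added example, not part of the original NTI article, and it assumes Windows PowerShell 3.0 or later on an NTFS volume (the -Stream parameter does not exist on Windows NT 4; there, echo text > INFO:Name and MORE < INFO:Name at the command prompt do the same job). The file, stream names and contents are constructed to match the INFO example above. It creates the file with an empty unnamed stream and three named streams, shows that a normal listing reports 0 bytes, enumerates every stream, reads one back, and finishes with a hypothetical helper, Find-NamedStreams, that walks a directory tree and reports every file carrying a named stream.

```powershell
# Added example (not from the original NTI article): create, list and read
# NTFS alternate data streams with Windows PowerShell 3.0+ on an NTFS volume.
# The directory, file, stream names and contents are constructed for illustration.

$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'INFO'

# Create INFO with an empty unnamed ("no-name") stream, then attach three named streams.
New-Item -ItemType File -Path $file -Force | Out-Null
Set-Content -Path $file -Stream 'Name'    -Value 'New Technologies Inc.'
Set-Content -Path $file -Stream 'Address' -Value '2075 NE Division Street'
Set-Content -Path $file -Stream 'Phone'   -Value '503-661-6912'

# A normal listing shows INFO as 0 bytes: only the unnamed stream is counted.
Get-ChildItem -Path $file | Select-Object Name, Length

# Enumerate every stream on the file. The unnamed stream is reported as ':$DATA'.
Get-Item -Path $file -Stream * | Select-Object Stream, Length

# Read one named stream, the PowerShell equivalent of "MORE < INFO:Name".
Get-Content -Path $file -Stream 'Name'

# Hypothetical forensic helper: walk a tree and report every file that carries a
# named stream. The unnamed stream (':$DATA') is present on every file and is skipped.
function Find-NamedStreams {
    param([Parameter(Mandatory)][string]$Root)
    Get-ChildItem -Path $Root -File -Recurse -Force |
        ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Select-Object FileName, Stream, Length
        }
}

Find-NamedStreams -Root $dir
```

When running the sweep over a real system, expect many benign hits: files downloaded by a browser carry a Zone.Identifier stream that marks their origin, so filter those out before treating a named stream as suspicious. On Windows Vista and later, the command prompt's DIR /R also lists named streams, but the Explorer file size still counts only the unnamed stream, so a large payload hidden in a named stream remains invisible to a casual directory view.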
Fortunately, NTI's computer forensics tools recognize and process data streams. NTI also covers data streams in detail in its 5-day Computer Forensics Training Course, and participants are provided with software that identifies and processes the data associated with data streams. So any time you see a ":" as part of a file name in a listing produced by one of these tools, it is probable that you have a file with multiple data streams.

