Gee Gee - 1 year ago 72
C++ Question

NTFS: Multiple $DATA attributes, with the same name

I am aware that NTFS supports ADS, which means multiple data streams, while each one has a different name. However, I am currently trying to parse my volume and a specific MFT record owns 3 unnamed, unique (different in size and data runs) data streams.
The file is filled with 256mb of "~" (single character), and all the data streams were found in related MFT Records which were collected the attributes list attribute. In a normal "flow", I would parse the data runs of the desired stream, and read from the desired offset the desired length. How am I supposed to deal with this situation? (== read the file's content)

Answer Source

Each Alternate Data Streams (ADS) should have an unique name. It's right that you have several attributes with type $DATA, but it should have different names. E.g. if some file multiple.txt has ADS with name overhere it should have the following $DATA attributes. Sample from here:

Type: $DATA (128-1)   Name: $Data      Resident   size: 15
Type: $DATA (128-5)   Name: overhere   Resident   size: 26

The full name of 128-1 is multiple.txt and the full name of 128-5 is multiple.txt:overhere

Other unnamed attributes typically are:

Type: $STANDARD_INFORMATION (16-0)   Name: N/A   Resident   size: 72
Type: $FILE_NAME (48-2)              Name: N/A   Resident   size: 90
Type: $OBJECT_ID (64-3)              Name: N/A   Resident   size: 16

Try the istat Sleuthkit utility for your MFT record:

istat -f ntfs <SourceName> <ID>

With the other tools from collection you will be able to copy the content of these data streams.

It's an open source, so you could check the details of NTFS implementation and to investigate how the data retrieved from the $DATA.

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download