Fork (file system)

from Wikipedia, the free encyclopedia

Forks are a data structure for storing further structured data within a file alongside the main data; in other words, a concept for storing multiple data streams in one file.

Although the concept was also used elsewhere and originally came from a different environment, it is now best known from the Apple Macintosh, with its so-called resource forks.

In the HPFS file system of OS/2 this data is called Extended Attributes (EA); in the NTFS file system of Windows it is called Alternate Data Streams.

Apple Macintosh

On the Apple Macintosh, files can contain a so-called resource fork in addition to the so-called data fork with the main data. This data structure is used in Apple's file systems (MFS, HFS, HFS+) to record metadata of any size. In older program files, for example, it holds resources such as icons, menu contents or program code, or the user data of a font file. Such programs could therefore be localized, for example translated into another language, by editing the resource fork with a resource editor.

Common editors for accessing and editing the content of resource forks were:

  • ResEdit: free software from Apple with a graphical representation of the data structure and its contents (out of date),
  • Resorcerer: a popular, albeit expensive, commercial application that knows more data types than ResEdit,
  • ResKnife: free software for Mac OS X,
  • Rezycle: a Mac OS X tool that can extract resource fork content into separate files and sometimes convert it into more usable, more modern formats.

Since the introduction of Mac OS X in 2000, resource forks are no longer used for programs. Instead, all data required by the program is stored in individual files in a package, which is actually a subdirectory but is presented to the user as a program.

Solaris

If a ZFS-based file system is exported under Solaris with the kernel-based SMB service, alternate data streams are mapped to files with the same name in the Extended Attribute directory assigned to the respective base file.

Windows

The Windows NTFS file system supports so-called Alternate Data Streams (ADS). With this function, data can be stored attached to a file without being visible to the user. This feature is less well known, and the data streams are more difficult to find than the resource forks of the Apple Macintosh. Alternate Data Streams are a simplified implementation of the Extended Attribute namespace available under Solaris and NFSv4, which is implemented on the UFS and ZFS file systems.

Use

Microsoft Windows 2000 and Windows XP use ADS sub-streams to store the metadata available in the property sheet of each file, and much more depending on the application. Under Windows XP (from Service Pack 2) a so-called zone identifier is also saved, which makes it possible to recognize later which files were downloaded from the Internet. Internet Explorer and, from version 3, Mozilla Firefox add the relevant information when downloading.

Concept

Any number of sub-streams can be saved for each file. In practice, this means that any number of other files can be attached to each file; they are not visible, but, as long as the operation takes place within NTFS drives, they are moved and copied together with the file. The hidden file fragments are accessed with a colon: beispiel.txt:myfile.txt denotes a data stream named myfile.txt associated with the file beispiel.txt. In addition to files, folders can also contain additional data streams, which makes it difficult to find unwanted ADS.

Security

  • Since ADS streams are invisible to the user and not all antivirus programs can scan ADS, viruses can exploit this function.
  • Data in ADS can be executed just like normal files. Such executable data can be run at autostart with a start command.
  • When folder sizes are calculated, e.g. in the properties of a folder in Windows Explorer, the space occupied by ADS streams is not included. Large amounts of data that are difficult to find can thus be "hidden".

During the transition to the Windows Vista operating system, Microsoft severely restricted the use of ADS streams for security reasons.

Example

Generation of an ADS

In the command line interpreter the following command line creates a file myfile.txt with an ADS with the name myads.txt and the content "Wikipedia":

echo "Wikipedia" > myfile.txt:myads.txt

Executable files (here the Windows Calculator) can also be written to an ADS (here an ADS of the Windows directory):

type C:\Windows\system32\calc.exe > C:\Windows:bad.exe

Display of an ADS

The content can be viewed as follows:

more < myfile.txt:myads.txt

Listing an ADS

As of Windows Vista, the names of alternate data streams can be displayed with the following command:

dir /r
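
The following Python example is added here and is not part of the original article. It parses the output of dir /r to list named streams, totals the bytes that folder-size calculations leave out, and singles out streams other than the zone identifier. The sample listing is constructed; its English-locale layout, the stream name Zone.Identifier and the extension list are assumptions.

```python
import re

# Constructed sample of `dir /r` output; English-locale layout is assumed.
SAMPLE = r"""
 Directory of C:\demo
02/19/2020  10:00 AM    <DIR>          logs
                             27,648 logs:bad.exe:$DATA
02/19/2020  10:01 AM                 0 myfile.txt
                                 14 myfile.txt:myads.txt:$DATA
02/19/2020  10:02 AM           104,857 setup.zip
                                 26 setup.zip:Zone.Identifier:$DATA
               2 File(s)        104,857 bytes
"""

DIR_LINE = re.compile(r"^\s*Directory of (.+?)\s*$")
# Stream lines carry no date: "<size> <host>:<stream>:$DATA"
STREAM_LINE = re.compile(r"^\s+([\d.,]+)\s+([^:]+):([^:]+):\$DATA\s*$")
EXPECTED = {"zone.identifier"}  # zone identifier written on download
EXEC_EXT = (".exe", ".dll", ".bat", ".cmd", ".ps1", ".vbs", ".js")  # assumed list

def parse_streams(listing):
    """Return one dict per named stream found in `dir /r` output."""
    streams, cwd = [], ""
    for line in listing.splitlines():
        m = DIR_LINE.match(line)
        if m:
            cwd = m.group(1)
            continue
        m = STREAM_LINE.match(line)
        if m:
            size = int(re.sub(r"[.,]", "", m.group(1)))  # drop thousands separators
            streams.append({"host": cwd + "\\" + m.group(2),
                            "stream": m.group(3), "size": size})
    return streams

def audit(listing):
    """Total the bytes held in named streams and pick out the ones to review."""
    streams = parse_streams(listing)
    unexpected = [s for s in streams if s["stream"].lower() not in EXPECTED]
    executable = [s for s in unexpected if s["stream"].lower().endswith(EXEC_EXT)]
    return {"hidden_bytes": sum(s["size"] for s in streams),
            "unexpected": unexpected, "executable": executable}

if __name__ == "__main__":
    report = audit(SAMPLE)
    print("bytes in named streams:", report["hidden_bytes"])
    for s in report["unexpected"]:
        print("review:", s["host"] + ":" + s["stream"], s["size"], "bytes")
```
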

Running an ADS

The following command is sufficient to start the file:

start C:\Windows:bad.exe

Removing an ADS

Removing an ADS is cumbersome because the delete command (del) does not work on ADS. The only simple approach therefore removes all ADS that belong to a file rather than an individual one:

type myfile.txt > myfile.bak
del myfile.txt
ren myfile.bak myfile.txt

Alternatively, a file with ADS can be copied to another file system that does not support ADS (for example FAT32) and copied back. Any ADS is lost in the process.

It is easier with the streams command from the Windows Sysinternals Suite:

streams -d -s *.*

This command removes all ADS streams recursively in the file system. The -d option stands for delete, the -s option for recursive. Without -d the streams are only listed.
