1
00:00:00,05 --> 00:00:02,04
- [Host] Windows systems usually boot from,

2
00:00:02,04 --> 00:00:05,01
and use, a disk with the NTFS file system.

3
00:00:05,01 --> 00:00:07,05
And when they do, they store their file system metadata

4
00:00:07,05 --> 00:00:10,08
in a structure called an MFT, or master file table.

5
00:00:10,08 --> 00:00:13,02
This data structure keeps track of the names of files

6
00:00:13,02 --> 00:00:15,03
and where their data is stored on the disk.

7
00:00:15,03 --> 00:00:17,09
It also keeps track of the basic and extended attributes

8
00:00:17,09 --> 00:00:19,03
we can attach to the files,

9
00:00:19,03 --> 00:00:21,05
in addition to some more specialized metadata.

10
00:00:21,05 --> 00:00:22,04
This data structure

11
00:00:22,04 --> 00:00:26,03
allows us to add alternate data streams to files as well.

12
00:00:26,03 --> 00:00:27,05
Like other file systems,

13
00:00:27,05 --> 00:00:30,00
NTFS stores standard information like file names

14
00:00:30,00 --> 00:00:33,00
and various file modification dates.

15
00:00:33,00 --> 00:00:34,08
We can see some of this basic information

16
00:00:34,08 --> 00:00:36,07
in the Explorer properties pane,

17
00:00:36,07 --> 00:00:38,06
which we can get to by right-clicking a file

18
00:00:38,06 --> 00:00:42,04
and choosing Properties.

19
00:00:42,04 --> 00:00:45,02
Here's the name, the size, and a few dates.

20
00:00:45,02 --> 00:00:47,08
We can find a bit more information over on the Details tab,

21
00:00:47,08 --> 00:00:49,08
including some of its attributes.

22
00:00:49,08 --> 00:00:54,02
We'll explore attributes more in just a moment.

23
00:00:54,02 --> 00:00:57,03
We can also find information using PowerShell.

24
00:00:57,03 --> 00:00:59,01
Here in my PowerShell terminal,

25
00:00:59,01 --> 00:01:02,01
I've navigated to the directory where my files are stored,

26
00:01:02,01 --> 00:01:04,08
and I'll type "Get-ItemProperty,"

27
00:01:04,08 --> 00:01:06,00
the name of the file,

28
00:01:06,00 --> 00:01:10,00
and I'll pipe that into Format-List.

29
00:01:10,00 --> 00:01:11,07
And here we can see the creation time,

30
00:01:11,07 --> 00:01:13,05
and we can also see the last write time

31
00:01:13,05 --> 00:01:14,09
and the last access time:

32
00:01:14,09 --> 00:01:18,00
the most recent times when the file was modified and read.

33
00:01:18,00 --> 00:01:19,08
Depending on the type of file we're looking at,

34
00:01:19,08 --> 00:01:21,05
we may see other metadata as well

35
00:01:21,05 --> 00:01:23,07
in this properties window.

36
00:01:23,07 --> 00:01:24,09
Using graphical tools,

37
00:01:24,09 --> 00:01:28,01
we can set access parameters for the file

38
00:01:28,01 --> 00:01:31,08
to determine which of the users have which level of access.

39
00:01:31,08 --> 00:01:32,09
This access control list

40
00:01:32,09 --> 00:01:35,01
can be set by users on files they own

41
00:01:35,01 --> 00:01:40,05
and can be set universally by the administrator.

42
00:01:40,05 --> 00:01:43,02
We can also view these from the PowerShell terminal

43
00:01:43,02 --> 00:01:48,03
with the command "Get-Acl," the file name,

44
00:01:48,03 --> 00:01:52,02
and then again I'll pipe this to Format-List.

45
00:01:52,02 --> 00:01:55,00
And here I can see this file's ACL.

46
00:01:55,00 --> 00:01:57,06
There are also PowerShell commands to modify these ACLs,

47
00:01:57,06 --> 00:01:58,09
should we need to do that.

48
00:01:58,09 --> 00:02:00,06
But this course isn't about determining

49
00:02:00,06 --> 00:02:02,03
and designing access control,

50
00:02:02,03 --> 00:02:04,06
so take a look at our courses on Windows administration

51
00:02:04,06 --> 00:02:10,06
for more detail on that topic.

52
00:02:10,06 --> 00:02:13,01
Files on a Windows system can have a variety of attributes

53
00:02:13,01 --> 00:02:14,08
that control how they work.

54
00:02:14,08 --> 00:02:18,07
Among these are "read-only," "hidden," and "archive."

55
00:02:18,07 --> 00:02:19,08
In the PowerShell terminal,

56
00:02:19,08 --> 00:02:23,03
we can run the command "attrib /?"

57
00:02:23,03 --> 00:02:24,06
to see how to use this command

58
00:02:24,06 --> 00:02:27,00
and what the available attributes are.

59
00:02:27,00 --> 00:02:32,06
Let's use the "hidden" attribute to practice here.

60
00:02:32,06 --> 00:02:37,01
I'll write "attrib +H," then the file name, market photo dot jpeg,

61
00:02:37,01 --> 00:02:38,07
with "+H" to add the "H,"

62
00:02:38,07 --> 00:02:40,08
or "hidden," attribute to this file.

63
00:02:40,08 --> 00:02:41,06
Before I run that,

64
00:02:41,06 --> 00:02:44,01
watch over here on the right side in Explorer.

65
00:02:44,01 --> 00:02:46,04
I'll run the command, and there goes the file.

66
00:02:46,04 --> 00:02:48,04
It's hidden from view.

67
00:02:48,04 --> 00:02:51,04
And when I list the files in this directory,

68
00:02:51,04 --> 00:02:55,02
it doesn't show up here either.

69
00:02:55,02 --> 00:02:57,02
I can tell Explorer to show hidden files

70
00:02:57,02 --> 00:03:02,00
with this option here.

71
00:03:02,00 --> 00:03:03,02
And I can use the command

72
00:03:03,02 --> 00:03:05,06
"dir -Fo,"

73
00:03:05,06 --> 00:03:07,02
or a handful of other similar commands,

74
00:03:07,02 --> 00:03:08,04
like the PowerShell command

75
00:03:08,04 --> 00:03:12,08
"Get-ChildItem -Force," to see all the files.

76
00:03:12,08 --> 00:03:16,07
Here's my hidden file.

77
00:03:16,07 --> 00:03:19,05
And notice that it has an "H" here in its mode string,

78
00:03:19,05 --> 00:03:22,05
while all the others just have "A" for archive.

79
00:03:22,05 --> 00:03:23,09
This file will also be hidden

80
00:03:23,09 --> 00:03:25,09
as long as it stays stored on a file system

81
00:03:25,09 --> 00:03:28,00
that supports this attribute.

82
00:03:28,00 --> 00:03:29,02
But the attribute will be stripped

83
00:03:29,02 --> 00:03:30,06
if I copy this to a file system

84
00:03:30,06 --> 00:03:37,02
that doesn't support attributes, like exFAT.

85
00:03:37,02 --> 00:03:38,05
We can unhide the file with

86
00:03:38,05 --> 00:03:41,02
"attrib -H."

87
00:03:41,02 --> 00:03:45,06
And now it's back.

88
00:03:45,06 --> 00:03:47,07
Windows supports alternate data streams,

89
00:03:47,07 --> 00:03:51,04
which provide a way to attach additional data to a file.

90
00:03:51,04 --> 00:03:53,02
Some software, like web browsers,

91
00:03:53,02 --> 00:03:54,06
will stick an alternate data stream

92
00:03:54,06 --> 00:03:57,05
onto downloaded files to indicate their origin URL.

93
00:03:57,05 --> 00:04:00,05
And alternate data streams have other uses as well.

94
00:04:00,05 --> 00:04:01,07
Here in the PowerShell terminal,

95
00:04:01,07 --> 00:04:03,09
let's attach a small amount of text to a file

96
00:04:03,09 --> 00:04:08,07
and give that value a name.

97
00:04:08,07 --> 00:04:10,03
I'll write "Set-Content,"

98
00:04:10,03 --> 00:04:12,01
provide the name of my file,

99
00:04:12,01 --> 00:04:13,08
and then I'll type a colon,

100
00:04:13,08 --> 00:04:15,09
and I'll follow that colon with a key.

101
00:04:15,09 --> 00:04:17,05
For this key, I'll set the value

102
00:04:17,05 --> 00:04:22,08
"this is my custom value."

103
00:04:22,08 --> 00:04:23,09
Next, I'll run Get-Item

104
00:04:23,09 --> 00:04:29,07
on all the files here in my directory.

105
00:04:29,07 --> 00:04:31,04
Even though I've added a value to this file,

106
00:04:31,04 --> 00:04:33,04
there's no indication of it here.

107
00:04:33,04 --> 00:04:36,00
This is only showing the data streams.

108
00:04:36,00 --> 00:04:38,00
To see my custom data stream,

109
00:04:38,00 --> 00:04:40,02
I'll write "Get-Item,"

110
00:04:40,02 --> 00:04:41,07
provide the file name,

111
00:04:41,07 --> 00:04:42,06
and then tell PowerShell

112
00:04:42,06 --> 00:04:46,06
to show me all the streams for this file.

113
00:04:46,06 --> 00:04:48,05
The first one here is the data stream.

114
00:04:48,05 --> 00:04:50,08
That's the actual file.

115
00:04:50,08 --> 00:04:53,04
And down here is the stream called "My Data."

116
00:04:53,04 --> 00:05:00,00
This is the data that I attached to the file.

117
00:05:00,00 --> 00:05:01,01
To see what's in that stream,

118
00:05:01,01 --> 00:05:02,05
I can run Get-Content,

119
00:05:02,05 --> 00:05:04,06
provide the file name, type a colon,

120
00:05:04,06 --> 00:05:09,00
and then use the key that I set earlier, "My Data."

121
00:05:09,00 --> 00:05:11,04
And there's the value that I set for this key.

122
00:05:11,04 --> 00:05:14,00
We can use the Remove-Item command to erase an entry,

123
00:05:14,00 --> 00:05:15,06
and there are some other, more specific commands

124
00:05:15,06 --> 00:05:18,01
for working with these values too.

125
00:05:18,01 --> 00:05:19,07
Take a look at the help for Get-Content

126
00:05:19,07 --> 00:05:21,08
or Get-Item to learn a bit more.

127
00:05:21,08 --> 00:05:24,04
Earlier, I mentioned that browsers often set an ADS.

128
00:05:24,04 --> 00:05:28,04
So let's take a look at a downloaded file.

129
00:05:28,04 --> 00:05:30,02
I'll switch over to my Downloads directory

130
00:05:30,02 --> 00:05:33,07
and I'll clear the screen.

131
00:05:33,07 --> 00:05:35,03
Earlier I downloaded ExifTool,

132
00:05:35,03 --> 00:05:37,06
so let's take a look at that file.

133
00:05:37,06 --> 00:05:42,03
I'll write "Get-Item," provide a file name,

134
00:05:42,03 --> 00:05:46,09
and let's take a look at all of the streams.

135
00:05:46,09 --> 00:05:50,01
As we'd expect, here's a data stream,

136
00:05:50,01 --> 00:05:54,00
and here's an ADS called "Zone.Identifier."

137
00:05:54,00 --> 00:05:56,07
Let's see what that is.

138
00:05:56,07 --> 00:05:59,04
I'll write "Get-Content," provide the file name,

139
00:05:59,04 --> 00:06:01,04
type a colon, and then I'll use the key

140
00:06:01,04 --> 00:06:04,01
"Zone.Identifier."

141
00:06:04,01 --> 00:06:06,08
And I can see the URL this file was downloaded from.

142
00:06:06,08 --> 00:06:07,08
Neat.

143
00:06:07,08 --> 00:06:09,05
So you can see how alternate data streams

144
00:06:09,05 --> 00:06:11,01
would be useful for tagging files

145
00:06:11,01 --> 00:06:13,02
with custom information.

146
00:06:13,02 --> 00:06:15,07
We could copy a whole program, even a malicious one,

147
00:06:15,07 --> 00:06:17,00
into an alternate data stream

148
00:06:17,00 --> 00:06:18,06
of an otherwise innocent program,

149
00:06:18,06 --> 00:06:20,04
hiding it from casual investigation

150
00:06:20,04 --> 00:06:23,01
but still allowing us to run it if we know where to look.

151
00:06:23,01 --> 00:06:24,08
Malware scanners are aware of this trick, though,

152
00:06:24,08 --> 00:06:27,08
and can find hidden malware in alternate streams.

153
00:06:27,08 --> 00:06:29,08
Because we can attach any data to a file,

154
00:06:29,08 --> 00:06:31,09
and because some metadata gets added to files

155
00:06:31,09 --> 00:06:33,01
by other software,

156
00:06:33,01 --> 00:06:34,00
alternate data streams

157
00:06:34,00 --> 00:06:36,03
can present a risk of information oversharing

158
00:06:36,03 --> 00:06:38,02
or other security problems.

159
00:06:38,02 --> 00:06:41,03
Alternate data streams exist only by that name on Windows,

160
00:06:41,03 --> 00:06:42,03
and on other platforms

161
00:06:42,03 --> 00:06:44,01
we'll see similar metadata structures

162
00:06:44,01 --> 00:06:46,09
referred to as "extended attributes."

163
00:06:46,09 --> 00:06:48,09
As long as we keep files on file systems

164
00:06:48,09 --> 00:06:50,04
with support for these values,

165
00:06:50,04 --> 00:06:52,06
our data streams, or extended attributes,

166
00:06:52,06 --> 00:06:55,03
can transfer between platforms.

167
00:06:55,03 --> 00:06:57,05
But if we try to copy a file to a file system

168
00:06:57,05 --> 00:06:58,08
that doesn't support them,

169
00:06:58,08 --> 00:07:01,07
like exFAT, FAT32, or plain old FAT,

170
00:07:01,07 --> 00:07:03,04
we'll see a warning that these extra streams

171
00:07:03,04 --> 00:07:07,02
will be dropped.

172
00:07:07,02 --> 00:07:08,03
That may be fine with us

173
00:07:08,03 --> 00:07:10,05
if we only want to copy the actual file data

174
00:07:10,05 --> 00:07:12,03
and don't care about the metadata.

175
00:07:12,03 --> 00:07:13,09
But if we need to preserve that data,

176
00:07:13,09 --> 00:07:19,07
we'll need to find an NTFS disk to copy it onto.

177
00:07:19,07 --> 00:07:21,01
When we customize the view settings

178
00:07:21,01 --> 00:07:22,01
of a Windows folder,

179
00:07:22,01 --> 00:07:23,08
those changes are stored in the folder

180
00:07:23,08 --> 00:07:26,04
in a file called Desktop.ini,

181
00:07:26,04 --> 00:07:28,05
so the changes persist both on our system

182
00:07:28,05 --> 00:07:29,07
and on other Windows systems

183
00:07:29,07 --> 00:07:31,03
where we might use the folder.

184
00:07:31,03 --> 00:07:33,06
This file doesn't store a large amount of information,

185
00:07:33,06 --> 00:07:34,09
but it can tell us a little bit,

186
00:07:34,09 --> 00:07:37,04
like what the custom icon or image for a folder is,

187
00:07:37,04 --> 00:07:38,06
and so on.

188
00:07:38,06 --> 00:07:40,07
Another file type that could reveal some information

189
00:07:40,07 --> 00:07:42,02
is Thumbs.db,

190
00:07:42,02 --> 00:07:44,04
a file generated by older versions of Windows

191
00:07:44,04 --> 00:07:46,09
when viewing media in a thumbnail view.

192
00:07:46,09 --> 00:07:48,06
This file contains small images

193
00:07:48,06 --> 00:07:51,03
that represent the media files in the directory.

194
00:07:51,03 --> 00:07:53,05
If we delete an image in a directory on Windows,

195
00:07:53,05 --> 00:07:55,09
the thumbnails file should eventually be updated.

196
00:07:55,09 --> 00:07:57,06
But if we have a copy of this file

197
00:07:57,06 --> 00:08:00,01
and the associated images on another platform,

198
00:08:00,01 --> 00:08:02,02
and we delete one or more images there,

199
00:08:02,02 --> 00:08:04,02
the thumbs file won't be updated,

200
00:08:04,02 --> 00:08:07,04
and so a small copy of a deleted image can persist.

201
00:08:07,04 --> 00:08:09,04
These images can be extracted from the file

202
00:08:09,04 --> 00:08:10,07
in low resolution,

203
00:08:10,07 --> 00:08:12,06
and thus can reveal some information

204
00:08:12,06 --> 00:08:13,06
about what is in a folder,

205
00:08:13,06 --> 00:08:15,07
or what has been in a folder.

206
00:08:15,07 --> 00:08:18,05
While the Desktop.ini and Thumbs.db files

207
00:08:18,05 --> 00:08:20,06
aren't strictly file system metadata,

208
00:08:20,06 --> 00:08:23,02
they both serve to store some information about files

209
00:08:23,02 --> 00:08:25,04
outside of the file data itself.

210
00:08:25,04 --> 00:08:27,09
And because they can contain information about files,

211
00:08:27,09 --> 00:08:30,07
they can present a security risk.

212
00:08:30,07 --> 00:08:33,04
Windows, in conjunction with the NTFS file system,

213
00:08:33,04 --> 00:08:35,07
offers many different file system metadata values

214
00:08:35,07 --> 00:08:38,09
that are used across the system and by users.

215
00:08:38,09 --> 00:08:41,00
NTFS can accommodate metadata values

216
00:08:41,00 --> 00:08:42,06
from other platforms too,

217
00:08:42,06 --> 00:08:46,00
making it a suitable backend for a file sharing system.

218
00:08:46,00 --> 00:08:48,02
As we'll see when working with other file systems,

219
00:08:48,02 --> 00:08:50,07
many of the metadata types that we've explored here

220
00:08:50,07 --> 00:08:53,05
are represented on Linux and macOS file systems.

221
00:08:53,05 --> 00:08:55,03
Their names vary a bit, though,

222
00:08:55,03 --> 00:08:56,04
and not all platforms

223
00:08:56,04 --> 00:08:59,00
can write to all of these file systems directly.
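Editor's added example, placed after the end of the transcript and not part of the host's narration: a PowerShell script that reproduces the attribute and alternate-data-stream walkthrough above end to end and adds the two things a practitioner would want next, parsing the Zone.Identifier (Mark of the Web) stream and sweeping a folder for any stream other than the default `:$DATA`, which is the check a triage script or scanner performs to surface data hidden in an ADS. The folder `ads-lab` under `$env:TEMP`, the file names, the stream name `MyData`, and the URLs in the constructed Zone.Identifier are all assumptions made for this example; it needs an NTFS volume and Windows PowerShell 5.1 or later.

```powershell
# Added example (not from the course): NTFS attributes and alternate data streams.
# Assumptions: $env:TEMP is on NTFS; file and stream names below are made up.

$lab = Join-Path $env:TEMP 'ads-lab'
New-Item -ItemType Directory -Path $lab -Force | Out-Null
Set-Location $lab

# Constructed sample files standing in for a photo and a browser download.
Set-Content -Path 'market-photo.jpg'     -Value 'constructed sample bytes, not a real JPEG'
Set-Content -Path 'downloaded-tool.exe'  -Value 'constructed sample bytes, not a real EXE'

# --- Attributes -------------------------------------------------------------
attrib +H market-photo.jpg                      # hide it, as in the transcript
Get-ChildItem                                   # hidden file is absent here...
Get-ChildItem -Force |                          # ...but -Force shows it, with 'h' in Mode
    Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
    Select-Object Name, Mode, Attributes
attrib -H market-photo.jpg                      # unhide again

# --- Alternate data streams -------------------------------------------------
# Attach custom text under the stream name MyData, using the file:stream syntax.
Set-Content -Path 'market-photo.jpg:MyData' -Value 'this is my custom value'

# Write a constructed Zone.Identifier in the format Windows itself uses.
# ZoneId 3 is the Internet zone; the URLs are placeholders.
$motw = @(
    '[ZoneTransfer]'
    'ZoneId=3'
    'ReferrerUrl=https://example.invalid/downloads/'
    'HostUrl=https://example.invalid/downloads/tool.exe'
) -join "`r`n"
Set-Content -Path 'downloaded-tool.exe' -Stream 'Zone.Identifier' -Value $motw

# A plain Get-Item shows only the file; nothing hints at the extra stream.
Get-Item 'market-photo.jpg' | Format-List Name, Length

# -Stream * lists every stream. ':$DATA' is the file's ordinary content.
Get-Item 'market-photo.jpg' -Stream * | Format-Table FileName, Stream, Length

# Read the custom stream back by name.
Get-Content 'market-photo.jpg:MyData'

# Parse Zone.Identifier the way an analyst checks where a file came from.
$zone    = Get-Content 'downloaded-tool.exe:Zone.Identifier'
$zoneId  = ($zone | Where-Object { $_ -like 'ZoneId=*'  }) -replace '^ZoneId=',  ''
$hostUrl = ($zone | Where-Object { $_ -like 'HostUrl=*' }) -replace '^HostUrl=', ''
"downloaded-tool.exe: zone $zoneId, fetched from $hostUrl"

# Sweep: every file in the folder that carries a stream other than :$DATA.
# This is the check that surfaces payloads or leaked metadata hidden in an ADS.
Get-ChildItem -Path $lab -File -Recurse -Force |
    Get-Item -Stream * |
    Where-Object { $_.Stream -ne ':$DATA' } |
    Select-Object FileName, Stream, Length

# Removing a stream leaves the file's own data untouched.
Remove-Item -Path 'market-photo.jpg' -Stream 'MyData'
# Unblock-File is the supported way to strip Zone.Identifier from a download.
Unblock-File -Path 'downloaded-tool.exe'
(Get-Item 'downloaded-tool.exe' -Stream *).Stream      # only :$DATA remains
```

Two caveats worth keeping in mind when using this for triage. `Get-ChildItem` never reports streams on its own, so a sweep must pipe through `Get-Item -Stream *` as above; and because exFAT and FAT32 cannot hold streams at all, any copy of evidence onto such a volume silently loses the Zone.Identifier and anything else an attacker or a browser attached, so preserve originals on NTFS before copying.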