
I want to backup my infected Windows system's files before formatting it all and reinstalling the system. I would do it from a Linux Live USB. I've heard that one should be careful in copying only the files and not the alternate data streams or they would help the malware persist when reinstalling the system.

From Linux, how do I copy the files safely without carrying the alternate data streams with them?

2 Answers


Copy it to any non-NTFS filesystem.

Alternate Data Streams (ADS) are a feature unique to NTFS. They are similar to, but distinct from, extended attributes (xattrs) on many Linux filesystems like ext4. The primary difference is that ADS streams may be hidden, requiring knowledge of the ADS handle to access them (at least without specialized tools), whereas xattrs can be easily enumerated.

Because only NTFS supports ADS, copying it to a filesystem like ext4 effectively cleans it out. It is for the same reason that xattrs are not preserved when a file is copied from ext4 to NTFS.

On a side-note, while malicious code could theoretically hide in a file's ADS, it would not be active there. Malware stored in an ADS would be completely neutralized until something else intentionally activated it. It is no more a source of infections than other places data can be hidden.

forest

how do I copy the files safely without carrying the alternate data streams with them

This depends on how you are mounting the (presumably) NTFS file system on Linux. If you are using the ntfs-3g file system driver for Linux then (according to the man page) you can mount the file system with the option "streams_interface=none", which will only expose the unnamed stream (the main, non-alternate data stream).

In this case (according to the documentation), it seems like you can just copy the file like usual and only the unnamed stream will be copied.

Update:

I have tested this on Kali Linux. I let the system mount an external USB NTFS drive/partition by its default procedure. I then copied a file with an alternate data stream from the NTFS filesystem to the ext4 filesystem on the Kali Linux machine. The alternate data stream was not preserved; if I copy the file back to an NTFS volume the ADS is no longer present.

hft
  • Do you know how I can verify that I actually copied the main stream only from Linux? Also, are ADS deleted by default if I copy to an `ext` filesystem as they don't support them? Or do they get copied with different names? – Eärendil Baggins Nov 05 '18 at 21:45
  • You could use your Linux live USB to copy a file with a known ADS from one NTFS volume to a different NTFS volume (say one mounted on a USB drive) and then mount the USB drive in Windows again and check for presence of the known ADS in the usual way (e.g., more < file.txt:stream). – hft Nov 05 '18 at 22:15
  • I don't think the alternate streams will persist if you copy to a non-NTFS file system (e.g., FAT32 or ext3), but you should test it out to make sure. – hft Nov 05 '18 at 22:20
  • Updated answer to reflect the fact that my testing shows copying to ext4 seems to get rid of the ADS and only retain the unnamed stream. – hft Nov 06 '18 at 00:15
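A post-copy check for the verification question raised in the comments, written as an added example that is not part of either answer. It assumes the NTFS volume was mounted with ntfs-3g's default streams_interface=xattr, under which a stream named "X" is exposed as the extended attribute "user.X"; a plain cp drops those, but xattr-preserving copies (cp -a / cp --preserve=xattr, rsync -X) can carry them onto ext4, which supports user.* xattrs, so the backup tree is scanned for any file that still has one.

```python
#!/usr/bin/env python3
"""Scan a backup tree for files that still carry NTFS alternate data streams.

Under ntfs-3g's streams_interface=xattr mode, each ADS "name" on the source
shows up as the extended attribute "user.name". If such an attribute survives
on the ext4 copy, the stream was preserved by the copy tool.
"""
import os
import sys
from typing import Callable, Dict, Iterable, List

# Constructed sample of what the xattr interface reports for a file carrying a
# "Zone.Identifier" stream, alongside an unrelated SELinux label.
SAMPLE_XATTRS = ["user.Zone.Identifier", "security.selinux"]


def stream_names(xattrs: Iterable[str]) -> List[str]:
    """Return the ADS names behind a list of xattr names.

    Only the "user." namespace matters: ntfs-3g never maps streams into the
    "security.", "system." or "trusted." namespaces.
    """
    return [name[len("user."):] for name in xattrs if name.startswith("user.")]


def _default_listxattr(path: str) -> List[str]:
    # os.listxattr exists on Linux only; elsewhere there is nothing to inspect.
    fn = getattr(os, "listxattr", None)
    return list(fn(path)) if fn else []


def scan_tree(root: str,
              listxattr: Callable[[str], List[str]] = _default_listxattr
              ) -> Dict[str, List[str]]:
    """Return {path: [stream names]} for every regular file with user.* xattrs."""
    found: Dict[str, List[str]] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for fname in filenames:
            path = os.path.join(dirpath, fname)
            if os.path.islink(path) or not os.path.isfile(path):
                continue
            try:
                streams = stream_names(listxattr(path))
            except OSError:  # filesystem without xattr support: nothing carried over
                continue
            if streams:
                found[path] = streams
    return found


if __name__ == "__main__":
    hits = scan_tree(sys.argv[1]) if len(sys.argv) > 1 else {"<sample>": stream_names(SAMPLE_XATTRS)}
    for path, streams in sorted(hits.items()):
        print(f"{path}: {', '.join(streams)}")
    sys.exit(1 if hits else 0)
```

Run it against the destination directory after the copy; a non-zero exit means at least one file still carries a stream and should be re-copied without xattr preservation.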