GIAC
GCIH · Question #628
GCIH Question #628: Real Exam Question with Answer & Explanation
The correct answer is A: They are copied, provided the destination file system is NTFS. NTFS Alternate Data Streams are preserved intact when copying a file to an NTFS destination, but are silently lost if the destination file system does not support them.
Malware Analysis & Advanced Persistent Threats
Question
When copying a file that includes alternate data streams, what happens to the streams during the copying process?
Options
- A. They are copied, provided the destination file system is NTFS
- B. They are compressed using the WinZip encryption algorithms
- C. They are removed and only the original file is moved
- D. An error message is displayed indicating that data was lost
Explanation
NTFS Alternate Data Streams are preserved intact when copying a file to an NTFS destination, but are silently lost if the destination file system does not support them.
Common mistakes.
- B. Windows does not automatically compress or encrypt alternate data streams using WinZip or any other algorithm during a standard file copy operation; streams are either preserved or silently discarded.
- C. Alternate data streams are not universally removed during copying - they are only lost when the destination file system lacks NTFS support, and the primary file data is always copied regardless.
- D. Windows does not generate an error message or warning when alternate data streams are lost during a copy to a non-NTFS destination; the loss occurs completely silently.
Concept tested. NTFS alternate data streams preservation during file copy
Reference. https://learn.microsoft.com/en-us/windows/win32/fileio/file-streams
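Because the loss is silent, the only reliable check is to list the named streams before and after the copy. The following PowerShell sketch is an added example, not part of the original question or the Microsoft reference. It assumes Windows PowerShell 3.0 or later and a drive-letter destination; the function names, file paths and the stream name `note` are constructed for the demonstration.

```powershell
# Added example. Function names, paths and the stream name 'note' are hypothetical.

function Get-NamedStreams {
    param([Parameter(Mandatory)][string]$Path)
    # ':$DATA' is the unnamed (primary) stream; everything else is an alternate stream.
    # If stream enumeration is unavailable for the path, treat it as having no named streams.
    Get-Item -LiteralPath $Path -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        Select-Object Stream, Length
}

function Copy-WithStreamCheck {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination   # full path of the target file
    )
    $before = @(Get-NamedStreams -Path $Source)

    # The copy itself raises no error or warning when named streams are dropped.
    Copy-Item -LiteralPath $Source -Destination $Destination -ErrorAction Stop

    $after = @(Get-NamedStreams -Path $Destination)

    # Report the destination file system (drive-letter paths only, not UNC).
    $root = [System.IO.Path]::GetPathRoot((Resolve-Path -LiteralPath $Destination).Path)
    $fs   = (New-Object System.IO.DriveInfo $root).DriveFormat

    # A stream counts as lost if no stream with the same name and length exists afterwards.
    $lost = @($before | Where-Object {
        $s = $_
        -not ($after | Where-Object { $_.Stream -eq $s.Stream -and $_.Length -eq $s.Length })
    })

    [pscustomobject]@{
        Destination  = $Destination
        FileSystem   = $fs
        StreamsFound = $before.Count
        StreamsLost  = @($lost | ForEach-Object { $_.Stream })
    }
}

# Constructed demo: create a file with one named stream and copy it within %TEMP%.
$src = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $src -Value 'primary data'
Set-Content -LiteralPath $src -Stream 'note' -Value 'data in a named stream'
Copy-WithStreamCheck -Source $src -Destination (Join-Path $env:TEMP 'ads-demo-copy.txt')
```

Pointing `-Destination` at a volume whose file system does not support streams (a FAT32 USB stick, for example) should list `note` under `StreamsLost` while the copy itself reports success.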
Topics
#NTFS, #alternate data streams, #file system behavior, #data hiding