Alternate Data Streams, and Extended File Attributes.

Alternate data streams (ADS)

are an NTFS file system only capability to be able to add data onto an additional "Stream" of a file without altering the contents of the file itself, or modify it's hash value in anyway.  

First we are going to create a new file, and add some data into it.  This can be any type of file, or an already existing file as long as it resides on an NTFS partition.

Creating a new file, adding data, hashing the file:

Now you see by listing the streams on a particular file that it already has "$DATA".  This is normal and will be present on any file.  Lets add an additional stream, and data more data.

So as you can see from the above, we added 211 additional bytes onto the file.  But the hash remains the same.  

On NTFS you can store an unlimited number of streams, with an unlimited amount of data (at least that is available on the filesystem).

Some gotchas about this are you cannot transfer over most protocols like HTTP, HTTPS, SSH, etc.  It WILL work over SMB as long as both partitions are NTFS.

Linux Extended File attributes (XFA)

are supported on most Linux/Unix filesystem types.  However there are greater limitations on the amount of size of an extended attribute.  This is usually tied to the block size that partition was formatted with.  So lets say during installation the filesystem was formatted as Ext4 with a 4k block size, then we can only store 4k worth of data per attribute.  Same steps as above with ADS, just a little different execution.

Creating a new file, putting data in it, hashing it:

Next creating a new Extended File Attribute and adding data to it, and rehashing again seeing that it does not change.

And it's basically as simple as that.  Thanks for reading my simple ADS/XFA write up!