Question
Table of Contents
Assume there is a file named myfile.txt in C: drive that contains hidden data streams. Which of the following commands would you issue to display the contents of a data stream?
A. echo text > program:source_file
B. C:\>ECHO text_message > myfile.txt:stream1
C. C:\MORE < myfile.txt:stream1
D. myfile.dat:stream1
Answer
C. C:\MORE < myfile.txt:stream1
Explanation
The correct answer is C. C:\MORE < myfile.txt:stream1
Explanation: A data stream is a sequence of bytes that can be attached to a file or a directory on a NTFS file system. Data streams are also known as alternate data streams (ADS) because they are hidden from normal view and can store additional information that is not visible in the main data stream of the file or directory .
To display the contents of a data stream, one can use the MORE command, which is a built-in Windows utility that displays one screen of output at a time. The MORE command can take input from a file or from the standard input (stdin). The syntax for using MORE with a file is:
MORE < filename
The syntax for using MORE with stdin is:
command | MORE
where command is any command that produces output to stdout.
In this question, the file myfile.txt has a hidden data stream named stream1, which can be accessed by using the colon (:) separator after the file name. To display the contents of this data stream, one can use the MORE command with the redirection operator (<), which redirects the input from a file to stdin. The command would be:
C:\MORE < myfile.txt:stream1
This command will display the contents of stream1 on the screen, one page at a time.
The other options are incorrect because:
A. echo text > program:source_file
This command will create a new file named program and write the text “text” to its main data stream. It will not display any existing data stream.
B. C:\>ECHO text_message > myfile.txt:stream1
This command will create or overwrite a data stream named stream1 in myfile.txt and write the text “text_message” to it. It will not display any existing data stream.
D. myfile.dat:stream1
This is not a valid command, but rather a file name with a data stream name. It will not display anything on the screen.
Reference
- Streams – Sysinternals | Microsoft Learn
- Accessing hidden data streams – Stack Overflow
- File Streams (Local File Systems) – Win32 apps | Microsoft Learn
- windows – How can I identify / discover files hidden with ADS? – Information Security Stack Exchange
- Forensic Techniques to Detect Hidden Data in Alternate Data Streams in NTFS | IEEE Conference Publication | IEEE Xplore
ECCouncil Computer Hacking Forensic Investigator CHFI 312-49v10 certification exam practice question and answer (Q&A) dump with detail explanation and reference available free, helpful to pass the ECCouncil Computer Hacking Forensic Investigator CHFI 312-49v10 exam and earn ECCouncil Computer Hacking Forensic Investigator CHFI 312-49v10 certification.
Alex Lim
Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook
