3 Structure Examples

This section presents an example of serializing an input file that has two streams. The unnamed stream contains "unnamed stream" in ASCII, and the alternate stream "stream1" contains "This is stream 1". This section does not show a sparse region because the NTFS file system requires sparse regions to be integral multiples of 64 KB, aligned on 64-KB boundaries, which would make the example too large.

This section displays dumps of file contents. These are formatted with 16 bytes per line, each byte shown in hexadecimal without the leading "0x" prefix. Each line starts with the offset, in hexadecimal, of the line's first byte from the beginning of the file. Each line ends with the same bytes displayed in ASCII, with unprintable characters replaced with a period (.).

The raw contents of a.txt are as follows:

 Offset     Data                                             ASCII
 00000000   55 6e 6e 61 6d 65 64 20 53 74 72 65 61 6d        Unnamed Stream

The contents of a.txt:stream1 are:

 Offset     Data                                             ASCII
 00000000   54 68 69 73 20 69 73 20 73 74 72 65 61 6d 31     This is stream1

The serialized representation of a.txt is:


The WIN32_STREAM_IDs at the beginning of each backup stream are indicated by a gray background. There are three backup streams in this case: first, a SECURITY_DATA stream that contains the security descriptor for this file; second, the DATA stream that contains the contents of the main stream; and third, an ALTERNATE_DATA stream that contains the contents of stream1. The NTFS file system reports alternate stream names as ":streamName:$DATA". This is an implementation detail of the NTFS file system and does not imply that other file systems necessarily follow this stream naming convention.
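The following sketch is an added example, not part of the specification. It serializes the two data streams from the dumps above and walks the result with bounds checks, the way a forensic or restore tool would enumerate alternate streams in a backup blob. It assumes the 20-byte WIN32_STREAM_ID header layout and the stream type values 1, 3 and 4 from the Windows SDK definitions, and it leaves out the SECURITY_DATA stream, so its output is constructed and does not reproduce the serialized dump of a.txt.

```python
import struct

# WIN32_STREAM_ID header: dwStreamId, dwStreamAttributes, Size (64-bit),
# dwStreamNameSize (bytes), followed by the UTF-16LE name and then the data.
HEADER = struct.Struct("<IIQI")
STREAM_TYPES = {1: "DATA", 3: "SECURITY_DATA", 4: "ALTERNATE_DATA"}


def pack_stream(stream_id, data, name="", attributes=0):
    """Serialize one backup stream: header, optional name, then data."""
    raw_name = name.encode("utf-16-le")
    return HEADER.pack(stream_id, attributes, len(data), len(raw_name)) + raw_name + data


def parse_backup(blob):
    """Return [(type, name, data)], rejecting lengths that overrun the buffer."""
    streams, pos = [], 0
    while pos < len(blob):
        if len(blob) - pos < HEADER.size:
            raise ValueError(f"truncated header at offset {pos:#x}")
        stream_id, _attrs, size, name_size = HEADER.unpack_from(blob, pos)
        pos += HEADER.size
        if name_size % 2 or name_size > len(blob) - pos:
            raise ValueError(f"bad name size {name_size} at offset {pos:#x}")
        name = blob[pos:pos + name_size].decode("utf-16-le")
        pos += name_size
        if size > len(blob) - pos:
            raise ValueError(f"stream size {size} overruns buffer at offset {pos:#x}")
        streams.append((STREAM_TYPES.get(stream_id, f"UNKNOWN({stream_id})"),
                        name, blob[pos:pos + size]))
        pos += size
    return streams


def build_sample():
    """Constructed input: the two streams of a.txt, without the SECURITY_DATA stream."""
    return (pack_stream(1, b"Unnamed Stream")
            + pack_stream(4, b"This is stream1", name=":stream1:$DATA"))


if __name__ == "__main__":
    for kind, name, data in parse_backup(build_sample()):
        print(f"{kind:15} name={name!r:18} {len(data):2} bytes {data!r}")
```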