If an NTFS disk fills up suddenly, take notice. A mysteriously full disk not only wastes system resources, it may also be the symptom of a more serious problem, such as malicious activity or file-system corruption.
Generally speaking, a mundane cause such as a too-large cluster size (which wastes a little slack space in every file) makes a disk fill up slowly over months. A hijacked or corrupted disk tends to fill very quickly -- literally overnight. The rate of growth is therefore the first clue to what you are dealing with.
Computer criminals routinely use compromised systems to store everything from stolen copies of files to the tools of their trade, not to mention running everything from FTP sites to illicit chat rooms. These activities can eat up gigabytes of disk space on systems belonging to unsuspecting enterprises. Typically they will hide these files from a routine inspection. However, they can't hide the fact that the disk is suddenly filling up.
Your first step is to check the drive in Windows Explorer with "Show hidden files and folders" turned on and "Hide protected operating system files" turned off (both under Folder Options), or from a command prompt with dir /a. However, this is only the beginning. The bad guys have a number of techniques for hiding files from Explorer and dir.
One common method of hiding files involves the use of Alternate Data Streams, a Windows feature which was designed to store properties and other meta-information along with a file. A file stored using Alternate Data Streams (ADS) can be an executable or just about anything else.
The nasty thing about ADS files is that they don't show up as separate files in a directory listing, and they don't change the displayed size of the file they are attached to. Explorer and dir report only the unnamed (primary) data stream, so a 1.5 megabyte file still shows as 1.5 megabytes even if the attached ADS is many gigabytes in size. The only place the space shows up is in the volume's free-space figure.
To make matters worse, ADS is just about undetectable with Windows Explorer or the Windows Server 2003 command line (the dir /R switch that lists streams arrived later, with Vista and Server 2008). Writing to a stream does update the host file's last-modified time stamp, so sorting by date can reveal the changed file, but an attacker who bothers to reset time stamps removes even that clue, leaving sudden growth in disk use for no apparent reason as the only tip-off. Generally you need a special tool, such as LADS (List Alternate Data Streams), which is freeware you can download from http://www.heysoft.de/Frames/f_home_en.htm. LADS finds and lists the streams on a volume; it does not delete them. To remove a stream you can use Sysinternals Streams (streams -d), or simply copy the file's primary stream to a new file and delete the original.
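As an added illustration (this is not code from the original article), the following PowerShell script reproduces the hiding trick on a scratch file, shows why the file's reported size does not change, and then runs the two checks a practitioner actually wants: a sweep for large named streams and a list of files that grew in the last 24 hours. It assumes PowerShell 3.0 or later (for the -Stream parameter) on an NTFS volume; the paths, stream name and size thresholds are assumptions chosen for the demo.

```powershell
# Added example, not part of the original article. Requires PowerShell 3.0+
# on NTFS. Scratch directory, stream name and thresholds are assumptions.

$scratch  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $scratch -Force | Out-Null
$hostFile = Join-Path $scratch 'readme.txt'

# 1. An ordinary small file with a 5 MB payload hidden in a named stream.
Set-Content -Path $hostFile -Value 'nothing to see here'
Set-Content -Path $hostFile -Stream 'hidden.bin' -Value ('A' * 5MB) -NoNewline

# 2. What Explorer and dir report versus what is really on disk.
$visible = (Get-Item -LiteralPath $hostFile).Length     # unnamed ::$DATA only
$streams = Get-Item -LiteralPath $hostFile -Stream *    # every stream
"Visible size: $visible bytes"
$streams | Select-Object Stream, Length                 # :$DATA and hidden.bin

# 3. Sweep a tree for named streams above a size threshold. Zone.Identifier
#    streams on downloaded files are common and tiny, so a byte floor keeps
#    the noise out; lower it if you are hunting small droppers.
function Find-HiddenStreams {
    param([string]$Root, [int64]$MinBytes = 1MB)
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $_.Length -ge $MinBytes }
        } |
        Select-Object FileName, Stream, Length
}

# 4. Files written in the last N hours, largest first. Length here is the
#    primary stream only, which is exactly why step 3 is needed as well.
function Find-RecentGrowth {
    param([string]$Root, [int]$Hours = 24, [int]$Top = 20)
    $since = (Get-Date).AddHours(-$Hours)
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -ge $since } |
        Sort-Object Length -Descending |
        Select-Object -First $Top FullName, Length, LastWriteTime
}

Find-HiddenStreams -Root $scratch          # reports readme.txt:hidden.bin, 5242880 bytes
Find-RecentGrowth  -Root $scratch -Hours 1 # readme.txt shows as 19-21 bytes, not 5 MB

# 5. Removal: delete just the stream, leaving the host file intact.
Remove-Item -LiteralPath $hostFile -Stream 'hidden.bin'
(Get-Item -LiteralPath $hostFile -Stream *).Count      # back to 1

Remove-Item -Path $scratch -Recurse -Force
```

Run Find-HiddenStreams against a whole volume (for example -Root 'C:\') from an elevated prompt; expect it to take a while, since every file is opened once. On Vista and Server 2008 or later the same listing is available without PowerShell as dir /R, and Sysinternals streams -s <dir> recurses a tree while streams -d <file> deletes the streams it finds.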
Depending on the criminal's level of sophistication (or the sophistication of the tools he uses), figuring out what is going on can be a major undertaking. You will probably see other signs of intrusion, such as unexplained network activity or services listening on unusual ports, so check those at the same time rather than treating the disk in isolation.
Another possibility is that the drive has become corrupted by a hardware malfunction or power failure, so that the file system's free-space accounting no longer matches what is really allocated. This is a good deal less sinister than an intrusion, but it is still a serious problem. Run chkdsk on the volume to confirm it; in this case you may have to rebuild or even replace the drive.
In part two, I will look at additional problems that are related to the way Windows Server 2003 and NTFS work.
Rick Cook has been writing about mass storage since the days when the term meant an 80 KB floppy disk. The computers he learned on used ferrite cores and magnetic drums. For the last 20 years he has been a freelance writer specializing in storage and other computer issues.