An alternate data stream (ADS) is a feature of Windows New Technology File System (NTFS) that contains metadata for locating a specific file by author or title. ADS is supported by all versions of Windows beginning with Windows NT through the current version, Windows 7.
When it comes to security, the danger of ADSes lies in the fact that the information they contain does not alter any noticeable characteristics of the file to which they are attached. For example, adding "title" data to a file's ADS will not increase the file's reported size or change its functionality. This makes ADSes, for most intents and purposes, hidden, which in turn makes them a valuable place for attackers, particularly rootkit builders, to hide their tools.
As of March 2010, free, open source tools such as StreamArmor are available to detect potentially malicious ADSes on Windows systems.
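The following PowerShell sketch is an added example, not part of the original article or of any tool it names. It shows that attaching a named stream leaves a file's reported size unchanged, then enumerates non-default streams under a directory. The function name `Find-AlternateStream`, the `ads-demo` directory and the file contents are constructed for illustration; it assumes PowerShell 3.0 or later on an NTFS volume.

```powershell
# Added example: all paths, names and contents here are constructed.
$dir  = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$file = Join-Path $dir 'report.txt'

# Write the primary (unnamed) stream and record the size Windows reports.
Set-Content -Path $file -Value 'visible contents'
$before = (Get-Item -LiteralPath $file).Length

# Attach a named stream called "title"; the primary stream is untouched.
Set-Content -Path $file -Stream 'title' -Value 'text stored in an alternate stream'
$after = (Get-Item -LiteralPath $file).Length
"Reported size before: $before bytes, after: $after bytes"

function Find-AlternateStream {
    # Lists every named stream on files under $Path.
    # Only files are checked: Get-Item -Stream does not accept
    # directories in Windows PowerShell 5.1.
    param(
        [Parameter(Mandatory)] [string]   $Path,
        # Stream names to skip, e.g. 'Zone.Identifier', which Windows
        # adds to files downloaded from the Internet.
        [string[]] $IgnoreStream = @()
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
        } |
        # ':$DATA' is the default stream that holds the normal file contents.
        Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStream -notcontains $_.Stream } |
        Select-Object FileName, Stream, Length
}

# Report the stream added above, then clean up the demo directory.
Find-AlternateStream -Path $dir | Format-Table -AutoSize
Remove-Item -LiteralPath $dir -Recurse -Force
```

On a real sweep, pass `-IgnoreStream 'Zone.Identifier'` to cut noise, and treat large or unexpectedly named streams as items to review rather than as proof of compromise.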