An alternate data stream (ADS) is a feature of Windows New Technology File System (NTFS) that contains metadata for locating a specific file by author or title. ADS is supported by all versions of Windows beginning with Windows NT through the current version, Windows 7.
When it comes to security, the danger of ADSes lies in the fact that the information they contain does not alter any noticeable characteristics of the file to which they are attached. For example, adding "title" data to a file's ADS will not increase the file's size or change its functionality. This makes ADSes, for most intents and purposes, hidden, which in turn makes them a valuable place for attackers, particularly rootkit builders, to hide their tools.
As of March 2010, free, open source tools such as StreamArmour are available to detect potentially malicious ADSes on Windows systems.
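The size behaviour and the detection step described above can be checked with built-in PowerShell, shown here as an added example that is not part of the original page and is unrelated to StreamArmour. It assumes PowerShell 3.0 or later and a temp directory on an NTFS volume; the function name `Get-NamedStream`, the file names and the stream content are constructed for illustration.

```powershell
# Added example: list every named (alternate) stream under a directory.
function Get-NamedStream {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Zone.Identifier is the download marker Windows itself attaches to
        # files; it is ignored by default to keep the report readable.
        [string[]]$IgnoreStream = @('Zone.Identifier')
    )
    Get-ChildItem -LiteralPath $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -Force -ErrorAction SilentlyContinue
        } |
        # ':$DATA' is the unnamed default stream, i.e. the normal file content.
        Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -notin $IgnoreStream } |
        ForEach-Object {
            [pscustomobject]@{
                File        = $_.FileName
                Stream      = $_.Stream
                StreamBytes = $_.Length
            }
        }
}

# --- Demonstration on constructed sample data ---
$dir  = Join-Path $env:TEMP ("ads-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $dir | Out-Null
$file = Join-Path $dir 'report.txt'

Set-Content -LiteralPath $file -Value 'visible content'
$before = (Get-Item -LiteralPath $file).Length

# Attach "title" data in a named stream, as in the example in the text.
Set-Content -LiteralPath $file -Stream 'title' -Value 'Quarterly report (constructed)'
$after = (Get-Item -LiteralPath $file).Length

# The reported file size is the size of the default stream only.
"Reported size before: $before bytes; after adding the stream: $after bytes"

# The named stream is still found by enumeration.
Get-NamedStream -Path $dir | Format-Table -AutoSize

Remove-Item -LiteralPath $dir -Recurse -Force
```

Run against a real directory, any stream reported with a large `StreamBytes` value or an unexpected name is a candidate for closer inspection.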