Alternate data streams, or streams, are a feature of the NTFS file system. They are not available on FAT file systems or any other file system.

According to the Microsoft article, the original data stream is the file data itself, which is the data stream with no name. All other streams have a name. Alternate Data Streams can be used to store file metadata and any other type of data.

To explain this concept, we can type the following into the command prompt:

echo "This is not ADS" > file.txt

echo "This is ADS" > file.txt:stream1 

We can also create streams programmatically. In the CreateFile Windows API, just append ":stream_name" to the file name, where "stream_name" is the name of the data stream. We could also use the WriteFile Windows API function to write data.

An example program that writes to an alternate data stream is presented below.

[Image: example program that writes to an alternate data stream]

You can use the dir command with /r to see the data streams.

[Image: output of dir /r]

Here, we can attempt to view the contents of the txt file and ADS using type and more.

[Image: viewing the file and its stream with type and more]

Another tool to view alternate data streams is the Streams tool bundled with Sysinternals.

streams.exe "file.txt"

[Image: output of streams.exe]

This tool was useful prior to the Windows PowerShell days. PowerShell's cmdlet Get-Item has the capability to retrieve alternate data stream information.

We'll need to use the "-Stream" parameter in order to do so.

Get-Item -Path .\file.txt -Stream *

[Image: output of Get-Item with -Stream]

Note that Microsoft uses ADS for non-nefarious reasons. For instance, via the Zone.Identifier (Zone 3) ADS, we can tell if a file or binary was downloaded from the internet (Internet Zone).