ADS (Alternate Data Streams) are a feature of the Windows NTFS file system and were originally provided to support the Macintosh Hierarchical File System (HFS). Files under the Macintosh HFS consist of two parts called forks. Alternate data streams under the Windows NTFS file system allow one or more streams to be attached to a file, e.g. to simulate the resource fork under Macintosh HFS.

Although the Windows NTFS file system supports alternate data streams, they are not easily visible within Windows. As such, it is possible to hide data or executable code within an ADS.

Is an alternate data stream always bad news?

No, they are legitimately used by some programs. E.g. some anti-virus programs include a checksum value in an ADS attached to each file. Thumbs.db, the thumbnail cache in Windows XP, uses alternate data streams.

What Windows versions should I use an ADS scan on?

Any version of Windows using the NTFS file system: Windows NT, Windows 2000 and Windows XP. Disks formatted with FAT/FAT32 do not support alternate data streams.

How do I check my system for known objects in alternate data streams?

Run Ad-Aware SE, select "Scan volume for ADS" and use the select option to choose the drives you wish to scan. ADS scans can also be run from the command line using the /ads option.

How can I identify an ADS in the Ad-Aware SE log?

Select the gear icon > tweak > log files and enable "include alternate data stream details in log file".

Then in the log file an alternate data stream will look like filename:streamname

e.g. ADS
Location:C:\test\test.txt:teststream.txt
StreamName:teststream.txt
StreamID:BACKUP_ALTERNATE_DATA (4)
StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)
DataSize:29 Bytes
NameSize:42 Bytes
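
When reviewing many such entries, a small parser helps separate the host file from the stream name, since the drive-letter colon must not be mistaken for the stream separator. The following is an added example, not part of Ad-Aware SE or the original text; it assumes every entry follows the field layout of the single sample above, and the second record, the optional ":$DATA" suffix handling and the NameSize check are assumptions made for illustration.

```python
import re

# Constructed sample: the first record is the entry shown above; the second
# is made up for this example (path with spaces, ':$DATA' type suffix).
SAMPLE_LOG = r"""
Location:C:\test\test.txt:teststream.txt
StreamName:teststream.txt
StreamID:BACKUP_ALTERNATE_DATA (4)
StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)
DataSize:29 Bytes
NameSize:42 Bytes

Location:D:\My Docs\report.doc:extra.bin:$DATA
StreamName:extra.bin
StreamID:BACKUP_ALTERNATE_DATA (4)
StreamAttributes:STREAM_NORMAL_ATTRIBUTE. (0)
DataSize:40960 Bytes
NameSize:32 Bytes
"""

def split_location(location):
    """Split 'C:\\dir\\file:stream[:$DATA]' into (file path, stream name)."""
    drive, rest = "", location
    if re.match(r"^[A-Za-z]:", location):   # drive-letter colon is not a stream separator
        drive, rest = location[:2], location[2:]
    path, sep, stream = rest.partition(":")
    if not sep or not stream:
        raise ValueError("no stream name in %r" % location)
    stream = stream.split(":", 1)[0]        # drop an optional ':$DATA' type suffix
    return drive + path, stream

def parse_records(text):
    """Yield one dict per blank-line-separated ADS entry."""
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = dict(line.split(":", 1) for line in block.splitlines() if ":" in line)
        if "Location" not in fields:
            continue
        path, stream = split_location(fields["Location"].strip())
        size = int(fields.get("DataSize", "0 Bytes").split()[0])
        name_size = int(fields.get("NameSize", "0 Bytes").split()[0])
        yield {
            "file": path,
            "stream": stream,
            "data_bytes": size,
            "name_matches": fields.get("StreamName", "").strip() == stream,
            # Assumption: NameSize counts the UTF-16 bytes of ':name:$DATA',
            # which is consistent with the 42 bytes in the sample above.
            "name_size_ok": name_size == 2 * len(":" + stream + ":$DATA"),
        }
```

An entry where name_matches or name_size_ok is false does not follow the assumed layout and is worth reading by hand.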