Windows NTFS feature that allows files to contain more than one stream of data. These streams can be used to hide malicious files behind a legitimate one.
ADS has the ability to fork file data into existing files without affecting their functionality, size, or display to traditional file browsing utilities like dir or Windows Explorer (though dir /R can be used to see ADS).After gaining access to a system a malicious file can be hidden behind a legitimate one.
They are used legitimately by a variety of programs, including native Windows operating system to store file information such as attributes and temporary storage.
