Frank Heyne has written a small FAQ on Alternate Data Streams in NTFS. David LeBlanc published Detecting Alternate Data Streams. Mark Russinovich at www.sysinternals.com has released freeware utility Streams which displays NTFS files that have alternate streams content. Useful to Windows NT admin. Crucial Security has released a similar freeware tool, CrucialADS.

The NTFS file system provides applications the ability to create alternate data streams of information. By default, all data is stored in a file's main unnamed data stream, but by using the syntax "file:stream", you are able to read and write to alternates. Not all applications are written to access alternate streams, but you can demonstrate streams very simply. First, change to a directory on a NTFS drive from within a command prompt. Next, type "echo hello > test:stream". You've just created a stream named 'stream' that is associated with the file 'test'. Note that when you look at the size of test it is reported as 0, and the file looks empty when opened in any text editor. To see your stream enter "more < test:stream" (the type command doesn't accept stream syntax so you have to use more). NT does not come with any tools that let you see which NTFS files have streams associated with them, so I've written one myself. Streams will examine the files you specify and inform you of the name and sizes of any named streams it encounters within those files. Streams makes use of an undocumented native function for retrieving file stream information. Full source code is included.

You can download ads_cat from Packet Storm. ads_cat is a utility for writing to NTFS's Alternate File Streams and includes ads_extract, ads_cp, and ads_rm, utilities to read, copy, and remove data from NTFS alternate file streams.

Streams technology was used to create a new type virus. See Malicious code exploits unique Win2K function

David LeBlanc has written a tutorial on Detecting Alternate Data Streams

Carvdawg's Perl Page has scripts Astream.pl and ads.pl. Astream.pl is a Perl script that demonstrates how an NTFS alternate data stream (ADS) can be created programmatically. Ads.pl is a script that detects ADSs. Ads.pl is based on Dave Roth's streams.pl script from his latest book, with some modifications added to include checking the directory listing. Thanks goes to Frank Heyne for pointing out how to check the directory listing for ADSs.

NTFS Tips:

Managing Shared Resources and Resource Security
Choosing Between FAT and NTFS
Web versus NTFS Permissions
NTFS Security, Part 2: Implementing NTFS Special Permissions on Your Web Site
Getting the Most from IIS Security
NTFS Permissions
Cancel an NTFS conversion
NT equivalents of NetWare Rights
Access NTFS from DOS, Win95 or Win98 using NTFSDOS driver
NTFS Last Access TimeStamp
xcopy - keep attributes
How To Remove Files with Reserved Names such as LPT1 or PRN
NTFS Metadata files
Disable NTs 8.3 aliases for LFNs under NTFS
Streams displays which NTFS files have alternate streams content
VolumeID changes NT and FAT volume IDs
Create a NTFS partition over 4GB during installation
Windows NT NTFS Directory Compression

New Riders has good NT texts.

Covers NT4 & NT2000. 3Ps covered well: policies, permissions, profiles.