What is wrong with alternate data streams?
I could say: Nothing, they work as expected and as documented (yes, Microsoft did it).
But stop - there is something wrong: They are totally hidden. You can have a file with 1 byte in the official main data stream and some hundred MB in one or more alternate data streams. What do you expect the dir command, file manager or explorer to show as filesize? It is 1 byte!
That means a user can hide quite a lot of data in alternate data streams and nobody will know?
So it is.
But a user does need certain special priviledges to use alternate data streams?
No. Even guest can create such streams in every file where he has write access for.
How does somebody create an ADS?
You can do it on the command prompt, like notepad visible.txt:hidden.txt. This will create an hidden stream hidden.txt in the file visible.txt. It doesn't matter if the file exists or not.
How does somebody copy data into an ADS?
type atextfile > visible.txt:hidden2.txt. This will create another hidden stream hidden2.txt in the file visible.txt.
How does somebody copy text data from an ADS into a "normal" file?
more < visible.txt:hidden2.txt > newfile.txt. This will create a file newfile.txt from the hidden stream hidden2.txt in the file visible.txt.
How does somebody copy binary data from an ADS into a "normal" file?
cat visible.txt:hidden.exe > hack.exe. This will create a2