We've recently released a new useful tool: Read more & download here: http://www.novirusthanks.org/products/stream-detector/
Looks interesting thanks. BTW, please don't make the NoVirusThanks tools open the browser after install, I hate that, and would love it if ERP could block this.
With "Extract Stream" function you can extract the stream, like the file that has been joined in the host file. Rustock Rootkit A used to hide its driver as a Alternate Data Stream, with the "Extract Stream" function you are able to extract, for example, the driver of Rustock Rootkit A for further analysis. Or if an user has used ADS to hide a document or file, you can extract\dump it.
Andreas , what happen if i decide to delete all streams on my system? (question just for educational purposes ^^ )
It should not cause problems, the OS uses Zone.Identifier ADS to store non-important data, more info here: https://msdn.microsoft.com/en-us/library/dn392609.aspx