Thursday, June 14, 2012

ADS

Alternate Data Streams are something to consider in live investigations, and you do not even need a specialized tool to display them.  Yes, you can use tools to identify their existence or use your trusted hex editor to analyze the MFT for multiple data attributes (type 0x80), but your old "buddy", the dir command, can show those pesky hidden streams.  I'm not even sure why this switch (/r) is not enabled by default.

Option
/R          Display alternate data streams of the file.

Create ADS
C:\Users\testing>echo hello> tt.txt:hello_ads.txt

Display ADS with DIR
C:\Users\testing>dir /r
 Volume in drive C has no label.
 Volume Serial Number is CK50-8940

 Directory of C:\Users\testing
06/14/2012  06:40 PM    <DIR>          .
06/14/2012  06:40 PM    <DIR>          ..
                                     7 tt.txt:hello_ads.txt:$DATA

View the contents of ADS
notepad tt.txt:hello_ads.txt

Why do we care?  Because most people format their USB drives with FAT, which does not support ADS.  If you perform a sparse acquisition, a file contains one or more ADS, and you copy that file to your FAT-formatted USB drive from the command line, you will not even notice that you did not copy the whole file.  Most hashing utilities only follow the first data attribute, so hashing the file is not a valid verification that the copy succeeded.  If you use Windows Explorer to perform the copy, you get a warning that the file has ADS which will be stripped if you continue, but that is not the case on the command line.
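One way to verify a copy stream by stream instead of trusting a hash of the default stream alone, as an added PowerShell example that is not part of the original post: it enumerates every $DATA stream of a file with Get-Item -Stream *, hashes each one, and reports any stream that is missing or differs in the copy. It assumes PowerShell 3 or later on Windows; the source path is the post's tt.txt and E:\ is assumed to be the FAT USB drive.

```powershell
# Added example: hash every stream of a file, not just the default one.
function Get-StreamHashes {
    param([Parameter(Mandatory)][string]$Path)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    # -Stream * lists the unnamed default stream (':$DATA') plus every named ADS.
    # A non-NTFS volume (e.g. a FAT USB drive) has no streams to enumerate, so
    # fall back to treating the file itself as the only stream.
    $streams = try   { @(Get-Item -LiteralPath $Path -Stream * -ErrorAction Stop |
                         Select-Object -ExpandProperty Stream) }
               catch { @(':$DATA') }
    foreach ($name in $streams) {
        # Read the stream as raw bytes. PowerShell 5.1 and earlier use -Encoding Byte;
        # PowerShell 6+ removed that and uses -AsByteStream instead.
        $readArgs = @{ LiteralPath = $Path }
        if ($name -ne ':$DATA') { $readArgs.Stream = $name }   # default stream needs no -Stream
        if ($PSVersionTable.PSVersion.Major -ge 6) { $readArgs.AsByteStream = $true; $readArgs.Raw = $true }
        else                                       { $readArgs.Encoding = 'Byte'; $readArgs.ReadCount = 0 }
        $bytes = Get-Content @readArgs
        if ($null -eq $bytes) { $bytes = [byte[]]@() }        # zero-length stream
        $hash = ($sha.ComputeHash([byte[]]$bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
        [pscustomobject]@{ Stream = $name; Length = ([byte[]]$bytes).Length; SHA256 = $hash }
    }
}

# Compare the source's streams against the copy: an ADS silently dropped by a
# copy to FAT shows up as MISSING even though the default stream hashes match.
function Compare-StreamCopy {
    param([Parameter(Mandatory)][string]$Source, [Parameter(Mandatory)][string]$Copy)
    $copyHashes = @{}
    foreach ($c in Get-StreamHashes $Copy) { $copyHashes[$c.Stream] = $c.SHA256 }
    foreach ($s in Get-StreamHashes $Source) {
        $state = if (-not $copyHashes.ContainsKey($s.Stream)) { 'MISSING' }
                 elseif ($copyHashes[$s.Stream] -ne $s.SHA256) { 'MISMATCH' }
                 else { 'OK' }
        [pscustomobject]@{ Stream = $s.Stream; Length = $s.Length; SHA256 = $s.SHA256; Copy = $state }
    }
}

# Usage with the post's file; E:\ is an assumed FAT-formatted USB drive.
Compare-StreamCopy -Source 'C:\Users\testing\tt.txt' -Copy 'E:\tt.txt' | Format-Table -AutoSize
```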
