How to view files with NTFS streams

You can see if files have NTFS streams (Alternate Data Streams) by using the file system browser in OSForensics. In the file system browser choose "Add device to case" from the File menu and select the drive letter or image file you wish to view.

The example below shows the number of streams in the file and the total stream size. The $Secure and $BadClus both use NTFS streams and the total stream size is much higher than their visible / on disk size.

 Files with NTFS streams in OSForensics file system browser

You can right click on the file and choose "View with Internal Viewer..." to open the file in the OSForensics file viewer, this will let you extract and view via Hex/String.

Listing of available NTFS streams

Note: OSForensics version 1.1 or higher required