How to view files with NTFS streams
You can see if files have NTFS streams (Alternate Data Streams) by using the file system browser in OSForensics. In the file system browser choose "Add device to case" from the File menu and select the drive letter or image file you wish to view.
The example below shows the number of streams in the file and the total stream size. The $Secure and $BadClus both use NTFS streams and the total stream size is much higher than their visible / on disk size.
You can right click on the file and choose "View with Internal Viewer..." to open the file in the OSForensics file viewer, this will let you extract and view via Hex/String.
Note: OSForensics version 1.1 or higher required