How to view files with NTFS streams
You can see if files have NTFS streams (Alternate Data Streams) by using the file system browser in OSForensics. In the file system browser choose "Add device to case" from the File menu and select the drive letter or image file you wish to view.
The example below shows the number of streams in the file and the total stream size. The $Secure and $BadClus both use NTFS streams and the total stream size is much higher than their visible / on disk size.
You can right click on the file and choose "View with Internal Viewer..." to open the file in the OSForensics file viewer, this will let you switch between the available streams and display the data from them. In the image below the "$Secure" file has been opened and we can see there is no default stream and ":$SDS:$DATA" stream.
Choosing the ":$SDS:$DATA" stream will allow the contents to be viewed as seen below.
Note: OSForensics version 1.1 or higher required