How to view files with NTFS streams

You can see if files have NTFS streams (Alternate Data Streams) by using the file system browser in OSForensics. In the file system browser choose "Add device to case" from the File menu and select the drive letter or image file you wish to view.

The example below shows the number of streams in the file and the total stream size. The $Secure and $BadClus files both use NTFS streams, and their total stream size is much higher than their visible / on-disk size.

Files with NTFS streams in OSForensics file system browser

You can right-click on the file and choose "View with Internal Viewer..." to open the file in the OSForensics file viewer. This lets you switch between the available streams and display the data from them. In the image below the "$Secure" file has been opened, and we can see that there is no default stream and that there is a ":$SDS:$DATA" stream.

Listing of available NTFS streams

Choosing the ":$SDS:$DATA" stream will allow the contents to be viewed as seen below.

Contents of an NTFS stream


Note: OSForensics version 1.1 or higher is required.
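
To cross-check the stream count and stream sizes shown above, the following added example (not OSForensics code, and going beyond the GUI steps on this page) walks one NTFS MFT FILE record and lists every $DATA attribute with its stream name and size. It assumes the record's update-sequence fixups are already applied and that no $ATTRIBUTE_LIST is in use; the two sample records, including their sizes and the helpers `_attr` and `_record`, are constructed here for illustration.

```python
import struct

DATA, END = 0x80, 0xFFFFFFFF  # $DATA attribute type, end-of-attributes marker

def list_data_streams(record: bytes):
    """Return [(stream_name, real_size)] per $DATA attribute; fixups assumed applied."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    off = struct.unpack_from("<H", record, 0x14)[0]        # offset of first attribute
    streams = []
    while off + 0x18 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END or alen < 0x18 or off + alen > len(record):
            break
        non_resident, name_len = record[off + 8], record[off + 9]
        name_off = struct.unpack_from("<H", record, off + 0x0A)[0]
        if atype == DATA:
            raw = record[off + name_off: off + name_off + 2 * name_len]
            name = raw.decode("utf-16-le")                 # "" is the default stream
            if non_resident:                               # real size, header offset 0x30
                size = struct.unpack_from("<Q", record, off + 0x30)[0]
            else:                                          # resident content length
                size = struct.unpack_from("<I", record, off + 0x10)[0]
            streams.append((name, size))
        off += alen
    return streams

# --- Constructed sample records (built here, not taken from a real volume) ---
def _attr(atype, name, non_resident, size):
    n = name.encode("utf-16-le")
    if non_resident:   # VCNs, run-list offset, unit, pad, allocated/real/initialized size
        body = struct.pack("<QQHHIQQQ", 0, 0, 0x40 + len(n), 0, 0, size, size, size)
        tail = n + b"\x00"                                 # name + empty run list
    else:              # content length, content offset, indexed flag, pad
        body = struct.pack("<IHBB", size, 0x18 + len(n), 0, 0)
        tail = n + b"A" * size                             # name + filler content
    total = 16 + len(body) + len(tail)
    total += -total % 8                                    # attributes are 8-byte aligned
    hdr = struct.pack("<IIBBHHH", atype, total, non_resident, len(name), 16 + len(body), 0, 0)
    return (hdr + body + tail).ljust(total, b"\x00")

def _record(*attrs):
    hdr = bytearray(b"FILE".ljust(0x38, b"\x00"))          # minimal record header
    struct.pack_into("<H", hdr, 0x14, 0x38)                # first attribute at 0x38
    return (bytes(hdr) + b"".join(attrs) + struct.pack("<I", END)).ljust(1024, b"\x00")

SECURE_LIKE = _record(_attr(0x10, "", 0, 48), _attr(DATA, "$SDS", 1, 262144))
DOWNLOADED = _record(_attr(DATA, "", 0, 5), _attr(DATA, "Zone.Identifier", 0, 26))
print(list_data_streams(SECURE_LIKE), list_data_streams(DOWNLOADED))
```

A record with no `""` entry, like the first sample, has no default stream, which matches what the viewer shows for "$Secure".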