How would one go about determining if an unusually large $badclus file was purposefully added to, as a method to hide data? Any common tools / techniques avail that can be searched for?
And what is an unusually large $BadClus file? Are you referring to the $DATA stream or the $Bad stream?
If the latter, a non-sparse or a sparse one? And in the latter case, are you referring to sparse clusters or only to actual clusters?
There are suggestions that on some platforms and in some situations you can get a list of bad clusters (using NFI.exe for example), but they do not seem to be real or persistent, and disappear after a while or on the execution of chkdsk.
Another way forward would be to identify ways to manipulate the file. PowerShell Get-Acl suggests that on a Win7 system, Authenticated Users have append rights. If append works, you would get a huge sparse file with 'real' clusters at the end, beyond the last cluster of the file system.
But as this is a very 'internal' kind of entity (I'm not sure I would call it a file), I am rather sceptical about the possibility to do so.
How would one go about determining if an unusually large $badclus file was purposefully added to, as a method to hide data? Any common tools / techniques avail that can be searched for?
Look at it in hex view. If there's data in there, it will be obvious.
But as this is a very 'internal' kind of entity (I'm not sure I would call it a file), I am rather sceptical about the possibility to do so.
But check http://www.forensicfocus.com/Content/pid=66/page=2/ for additional ideas.
To further this, look at the cluster runs the $badclus refers to - not the actual $badclus entries.
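As an added illustration of the advice above (my own example, not code from any poster here): a small parser for the data-run list of an NTFS non-resident attribute. On a volume with no bad clusters, $BadClus:$Bad is one fully sparse run covering the whole volume, so any run that actually carries a logical cluster number is the thing to go and look at in hex. The two run lists below are constructed samples, not taken from a real volume.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class DataRun:
    vcn: int              # first virtual cluster covered by this run
    length: int           # run length in clusters
    lcn: Optional[int]    # logical cluster number on disk; None = sparse run


def parse_data_runs(raw: bytes) -> list:
    """Decode an NTFS run list: header byte (low nibble = length field size,
    high nibble = offset field size), then length, then a signed LCN delta
    relative to the previous run. Offset size 0 marks a sparse run."""
    runs, pos, vcn, prev_lcn = [], 0, 0, 0
    while pos < len(raw):
        header = raw[pos]
        pos += 1
        if header == 0:                      # 0x00 terminates the list
            break
        len_size, off_size = header & 0x0F, header >> 4
        if len_size == 0 or pos + len_size + off_size > len(raw):
            raise ValueError(f"malformed run header at byte {pos - 1}")
        length = int.from_bytes(raw[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            lcn = None                       # sparse: no clusters allocated
        else:
            prev_lcn += int.from_bytes(raw[pos:pos + off_size], "little", signed=True)
            pos += off_size
            lcn = prev_lcn
        runs.append(DataRun(vcn, length, lcn))
        vcn += length
    return runs


def allocated_runs(raw: bytes) -> list:
    """Runs of $BadClus:$Bad that map to real clusters. For a volume with no
    recorded bad clusters this list should be empty; anything here deserves a
    look in a hex viewer."""
    return [r for r in parse_data_runs(raw) if r.lcn is not None]


# Constructed sample: one sparse run of 0x100000 clusters (a clean volume).
CLEAN_RUNS = bytes.fromhex("04 00 00 10 00 00")
# Constructed sample: sparse run, then 16 real clusters at LCN 0x035600,
# then another sparse run; same total length as the clean list.
SUSPECT_RUNS = bytes.fromhex("03 00 00 05 31 10 00 56 03 03 f0 ff 0a 00")
```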