$BadClus - Suspiciously large
research1
Senior Member
 

$BadClus - Suspiciously large

Posted: Dec 11, 13 16:58

How would one go about determining if an unusually large $BadClus file was purposefully added to, as a method to hide data? Any common tools / techniques available that can be searched for?
 
  

athulin
Senior Member
 

Re: $BadClus - Suspiciously large

Posted: Dec 11, 13 22:24

- research1
How would one go about determining if an unusually large $BadClus file was purposefully added to, as a method to hide data? Any common tools / techniques available that can be searched for?


And what is an unusually large $BadClus file? Are you referring to the $DATA stream or the $Bad stream?
If the latter, a non-sparse or a sparse one? And in the latter case, are you referring to sparse clusters or only to actual clusters?

There are suggestions that on some platforms and in some situations you can get a list of bad clusters (using NFI.exe for example), but they do not seem to be real or persistent, and disappear after a while or on the execution of chkdsk.

Another way forward would be to identify ways to manipulate the file. PowerShell Get-Acl suggests that on a Win7 system, Authenticated Users have append rights. If append works, you would get a huge sparse file with 'real' clusters at the end, beyond the last cluster of the file system.

But as this is a very 'internal' kind of entity (I'm not sure I would call it a file), I am rather sceptical about the possibility to do so.  
 
  

pbobby
Senior Member
 

Re: $BadClus - Suspiciously large

Posted: Dec 12, 13 23:49

- research1
How would one go about determining if an unusually large $BadClus file was purposefully added to, as a method to hide data? Any common tools / techniques available that can be searched for?


Look at it in hex view. If there's data in there, it will be obvious.
_________________
Don't get baited. 
 
  

athulin
Senior Member
 

Re: $BadClus - Suspiciously large

Posted: Dec 13, 13 19:53

- athulin
But as this is a very 'internal' kind of entity (I'm not sure I would call it a file), I am rather sceptical about the possibility to do so.


But check www.forensicfocus.com/Content/pid=66/page=2/ for additional ideas.
 
  

jhup
Senior Member
 

Re: $BadClus - Suspiciously large

Posted: Dec 14, 13 01:40

To further this, look at the cluster runs the $BadClus refers to - not the actual $BadClus entries.

- pbobby
- research1
How would one go about determining if an unusually large $BadClus file was purposefully added to, as a method to hide data? Any common tools / techniques available that can be searched for?


Look at it in hex view. If there's data in there, it will be obvious.
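The approach athulin and jhup describe (distinguish the sparse runs of $BadClus:$Bad from the allocated ones, then go and look at the clusters those runs actually point to) can be scripted. The block below is an added example written for this thread, not code posted by anyone in it. It assumes the runlist bytes of the non-resident $Bad attribute (MFT record 8) have already been carved out of the MFT with another tool, and it reads clusters from a raw volume image held in memory; the runlists and the image used here are constructed for the demo. The audit function encodes two checks a practitioner would want: a clean $Bad stream should cover exactly the volume and map each retired cluster's VCN to the same LCN, and an appended-to stream of the kind athulin speculates about would show allocated runs beyond the end of the volume.

```python
"""Decode $BadClus:$Bad runs and pull the allocated clusters out of an image.

Added example for this thread; not code from any poster. Assumes the $Bad
runlist has already been extracted from MFT record 8. Demo data is constructed.
"""
from typing import Dict, List, Optional, Tuple

# (start VCN, length in clusters, starting LCN or None when the run is sparse)
Run = Tuple[int, int, Optional[int]]


def decode_runlist(runlist: bytes) -> List[Run]:
    """Decode an NTFS runlist (data runs) into (vcn, length, lcn) tuples.

    Each run starts with a header byte: low nibble = byte size of the length
    field, high nibble = byte size of the LCN delta. A zero-sized delta means
    the run is sparse (nothing allocated). Deltas are signed and relative to
    the previous allocated run's LCN. A 0x00 header terminates the list.
    """
    runs: List[Run] = []
    pos, vcn, lcn = 0, 0, 0
    while pos < len(runlist) and runlist[pos] != 0:
        header = runlist[pos]
        len_size, off_size = header & 0x0F, header >> 4
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(runlist):
            raise ValueError(f"malformed run header at offset {pos - 1}")
        length = int.from_bytes(runlist[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((vcn, length, None))          # sparse: no real clusters
        else:
            lcn += int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
            pos += off_size
            runs.append((vcn, length, lcn))
        vcn += length
    return runs


def bad_clusters(runs: List[Run]) -> List[int]:
    """Only the allocated (non-sparse) runs of $Bad point at real clusters."""
    return [lcn + i for _, length, lcn in runs if lcn is not None for i in range(length)]


def audit_bad_stream(runs: List[Run], total_clusters: int) -> List[str]:
    """Sanity checks on the $Bad runlist.

    By design $Bad is a sparse stream the size of the volume; a cluster retired
    by chkdsk is allocated at VCN n == LCN n. A runlist that covers more than
    the volume, maps VCN != LCN, or points past the last cluster deserves a look.
    """
    findings: List[str] = []
    covered = sum(length for _, length, _ in runs)
    if covered != total_clusters:
        findings.append(f"$Bad covers {covered:#x} clusters, volume has {total_clusters:#x}")
    for vcn, length, lcn in runs:
        if lcn is None:
            continue
        if lcn != vcn:
            findings.append(f"run at VCN {vcn:#x} maps to LCN {lcn:#x}, expected VCN == LCN")
        if lcn + length > total_clusters:
            findings.append(f"run at VCN {vcn:#x} extends past the end of the volume")
    return findings


def read_clusters(image: bytes, cluster_size: int, lcns: List[int]) -> Dict[int, bytes]:
    """Return the raw contents of each listed cluster, keyed by LCN, for hex review."""
    return {lcn: bytes(image[lcn * cluster_size:(lcn + 1) * cluster_size]) for lcn in lcns}


# Constructed demo volume: 0x2000 clusters of 512 bytes.
CLUSTER_SIZE = 512
TOTAL_CLUSTERS = 0x2000

# Constructed runlist: sparse 0x1000, two allocated clusters at LCN 0x1000,
# sparse 0xFFE, terminator. Covers the whole volume with VCN == LCN.
DEMO_RUNLIST = bytes([0x02, 0x00, 0x10,
                      0x21, 0x02, 0x00, 0x10,
                      0x02, 0xFE, 0x0F,
                      0x00])

# Constructed runlist for the "appended" case: sparse over the whole volume,
# then one allocated cluster at VCN 0x2000 == LCN 0x2000, i.e. past the end.
DEMO_RUNLIST_APPENDED = bytes([0x02, 0x00, 0x20,
                               0x21, 0x01, 0x00, 0x20,
                               0x00])


def build_demo_image() -> bytes:
    """Constructed image with a marker planted in cluster 0x1000."""
    img = bytearray(TOTAL_CLUSTERS * CLUSTER_SIZE)
    payload = b"hidden in $BadClus"
    start = 0x1000 * CLUSTER_SIZE
    img[start:start + len(payload)] = payload
    return bytes(img)


def demo():
    runs = decode_runlist(DEMO_RUNLIST)
    lcns = bad_clusters(runs)
    findings = audit_bad_stream(runs, TOTAL_CLUSTERS)
    blobs = read_clusters(build_demo_image(), CLUSTER_SIZE, lcns)
    return runs, lcns, findings, blobs


if __name__ == "__main__":
    runs, lcns, findings, blobs = demo()
    print("runs:", runs)
    print("clusters marked bad:", [hex(l) for l in lcns])
    print("audit findings:", findings or "none")
    for lcn, data in blobs.items():
        print(f"LCN {lcn:#x}: {data[:32].hex()}")
    print("appended-stream audit:", audit_bad_stream(decode_runlist(DEMO_RUNLIST_APPENDED), TOTAL_CLUSTERS))
```

On a real image, swap `build_demo_image()` for the bytes of the NTFS volume (offset by the partition start) and take `CLUSTER_SIZE` and `TOTAL_CLUSTERS` from the boot sector; the clusters returned by `read_clusters` are the ones to put in a hex viewer, as pbobby suggests. A clean `$Bad` stream decodes to a single sparse run and `bad_clusters` returns nothing, so any allocated run is already a finding in itself.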