$BadClus - Suspiciously large

5 Posts
4 Users
0 Likes
1,562 Views
(@research1)
Posts: 165
Estimable Member
Topic starter
 

How would one go about determining if an unusually large $badclus file was purposefully added to, as a method to hide data? Any common tools / techniques available that can be searched for?

 
Posted : 11/12/2013 3:58 pm
(@athulin)
Posts: 1156
Noble Member
 

How would one go about determining if an unusually large $badclus file was purposefully added to, as a method to hide data? Any common tools / techniques available that can be searched for?

And what is an unusually large $BadClus file? Are you referring to the $DATA stream or the $Bad stream?
If the latter, a non-sparse or a sparse one? And in the latter case, are you referring to sparse clusters or only to actual clusters?

There are suggestions that on some platforms and in some situations you can get a list of bad clusters (using NFI.exe for example), but they do not seem to be real or persistent, and disappear after a while or on the execution of chkdsk.

Another way forward would be to identify ways to manipulate the file. Powershell Get-Acl suggests that on a Win7 system, Authenticated Users have append rights. If append works, you would get a huge sparse file with 'real' clusters at the end, beyond the last cluster of the file system.

But as this is a very 'internal' kind of entity (I'm not sure I would call it a file), I am rather sceptical about the possibility to do so.

 
Posted : 11/12/2013 9:24 pm
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

How would one go about determining if an unusually large $badclus file was purposefully added to, as a method to hide data? Any common tools / techniques available that can be searched for?

Look at it in hex view. If there's data in there, it will be obvious.

 
Posted : 12/12/2013 10:49 pm
(@athulin)
Posts: 1156
Noble Member
 

But as this is a very 'internal' kind of entity (I'm not sure I would call it a file), I am rather sceptical about the possibility to do so.

But check http://www.forensicfocus.com/Content/pid=66/page=2/ for additional ideas.

 
Posted : 13/12/2013 6:53 pm
jhup
(@jhup)
Posts: 1442
Noble Member
 

To further this, look at the cluster runs the $badclus refers to - not the actual $badclus entries.

How would one go about determining if an unusually large $badclus file was purposefully added to, as a method to hide data? Any common tools / techniques available that can be searched for?

Look at it in hex view. If there's data in there, it will be obvious.

 
Posted : 14/12/2013 12:40 am
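The replies above converge on one check: decode the data runs of $BadClus:$Bad and see whether any of them point at real clusters rather than being sparse, and whether the stream reaches past the end of the volume. The following is an added example, not code posted in this thread; it implements the standard NTFS runlist decoding (header nibbles give the sizes of the length and offset fields, an offset size of zero marks a sparse run, offsets are signed deltas from the previous LCN) and then applies the two checks. The two runlists and the volume size of 1000 clusters are constructed test data, not taken from a real image.

```python
"""Decode an NTFS $BadClus:$Bad runlist and flag allocated (non-sparse) runs.

On a healthy volume $Bad is one sparse run covering every cluster of the
volume. Allocated runs, or a virtual extent longer than the volume, are the
signs the thread above says to look for.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Run:
    vcn: int            # first virtual cluster number of this run
    length: int         # run length in clusters
    lcn: Optional[int]  # logical cluster number on disk; None for a sparse run


def parse_runlist(data: bytes) -> List[Run]:
    """Decode a raw runlist as stored in a non-resident $DATA attribute."""
    runs: List[Run] = []
    pos, vcn, lcn = 0, 0, 0
    while pos < len(data):
        header = data[pos]
        pos += 1
        if header == 0:                       # 0x00 terminates the list
            break
        len_size = header & 0x0F              # low nibble: bytes of length field
        off_size = header >> 4                # high nibble: bytes of offset field
        if len_size == 0 or pos + len_size + off_size > len(data):
            raise ValueError(f"malformed run header at offset {pos - 1}")
        length = int.from_bytes(data[pos:pos + len_size], "little", signed=False)
        pos += len_size
        if off_size == 0:
            runs.append(Run(vcn, length, None))          # sparse: no disk clusters
        else:
            delta = int.from_bytes(data[pos:pos + off_size], "little", signed=True)
            pos += off_size
            lcn += delta                                  # offsets are relative
            runs.append(Run(vcn, length, lcn))
        vcn += length
    return runs


def assess_bad_stream(runlist: bytes, total_clusters: int) -> Dict[str, object]:
    """Summarise a $Bad runlist against the cluster count of the volume."""
    runs = parse_runlist(runlist)
    findings: List[str] = []
    sparse = sum(r.length for r in runs if r.lcn is None)
    allocated = 0
    for r in runs:
        if r.lcn is None:
            continue
        allocated += r.length
        # Any real cluster in $Bad deserves a look: a genuine bad-cluster map
        # would be rare, and hidden data would show up exactly here.
        findings.append(f"allocated run of {r.length} clusters at LCN {r.lcn} (VCN {r.vcn})")
        if r.lcn < 0 or r.lcn + r.length > total_clusters:
            findings.append(f"run at LCN {r.lcn} lies outside the volume")
    extent = runs[-1].vcn + runs[-1].length if runs else 0
    if extent > total_clusters:
        # A healthy $Bad is exactly as long as the volume; anything appended
        # lands beyond the last cluster of the file system.
        findings.append(f"stream covers {extent} clusters but volume has {total_clusters}")
    return {
        "runs": len(runs),
        "sparse_clusters": sparse,
        "allocated_clusters": allocated,
        "findings": findings,
    }


# Constructed sample data: a 1000-cluster volume.
VOLUME_CLUSTERS = 1000
# Clean $Bad: one sparse run of 1000 clusters (header 0x02: 2-byte length, no offset).
CLEAN_RUNLIST = bytes.fromhex("02e80300")
# Suspicious $Bad: the same sparse run followed by 16 allocated clusters at LCN 768
# (header 0x21: 1-byte length, 2-byte offset), so the stream also exceeds the volume.
SUSPICIOUS_RUNLIST = bytes.fromhex("02e803" "21100003" "00")

if __name__ == "__main__":
    for name, rl in (("clean", CLEAN_RUNLIST), ("suspicious", SUSPICIOUS_RUNLIST)):
        report = assess_bad_stream(rl, VOLUME_CLUSTERS)
        print(name, report)
```

In practice the runlist bytes come from the non-resident $DATA attribute named $Bad in MFT record 8, and the volume cluster count from the boot sector; feeding those two values into assess_bad_stream gives the same verdict the thread describes reaching by hand in a hex viewer.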