$BadClus - Suspiciously large

research1
(@research1)
Active Member

How would one go about determining if an unusually large $badclus file was purposefully added to, as a method to hide data? Any common tools / techniques avail that can be searched for?

Posted : 11/12/2013 3:58 pm
athulin
(@athulin)
Community Legend

How would one go about determining if an unusually large $badclus file was purposefully added to, as a method to hide data? Any common tools / techniques avail that can be searched for?

And what is an unusually large $BadClus file? Are you referring to the $DATA stream or the $Bad stream?
If the latter, a non-sparse or a sparse one? And in the latter case, are you referring to sparse clusters or only to actual clusters?

There are suggestions that on some platforms and in some situations you can get a list of bad clusters (using NFI.exe for example), but they do not seem to be real or persistent, and disappear after a while or on the execution of chkdsk.

Another way forward would be to identify ways to manipulate the file. Powershell Get-Acl suggests that on a Win7 system, Authenticated Users have append rights. If append works, you would get a huge sparse file with 'real' clusters at the end, beyond the last cluster of the file system.

But as this is a very 'internal' kind of entity (I'm not sure I would call it a file), I am rather sceptical about the possibility to do so.

Posted : 11/12/2013 9:24 pm
pbobby
(@pbobby)
Active Member

How would one go about determining if an unusually large $badclus file was purposefully added to, as a method to hide data? Any common tools / techniques avail that can be searched for?

Look at it in hex view. If there's data in there, it will be obvious.

Posted : 12/12/2013 10:49 pm
athulin
(@athulin)
Community Legend

But as this is a very 'internal' kind of entity (I'm not sure I would call it a file), I am rather sceptical about the possibility to do so.

But check http://www.forensicfocus.com/Content/pid=66/page=2/ for additional ideas.

Posted : 13/12/2013 6:53 pm
jhup
(@jhup)
Community Legend

To further this, look at the cluster runs the $badclus refers to - not the actual $badclus entries.

How would one go about determining if an unusually large $badclus file was purposefully added to, as a method to hide data? Any common tools / techniques avail that can be searched for?

Look at it in hex view. If there's data in there, it will be obvious.

Posted : 14/12/2013 12:40 am
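The two suggestions above (check whether the $Bad stream is a single sparse run, and look at the cluster runs it maps rather than the record itself) can be turned into a mechanical check. The script below is an added example, not code from the thread or from any forensic tool: it decodes the NTFS run list of the $DATA attribute named "$Bad" in an MFT record, counts sparse versus real clusters, lists the real runs (the ones worth carving), and flags runs that end past the last cluster of the volume. The MFT record, the 1,000,000-cluster volume size, the 4096-byte cluster size and both run lists are constructed here for illustration; on a real image you would feed it MFT entry 8 after applying the update-sequence fixups and take the cluster count from the boot sector.

```python
"""Audit the $Bad stream of NTFS $BadClus (MFT entry 8) by decoding its data runs.

Constructed example: record layout, volume size and run bytes are all
made up here to show the technique; nothing is read from a real volume.
"""
import struct

DATA_ATTR = 0x80              # $DATA attribute type code
END_MARKER = 0xFFFFFFFF       # terminates the attribute list in an MFT record
TOTAL_CLUSTERS = 1_000_000    # assumed volume size (from the boot sector in real use)
CLUSTER_BYTES = 4096          # assumed cluster size


def decode_data_runs(buf, pos):
    """Decode an NTFS run list starting at buf[pos].

    Returns a list of (vcn, lcn, length); lcn is None for sparse runs,
    which are the only kind a healthy $Bad stream should contain.
    """
    runs, vcn, lcn = [], 0, 0
    while pos < len(buf) and buf[pos] != 0:
        header = buf[pos]
        len_size, off_size = header & 0x0F, header >> 4   # field sizes in bytes
        pos += 1
        if len_size == 0 or pos + len_size + off_size > len(buf):
            raise ValueError("malformed run header at offset %d" % (pos - 1))
        length = int.from_bytes(buf[pos:pos + len_size], "little")
        pos += len_size
        if off_size == 0:
            runs.append((vcn, None, length))          # sparse: no clusters on disk
        else:                                          # offset is relative to previous LCN
            lcn += int.from_bytes(buf[pos:pos + off_size], "little", signed=True)
            pos += off_size
            runs.append((vcn, lcn, length))           # real clusters on disk
        vcn += length
    return runs


def iter_attributes(record):
    """Yield (offset, type, length) for each attribute in a FILE record."""
    if record[:4] != b"FILE":
        raise ValueError("not an MFT file record")
    off = struct.unpack_from("<H", record, 0x14)[0]   # first attribute offset
    while off + 8 <= len(record):
        atype, alen = struct.unpack_from("<II", record, off)
        if atype == END_MARKER or alen == 0:
            break
        yield off, atype, alen
        off += alen


def audit_bad_stream(record, total_clusters=TOTAL_CLUSTERS):
    """Find the $DATA:$Bad attribute and report any non-sparse runs."""
    for off, atype, _ in iter_attributes(record):
        if atype != DATA_ATTR:
            continue
        nonres, name_len, name_off = struct.unpack_from("<BBH", record, off + 8)
        name = record[off + name_off:off + name_off + 2 * name_len].decode("utf-16-le")
        if name != "$Bad":
            continue
        if not nonres:
            raise ValueError("$Bad stream is resident; nothing to map")
        runs_off = struct.unpack_from("<H", record, off + 0x20)[0]
        runs = decode_data_runs(record, off + runs_off)
        real = [(lcn, n) for _, lcn, n in runs if lcn is not None]
        return {
            "stream_clusters": sum(n for _, _, n in runs),
            "sparse_clusters": sum(n for _, lcn, n in runs if lcn is None),
            "real_runs": real,                 # clusters worth carving / hex viewing
            "real_clusters": sum(n for _, n in real),
            "beyond_volume": [(lcn, n) for lcn, n in real if lcn + n > total_clusters],
        }
    raise ValueError("no $Bad stream in this record")


def build_bad_record(run_bytes, stream_clusters):
    """Construct a minimal MFT record with one non-resident $DATA:$Bad attribute.

    Real records also carry update-sequence fixups that must be applied
    before parsing; this constructed record has none.
    """
    name = "$Bad".encode("utf-16-le")
    name_off, runs_off = 0x40, 0x40 + len(name)
    attr = bytearray((runs_off + len(run_bytes) + 7) & ~7)   # 8-byte aligned
    struct.pack_into("<IIBBHHH", attr, 0, DATA_ATTR, len(attr), 1, 4, name_off, 0, 0)
    size = stream_clusters * CLUSTER_BYTES
    struct.pack_into("<QQHHIQQQ", attr, 0x10, 0, stream_clusters - 1, runs_off, 0, 0, 0, size, size)
    attr[name_off:name_off + len(name)] = name
    attr[runs_off:runs_off + len(run_bytes)] = run_bytes
    record = bytearray(0x38)
    record[:4] = b"FILE"
    struct.pack_into("<H", record, 0x14, len(record))       # first attribute offset
    return bytes(record + attr + struct.pack("<II", END_MARKER, 0))


# Constructed run lists for a 1,000,000-cluster (0x0F4240) volume.
NORMAL_RUNS = bytes([0x03, 0x40, 0x42, 0x0F, 0x00])         # one sparse run: whole volume
SUSPECT_RUNS = bytes([0x03, 0x40, 0x42, 0x0F,               # same sparse run, then
                      0x31, 0x08, 0x20, 0xA1, 0x07,         # 8 real clusters at LCN 500,000
                      0x31, 0x10, 0x20, 0xA1, 0x07,         # 16 real clusters at LCN 1,000,000 (past the end)
                      0x00])
NORMAL_RECORD = build_bad_record(NORMAL_RUNS, 1_000_000)
SUSPECT_RECORD = build_bad_record(SUSPECT_RUNS, 1_000_024)

if __name__ == "__main__":
    for label, rec in (("normal", NORMAL_RECORD), ("suspect", SUSPECT_RECORD)):
        print(label, audit_bad_stream(rec))
```

A clean volume gives one sparse run whose length equals the cluster count and an empty real-run list. Any real run is a lead: one inside the volume points at clusters that the bitmap marks as used but no ordinary file claims, and one that ends beyond the last cluster is the appended-data pattern described above, which the file system cannot even address without reading past the end of the partition.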