I have previously been digging in the NTFS metafiles and just restarted some of the digging. On the subject of hiding data inside the metafiles, I came across several articles, and one of them, http://www.forensicfocus.com/index.php?name=Content&pid=66&page=6, seems to cover a lot. However, I believe there is one tiny error worth noting regarding the $Boot file. My experience says, contrary to the article, that the $Boot file can be heavily modified without affecting how Windows will handle the target volume. Of course it is very limited how much data can actually be put in there, but anyway.
On a non-bootable volume, Windows only cares about the first sector, leaving 15 sectors as "free space". I filled it up with 0xFFs, and Windows was still happy after remounting the volume.
On a bootable volume the boot code is of course used and can't be modified. But the remaining sectors can contain whatever data. On NT 6.x the boot code is roughly 2 sectors bigger than on NT 5, meaning more data can be hidden in the NT 5 boot code than in the NT 6 code. Specifically, I put (9x512) + 128 = 4736 bytes of garbage on NT 5 and (7x512) + 464 = 4048 bytes of garbage on the NT 6 $Boot. Both test systems booted just fine.
The best part (depending on how you see it) is that chkdsk did not report any errors! 😯
Also tried filling up the $Upcase with garbage data successfully. Only the first sector strictly needs to stay intact for Windows not to complain. That means 255 × 512 = 130,560 bytes can be put into the $Upcase metafile. This one will easily be caught by chkdsk, but maybe worth mentioning.
Regarding the $LogFile, I was wondering if anybody has had any "success" with that one? I managed to create 256 kB logfiles by using customized Windows binaries, but that was it. As soon as it was manually modified, it was autohealed by Windows.
And don't be too harsh with me on my first post. Maybe it's all old news and belongs to the issues of the past.
Joakim
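A defender-side check for the $Boot behaviour described in this post, added here as an example and not code from the thread: it parses the BPB fields in sector 0 of $Boot (the only sector Windows needs on a non-bootable volume) and reports which of the remaining 15 sectors differ from a known-good $Boot taken from a volume formatted by the same Windows version. The constructed sample image, its filler values and the BPB field values are assumptions; the field offsets are the standard NTFS boot-sector layout.

```python
import hashlib
import struct

SECTOR = 512
BOOT_SECTORS = 16  # $Boot is 16 sectors (8 KiB); only sector 0 holds the BPB


def parse_boot_sector(sec0: bytes) -> dict:
    """Pull out the BPB fields in sector 0 that Windows relies on to mount the volume."""
    if len(sec0) < SECTOR:
        raise ValueError("sector 0 is shorter than 512 bytes")
    bps, spc = struct.unpack_from("<HB", sec0, 0x0B)              # bytes/sector, sectors/cluster
    total, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sec0, 0x28)
    return {
        "oem_id": sec0[3:11],
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "total_sectors": total,
        "mft_lcn": mft_lcn,
        "mftmirr_lcn": mftmirr_lcn,
        # OEM ID and the 0x55AA signature are the two sanity checks most tools apply
        "sane": sec0[3:11] == b"NTFS    " and sec0[510:512] == b"\x55\xaa",
    }


def sector_hashes(boot_image: bytes) -> list:
    """SHA-256 of each of the 16 sectors, so a $Boot can be diffed against a baseline."""
    return [hashlib.sha256(boot_image[i * SECTOR:(i + 1) * SECTOR]).hexdigest()
            for i in range(BOOT_SECTORS)]


def changed_slack_sectors(boot_image: bytes, baseline: bytes) -> list:
    """Sectors 1..15 whose content differs from a known-good $Boot of the same Windows
    version: exactly the region the post describes overwriting without Windows noticing."""
    cur, ref = sector_hashes(boot_image), sector_hashes(baseline)
    return [i for i in range(1, BOOT_SECTORS) if cur[i] != ref[i]]


def make_sample_boot(filler: bytes) -> bytes:
    """Constructed 16-sector $Boot: a plausible BPB in sector 0, and a single filler
    byte repeated through sectors 1..15 (stands in for real boot code in this example)."""
    sec0 = bytearray(SECTOR)
    sec0[0:3] = b"\xeb\x52\x90"                      # jump + nop, as on a real NTFS boot sector
    sec0[3:11] = b"NTFS    "
    struct.pack_into("<HB", sec0, 0x0B, 512, 8)      # assumed: 512-byte sectors, 4 KiB clusters
    struct.pack_into("<QQQ", sec0, 0x28, 2097151, 786432, 2)  # assumed total/$MFT/$MFTMirr
    sec0[510:512] = b"\x55\xaa"
    return bytes(sec0) + filler[:1] * ((BOOT_SECTORS - 1) * SECTOR)


if __name__ == "__main__":
    good = make_sample_boot(b"\x00")
    # Tampered copy: sectors 9..15 overwritten with 0xFF while sector 0 is left intact
    bad = good[:9 * SECTOR] + b"\xff" * (7 * SECTOR)
    print(parse_boot_sector(bad[:SECTOR])["sane"], changed_slack_sectors(bad, good))
```

On a real system the baseline would be $Boot read from a freshly formatted volume of the same Windows build, since format writes bootstrap code into sectors 1..15 even on data volumes.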
If the $LogFile NTFS metadata is about journaling, is the journaling feature on? Did you check the $Data attribute? Maybe as non-resident? The log data should be included in the $Data attribute, but there is little information about $LogFile, so please share the results of your test.
Not harsh, I'm learning too.
cheers
Maybe useful for your research (or maybe not?)
http//
jaclaz