To further this, look at the cluster runs the $badclus refers to- not the actual $badclus entries. <img src="images/smiles/icon_mrgreen.gif" alt="Mr. Green" title="Mr. Green" />
pbobby wrote:
research1 wrote:
How would one go about determining if an unusually large $badclus file was purposefully added too, as a method to hide data? Any common tools / techniques avail that can be searched for?
Look at it in hex view. If there's data in there, it will be obvious.
↧