williballenthin / python-registry

Pure Python parser for Windows Registry hives.
Apache License 2.0

Add optional read length/overrun parameter on Values #86

Closed jtang613 closed 5 years ago

jtang613 commented 5 years ago

This optional parameter allows reading back arbitrary-length data from a Value, including overrunning the current data length. This is useful for forensic analysis applications that may wish to examine overwritten key data. Values are non-truncating and thus will preserve old data in the slack space if overwritten by a smaller-length value.

jtang613 commented 5 years ago

I've already had success using this technique. A client system was found to have a backdoor: C:\Windows\cfmon.bat, and the slack space contained evidence of a second, previous backdoor: C:\Windows\cmdacobin\RE[B]ell.bat

C:\Windows\cfmon.bat <- sethc.exe registry key contained
C:\Windows\cmdacobin\RE[B]ell.bat <- file on disk
RE[B]ell.bat <- sethc.exe registry slack space contained
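The mechanism both comments rely on, as an added example that is not code from python-registry or from the PR author, and that does not use the PR's actual parameter name (the page does not state it). It models a hive data cell in memory rather than opening a real hive: a cell starts with a 4-byte little-endian signed size (negative while allocated, 8-byte aligned), the VK record's data_length says how much of the cell is the live value, and an in-place overwrite with shorter REG_SZ data leaves the tail of the old UTF-16LE string in the rest of the cell. The function names, the `overrun` parameter, and the use of the two paths from the comments as constructed sample data are assumptions for illustration.

```python
import struct

CELL_ALIGN = 8  # hive cells are 8-byte aligned


def encode_sz(text: str) -> bytes:
    """REG_SZ data as stored in a hive: UTF-16LE with a terminating NUL."""
    return (text + "\x00").encode("utf-16-le")


def new_data_cell(capacity: int) -> bytearray:
    """Constructed stand-in for a hive data cell: 4-byte little-endian signed
    size (negative while allocated) followed by the payload, total size
    rounded up to the 8-byte cell alignment."""
    total = 4 + capacity
    total += (-total) % CELL_ALIGN
    cell = bytearray(total)
    struct.pack_into("<i", cell, 0, -total)
    return cell


def cell_capacity(cell: bytes) -> int:
    """Payload bytes available in the cell (everything after the size header)."""
    return abs(struct.unpack_from("<i", cell, 0)[0]) - 4


def store_value_data(cell: bytearray, data: bytes) -> int:
    """Overwrite the value's data in place without clearing the rest of the
    cell, which is what leaves slack behind. Returns the new data_length,
    i.e. what the VK record would record as the value's length."""
    if len(data) > cell_capacity(cell):
        raise ValueError("data does not fit; a hive would allocate a new cell instead")
    cell[4:4 + len(data)] = data
    return len(data)


def read_value_data(cell: bytes, data_length: int, overrun: int = 0) -> bytes:
    """Read the live value plus up to `overrun` bytes of cell slack.
    `overrun` is an assumed parameter name; the read never goes past the
    end of the cell."""
    end = min(4 + data_length + overrun, len(cell))
    return bytes(cell[4:end])


def slack_strings(slack: bytes, min_chars: int = 3) -> list[str]:
    """Recover printable ASCII fragments from slack by decoding it as UTF-16LE
    at both byte alignments (the old value's boundaries are unknown)."""
    found = []
    for start in (0, 1):
        chunk = slack[start:]
        chunk = chunk[: len(chunk) - len(chunk) % 2]
        text = chunk.decode("utf-16-le", errors="replace")
        for frag in text.split("\x00"):
            if len(frag) >= min_chars and all(32 <= ord(c) < 127 for c in frag):
                found.append(frag)
    return found


def demo() -> tuple[str, list[str]]:
    """Constructed sample values modelled on the paths in the comments above:
    the earlier, longer path is written first, then overwritten in place by
    the shorter one."""
    old_path = "C:\\Windows\\cmdacobin\\RE[B]ell.bat"
    new_path = "C:\\Windows\\cfmon.bat"

    cell = new_data_cell(len(encode_sz(old_path)))
    store_value_data(cell, encode_sz(old_path))
    data_length = store_value_data(cell, encode_sz(new_path))

    # A normal parser stops at data_length and sees only the current value.
    current = read_value_data(cell, data_length).decode("utf-16-le").rstrip("\x00")

    # Reading with overrun returns the whole cell; bytes past data_length are slack.
    whole_cell = read_value_data(cell, data_length, overrun=cell_capacity(cell))
    return current, slack_strings(whole_cell[data_length:])


if __name__ == "__main__":
    current, leftovers = demo()
    print("current value :", current)
    print("slack strings :", leftovers)
```

Two caveats for real hives: slack is only left behind when the new data fits in the existing cell (a larger value gets a fresh cell, and the old one is freed but not wiped, so its contents then live in free space rather than value slack), and the slack bytes may belong to whatever occupied the cell before this value, not necessarily a previous version of the same value, so recovered fragments need corroboration such as the on-disk file the comment describes.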