Thursday, October 10, 2013

Daily Blog #109: Sunday Funday 10/6/13 Avoiding the red herring

Hello Reader,
             In the Sunday Funday 10/6/13 image we have some user activity from July that might have led you down the wrong path. Indeed, if you went looking you would have found that CCleaner was on the system and had been executed back in July, as mentioned in the following Sunday Funday entry:

It indeed looks like CCleaner was executed at least once as it recovered a pf file: CCLEANER.EXE-D4D76A60.pf. My guess is it was initially run on 08/21/2013  10:19:05  -6 and only executed one time since the last accessed matches created.

It looks like CCleaner was executed within seconds of it being installed since the uninstall shortcut was created 08/21/2013  10:19:04.518  -6

CCleaner 4.4 was installed. I based this on the executable X-Ways recovered in the CCleaner directory. Based on when this exe was created I went to the website and verified that v4.4 was released on 07/25/2013 which makes sense since the created date on the exe is 07/22/2013 11:17:50.000  -6

While all of this information is correct (we did in fact install CCleaner and run it once in July to prepare the image for this contest), it had nothing to do with our challenge :) When examining a system it is easy to go off on rabbit trails, chasing a red herring down tangents that have no bearing on the questions you were actually asked to answer.

Always keep perspective when performing your analysis: just because something happened does not mean it is relevant to the investigation you were asked to perform!
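As an added example (not code from this post or from the reader's entry), the Python below encodes the entry's timestamp reasoning as explicit checks and then tests each artifact against the window the request actually covers, so that true-but-irrelevant findings are flagged for relevance instead of chased. The artifact names and the scope window are assumptions; the timestamps are the ones quoted in the entry.

```python
from datetime import datetime, timedelta

# Constructed sample artifacts (hypothetical names). Timestamps are the values
# quoted in the entry, taken as local time (UTC-6) as written there.
ARTIFACTS = {
    "CCLEANER.EXE-D4D76A60.pf created":  datetime(2013, 8, 21, 10, 19, 5),
    "CCLEANER.EXE-D4D76A60.pf accessed": datetime(2013, 8, 21, 10, 19, 5),
    "Uninstall CCleaner.lnk created":    datetime(2013, 8, 21, 10, 19, 4, 518000),
    "CCleaner.exe created":              datetime(2013, 7, 22, 11, 17, 50),
}

def execution_inferences(artifacts, tolerance=timedelta(seconds=5)):
    """Apply the entry's reasoning as explicit checks and return the claims it supports."""
    pf_created = artifacts["CCLEANER.EXE-D4D76A60.pf created"]
    pf_accessed = artifacts["CCLEANER.EXE-D4D76A60.pf accessed"]
    lnk_created = artifacts["Uninstall CCleaner.lnk created"]
    claims = ["prefetch file present: executed at least once"]
    if pf_created == pf_accessed:
        claims.append("prefetch created == last accessed: consistent with a single run")
    gap = pf_created - lnk_created  # time from install shortcut to first prefetch write
    if timedelta(0) <= gap <= tolerance:
        claims.append(f"prefetch written {gap.total_seconds():.3f}s after install "
                      "shortcut: run immediately after install")
    return claims

def scope_report(artifacts, start, end):
    """Split artifacts into those inside the requested window and those outside it.
    Findings outside the window may be correct but are candidate red herrings."""
    inside = sorted(n for n, t in artifacts.items() if start <= t < end)
    outside = sorted(n for n, t in artifacts.items() if not (start <= t < end))
    return inside, outside

if __name__ == "__main__":
    # Hypothetical scope window (not from the page): the period the request asks about.
    inside, outside = scope_report(ARTIFACTS, datetime(2013, 9, 1), datetime(2013, 10, 7))
    for claim in execution_inferences(ARTIFACTS):
        print("finding:", claim)
    print("in scope:", inside or "none")
    print("outside scope (confirm relevance before chasing):", outside)
```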

Tomorrow we have a pretty amazing Forensic Lunch; try to watch live at noon CST so you can ask your questions!