What was wiped? Part 1

Hello again Reader,

I've actually put an appointment on my calendar now to remind me to blog, let's see if reminders will ensure regular posts.This is a short beginning for part 1 to insure I meet these weekly updates.

Many times when you are working an investigation the question of spoliation will come up. In the most obvious scenarios of spoliation a suspect will use a tool that will to some extent wipe out his tracks. These tools come in three flavors:

1. Whole disk wipers: It's fairly obvious when this happens, though some suspects may tell you it's just encrypted. If they say that ask them what program they used to encrypt it and to please hand over the key.

2. File/directory wipers: If someone were to run a program such as bcwipe or eraser to delete files or directories the first thing these programs do is rename the file to prevent you from recovering what file was deleted. So if your suspect wiped 1,000 files you would find 1,000 randomly named files all seeming modified within seconds of each other on the disk from a different date. After renaming the file, it sets the time and after overwriting the contents of the file it sets the size to 0.

Here is a ftk imager view of a directory named temp with some random new files made:

Here is the same directory in ftk imager a second after wiping:

"How long these file stick around seems to vary by the file system. In older cases I found them months after the fact but on my Windows 7 system that I'm running ftk imager doing a view of my local physical drive some random files disappear in a couple seconds, which accounts for why we don't see 7 random files. " *This isn't exactly true, please see the update below* This wipe was done using bcwipe, the behavior of what wipers leave behind and how it runs on each OS and file system sounds like a good post for me to work on.

In part 2 we will go into system cleaners like CCleaner and some research into what they leave behind.

Update:

Looks like my disappearing wiped files are not a product of a different version of windows or the file system, it was the windows write cache. I made a couple of new files before and just wiped them immediately after, looks like they didn't actually get committed to the disk before I wiped them and thus would not be around afterwords.

To test this I downloaded a random set of source code from sourceforge, extracted it to a directory and then rebooted to make sure everything was flushed.

After rebooting I wiped seven files from a directory in the source tree and got seven wiped entries as expected:

As you can see, seven randomly named files all again with the date of 4/30/1986 and the time 11:43am. I guess this goes back to my last post, if something seems wrong double check your assumptions.

When I wipe the entire directory tree it then appears as an orphaned directory with all of the directory names and file names changed again to random letters with the same date as we saw before, except for the directories which remain the correct date (these times are in UTC so the date appears as 1/20/11):

Tweet

New blog design

Happy Sunday,
hope you enjoy the new blog design as much as I do. I've added some facebook/twitter buttons as well to make things easier for those of you already sharing, thanks btw. Looking for the next blog to be up Tuesday.

Tweet

What are you missing?

Hola Readers,
Every image is a special snowflake in regards to what software you find installed. There are times though when an investigator, myself included, gets comfortable as to what to expect and what they believe their tools are already doing for them. I had such an occasion last month when I found an image where the user was using Google Chrome as their browser. The case this was for is now settled and there was no public disclosure of my involvement in any form of declaration/affidavit/report so I will not be identifying the parties.

I was the second person to review the image at the time and we were looking to recover communications between our suspect and other parties around the time of his departure from his then current employer. What was suspiciously absent in our first round of reviews was a lack of web activity being reported from our standard tools. When this happens three things come to my mind for sanity checking:

1. When did the user profile I am looking at get created?
If this is a new system and I got handed it a couple days after the suspect started using it maybe what I'm seeing is correct. In this case, no the system had been in use for at least a year.

2. Is there any indications of popular 'cleaning' or wiping software being used?
Running through the user assist records, lnk files to no longer existent sources or other artifact sources that no longer show data after a consistent date are all signs of this. I will write another blog post about detecting what/when something was cleaned. In this case everything else was in place as it should be.

3. What other programs are installed? Am I missing something?
A quick look through the program files folder and user assist should be done at this point, is there something being used here that you hadn't dealt with previously. The user in this case had IE and firefox installed on his system so I didn't think to check for yet another web browser.


So I took a look through the keyword hits coming from his personal email address and noticed for the first time that they were contained within Chrome SQL Lite databases. Prior to this point I had not extracted the history files for a Chrome user and began a round of google searches to determine how to proceed.

While Google Chrome does make use of SQL Lite databases, basically flat files that contain a database structure that can be used like a relational database without the overhead, I didn't want to manual string together queries. I found two pages that helped me reach the evidence I needed.

The first located on the SANS blog provided me the information I needed regarding the structure of where the files should exist and what files I was most interested in. If I was looking to use log2timeline I could have stopped there, but I already have a license of NetAnalysis so I went to their site next.

Luckily for me in version 1.52 was announced in my inbox on 12/11/10 and now included Google Chrome support. So utilizing the information from the SANS blog I exported it to NetAnalysis for parsing and came up with all of the webmail usage I was expecting.

So the next time you don't find what you are expecting try my three steps and see if there is something you are missing.

If you know of a tool that supports Google Chrome histories besides log2timeline and NetAnalysis please comment or email with it.

Tweet

Happy New Year and new Federal Civil Procedure Rules Year

Hello Readers,
Since I last so optimistically posted that I would resume blogging in 2010 I had no idea what the first year of a child's life meant for a new parent. I am making a commitment in 2011 to begin regularly posting again and I hope you will believe me and choose to follow along.

In 2010 news I did speak at HTCIA 2010 in Atlanta this year on forensic cases studies from some of G-C's greatest civil cases.

In 2011 news I will be speaking at CEIC 2011 http://www.ceicconference.com on outlook web access forensic analysis. I've been asked to make it a lab so if you are going to CEIC I hope you sign up and learn about what I've learned about OWA analysis in 2010 as it relates to Exchange 2003/2007/2010.

I plan to try to speak more often in 2011 so if your conference is looking for a speaker let me know.

In civil expert witness news I am very happy to join the chorus of other legal commentators to praise the change in the federal rules of civil procedure for expert disclosures. The rule took effect December 1, 2010.

You can read more about it here and here but the jist of it is that emails and drafts of documents exchanged between lawyers and experts is no longer discoverable unless it contains information regarding compensation or information that leads to an opinion. This will make mine my life considerably easier and I hope yours as well.

Tweet