I have recently been working on a case where I had occasion to re-image a subject's machine, and was surprised to find that most of the provocative material was gone without a trace this time. I used Encase to examine the drive. I am used to seeing the tracks left by wiping tools, and this appeared as though they never existed.

When some wiping utilities I have experience with were used, the filenames were usually intact, although the content of the file was overwritten. Is this because the filename is listed in the master file table? Is the size also contained in this MFT? Is MFT not the master file table? Other utilities I have seen scramble or rename the files, but there are still files there marked as deleted.

Anyway, this particular case has troubled me. I am not aware of a tool that could remove these files previously marked as deleted without leaving some kind of trace. Are there any executables that I can look for that would betray that some sort of scrubbing had been used?

I take it very personally when someone attempts this sort of thing, because they think they are smarter than me. This time it looks like they might be.

Ed

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
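The questions in the post about what the MFT holds can be answered by reading a record directly. On NTFS each file has a 1024-byte FILE record in the Master File Table; the name, timestamps, allocated size and real size live in its $FILE_NAME attribute, and a small file's content is stored resident in the record as well. Deleting a file only clears the in-use flag of that record, so a wiper that overwrites the data clusters and nothing else leaves name and sizes readable, whereas a record that has been zeroed carries no signature and nothing to recover. The following parser is an added example and not code from the post or from the tools it mentions; the record bytes are constructed by build_record() for illustration, and the field offsets follow the public NTFS on-disk layout for the FILE record header, resident attribute header and $FILE_NAME attribute.

```python
"""Parse a single NTFS MFT FILE record and report what survives deletion.

Added example, not from the original mailing-list post. The records are
constructed in-memory by build_record(); offsets follow the NTFS on-disk layout.
"""
import struct

RECORD_SIZE = 1024
SECTOR = 512
ATTR_STANDARD_INFORMATION = 0x10
ATTR_FILE_NAME = 0x30
ATTR_DATA = 0x80
ATTR_END = 0xFFFFFFFF
FLAG_IN_USE = 0x0001


def apply_fixups(rec):
    """Undo update-sequence fixups: NTFS stamps the update sequence number (USN)
    over the last two bytes of every 512-byte sector and keeps the originals in
    the update sequence array (USA). A torn or corrupt record fails the check."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 0x04)
    usn = rec[usa_off:usa_off + 2]
    out = bytearray(rec)
    for i in range(1, usa_cnt):
        end = i * SECTOR - 2
        if out[end:end + 2] != usn:
            raise ValueError("update sequence mismatch: torn or corrupt record")
        out[end:end + 2] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(out)


def parse_record(raw):
    """Return name, sizes, in-use state and resident data, or None if the
    1024-byte slot holds no FILE record at all (never used, or zeroed)."""
    if raw[:4] != b"FILE":
        return None
    rec = apply_fixups(raw)
    attr_off, flags = struct.unpack_from("<HH", rec, 0x14)
    info = {"in_use": bool(flags & FLAG_IN_USE), "name": None,
            "real_size": None, "alloc_size": None, "data": None}
    while attr_off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, attr_off)
        if atype == ATTR_END or alen == 0:
            break
        if rec[attr_off + 8] == 0:                    # resident attribute
            csize, coff = struct.unpack_from("<IH", rec, attr_off + 0x10)
            content = rec[attr_off + coff:attr_off + coff + csize]
            if atype == ATTR_FILE_NAME:
                # $FILE_NAME: parent ref, 4 timestamps, alloc size, real size,
                # flags, reparse, name length, namespace, UTF-16LE name
                info["alloc_size"], info["real_size"] = struct.unpack_from("<QQ", content, 0x28)
                nlen = content[0x40]
                info["name"] = content[0x42:0x42 + 2 * nlen].decode("utf-16-le")
            elif atype == ATTR_DATA:
                info["data"] = content                # small file: content lives in the MFT
        attr_off += alen
    return info


def _attr(atype, content):
    """Resident, unnamed attribute: 24-byte header + content, 8-byte aligned."""
    hdr = struct.pack("<IIBBHHH", atype, 0, 0, 0, 0, 0, 0)   # type, length (patched), flags...
    hdr += struct.pack("<IHBB", len(content), 0x18, 0, 0)    # content size, content offset
    body = hdr + content
    body += b"\0" * (-len(body) % 8)
    return body[:4] + struct.pack("<I", len(body)) + body[8:]


def build_record(name, data, in_use):
    """Construct a FILE record (sample input for this example, not a real MFT)."""
    fn = b"\0" * 0x28 + struct.pack("<QQ", -(-len(data) // 8) * 8, len(data))
    fn += struct.pack("<IIBB", 0, 0, len(name), 3) + name.encode("utf-16-le")
    attrs = (_attr(ATTR_STANDARD_INFORMATION, b"\0" * 48) + _attr(ATTR_FILE_NAME, fn)
             + _attr(ATTR_DATA, data) + struct.pack("<I", ATTR_END))
    usa_cnt = RECORD_SIZE // SECTOR + 1              # USN plus one entry per sector
    rec = bytearray(RECORD_SIZE)
    struct.pack_into("<4sHHQHHHHIIQHHI", rec, 0, b"FILE", 0x30, usa_cnt, 0, 1, 1, 0x38,
                     FLAG_IN_USE if in_use else 0, 0x38 + len(attrs), RECORD_SIZE, 0, 3, 0, 0)
    rec[0x38:0x38 + len(attrs)] = attrs
    usn = b"\x01\x00"                                # write fixups the way NTFS does
    rec[0x30:0x32] = usn
    for i in range(1, usa_cnt):
        end = i * SECTOR - 2
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end:end + 2]
        rec[end:end + 2] = usn
    return bytes(rec)


if __name__ == "__main__":
    payload = b"quarterly numbers, do not distribute"
    cases = {"live": build_record("evidence.doc", payload, True),
             "deleted": build_record("evidence.doc", payload, False),
             "scrubbed": bytes(RECORD_SIZE)}          # slot zeroed in place
    for label, rec in cases.items():
        print(f"{label:9s} {parse_record(rec)}")
```

Run stand-alone, the "deleted" record still yields the name, both sizes and (for a resident file) the content with only in_use flipped to False, which is the state the post describes after ordinary wipers; the "scrubbed" slot yields None, which is what a record that has been zeroed or reused looks like to a parser and to a forensic tool walking $MFT. Non-resident attributes are skipped here; for a real image their data runs would point at the clusters a wiper overwrites.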
This archive was generated by hypermail 2b30 : Tue Sep 04 2001 - 10:31:16 PDT