Any idea on the name of the tool that was used, or the program you used to check the files? I have seen programs able to write over the files and reorganize them to take advantage of "slack space". Can you elaborate on any more of your investigation and what steps you have undertaken?

-----Original Message-----
From: Ed Shirley [mailto:thewthrmanat_private]
Sent: Thursday, August 30, 2001 4:27 PM
To: FORENSICSat_private
Subject: Tracks covered pretty well...

I have recently been working on a case where I had occasion to re-image a subject's machine and was surprised to find that most of the provocative material was gone without a trace this time. I used Encase to examine the drive.

I am used to seeing the tracks left by wiping tools, and this appeared as though they never existed. When some of the wiping utilities I have experience with were used, the filenames were usually intact, although the content of the file was overwritten. Is this because the filename is listed in the master file table? Is the size also contained in this MFT? Is MFT not the master file table?

Other utils I have seen scramble or rename the files, but there are still files there marked as deleted.

Anyway, this particular case has troubled me. I am not aware of a tool that could remove these files previously marked as deleted without leaving some kind of trace. Are there any executables that I can look for that would betray that some sort of scrubbing had been used?

I take it very personally when someone attempts this sort of thing, because they think they are smarter than me. This time it looks like they might be.

Ed

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
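The questions in the thread about what the MFT holds, worked through as an added example that is not code from the list or any of its posters: a small parser for an NTFS MFT FILE record that applies the update-sequence fixups, reads the filename from the $FILE_NAME attribute and the logical size from the unnamed $DATA attribute, and reports the header's in-use flag, which is clear on a deleted file whose record has not yet been reused. The record it parses is constructed in code (assumed layout: NTFS 3.x 1024-byte records, 512-byte sectors, resident $DATA, no $STANDARD_INFORMATION attribute, zero timestamps).

```python
import struct
FILE_NAME, DATA, END = 0x30, 0x80, 0xFFFFFFFF

def apply_fixups(rec: bytes, sector: int = 512) -> bytes:
    """Undo update-sequence fixups: on disk the last word of each sector is the USN; originals sit in the USA."""
    usa_off, usa_len = struct.unpack_from("<HH", rec, 4)
    usn, buf = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_len):
        if buf[i * sector - 2:i * sector] != usn:
            raise ValueError("fixup mismatch: torn write or not a FILE record")
        buf[i * sector - 2:i * sector] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def parse_record(rec: bytes) -> dict:
    """Name, logical size and in-use flag of one 1024-byte FILE record (in_use False + name present = deleted, not reused)."""
    if rec[:4] != b"FILE":
        raise ValueError("not an MFT FILE record")
    rec = apply_fixups(rec)
    off, flags = struct.unpack_from("<HH", rec, 20)            # first attribute offset, record flags
    info = {"in_use": bool(flags & 1), "name": None, "size": None}
    while off + 8 <= len(rec):
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END or alen == 0:
            break
        non_resident = rec[off + 8]
        if atype == FILE_NAME and not non_resident:            # the filename lives in the MFT itself
            clen, coff = struct.unpack_from("<IH", rec, off + 16)
            body = rec[off + coff:off + coff + clen]
            info["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
        elif atype == DATA and rec[off + 9] == 0:              # unnamed (primary) data stream
            fmt, at = ("<Q", 48) if non_resident else ("<I", 16)  # real size / resident content length
            info["size"] = struct.unpack_from(fmt, rec, off + at)[0]
        off += alen
    return info

def build_sample_record(name: str, content: bytes, in_use: bool) -> bytes:
    """Constructed sample record for the demo (not from any disk): header, $FILE_NAME, resident $DATA, end marker."""
    def attr(atype, aid, body, clen):
        body += b"\0" * (-len(body) % 8)                       # attributes are 8-byte aligned
        return struct.pack("<IIBBHHHIHBB", atype, 24 + len(body), 0, 0, 0, 0, aid, clen, 24, 0, 0) + body
    fn = struct.pack("<Q4Q2QIIBB", 5, 0, 0, 0, 0, len(content), len(content), 0x20, 0, len(name), 3)
    attrs = attr(FILE_NAME, 2, fn + name.encode("utf-16-le"), 66 + 2 * len(name))
    attrs += attr(DATA, 3, content, len(content)) + struct.pack("<II", END, 0)
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 1, 1, 56, int(in_use),
                      56 + len(attrs), 1024, 0, 4, 0, 40) + b"\0" * 8   # 8 bytes reserved for the USA
    rec = bytearray(hdr + attrs + b"\0" * (1024 - 56 - len(attrs)))
    rec[48:50] = b"\x01\x00"                                   # USN = 1
    for i in (1, 2):                                           # encode the fixup for each 512-byte sector
        rec[48 + 2 * i:50 + 2 * i] = rec[i * 512 - 2:i * 512]
        rec[i * 512 - 2:i * 512] = b"\x01\x00"
    return bytes(rec)
```

Against an exported $MFT, slicing the file into 1024-byte records and feeding each to parse_record lists the entries whose in-use flag is clear but whose name is still present, which is the residue that ordinary deletion and most content-wiping tools leave behind.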
This archive was generated by hypermail 2b30 : Wed Sep 05 2001 - 09:56:24 PDT