Remnants of .. Wiping??

From: Mark G. Spencer (dreadnoughtat_private)
Date: Tue Jul 01 2003 - 11:22:13 PDT


    (Posted to SF Forensics and CFID)
    
    I've investigated cases involving the use of Evidence Eliminator and
    Z-Delete before and remnants of their installation were readily available.
    I'm working on a case now where I haven't found any obvious remnants
    (eectrl.bat and registry entries for EE for example) and am looking for some
    help .. 
    
    I have a system (Win32) with over 1.1 million files created on the same day.
    These files show up in EnCase as 0 bytes, deleted and overwritten.  The
    filenames are all different, but appear to rotate in a methodical fashion.
    Three of the files show very large file sizes, between 500meg and 1gig, and
    the only difference from the other million files (other than filesize being
    larger) is that their extensions, instead of being unique, are all .WIP.
    
    Any ideas?  I have not yet gone through the registry key by key, but have
    done quite a few sorts to try and find suspicious executables accessed on
    the date in question and have not yet found anything.
    
    Thanks,
    
    Mark
    
    