File Extensions

From: Kevin.M-CTR.Shannonat_private
Date: Wed Jul 02 2003 - 06:10:37 PDT

    The following web site is a great resource for looking up file extensions.
    If they do not have an extension definition, the visitor may submit a new
    definition.
    http://filext.com/
    
    Kevin Shannon,
    Email - Kevin.M-CTR.Shannonat_private
    
    
    "Donald Voss" <vossat_private>
    07/02/2003 07:07 AM
    
            To:     <dreadnoughtat_private>, <forensicsat_private>
            cc:
            Subject:        RE: Remnants of .. Wiping??
    
    Mark,
    
    I have made it a habit to use Google when I happen upon an unknown file
    extension [.wip]
    
    So a search with the string file extension .WIP is
    http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=file+extension+.WIP
    
    We get a few pages of stuff, search in English only here .. Majority show
    .wip to be a Windows installer file type when making install packages with
    Visual Basic .. Which might account for the sizes and the repeating random
    naming .. Someone kept making a package, adjusted it, made it again, etc.
    They just let the work area build up .wip files .. Hence the amount, naming,
    sizes.
    
    Also wip is used as a work in progress .. But I would go with the installer
    material.
    
    Crossed my mind that .wip might stand for some kind of wipe tool .. But the
    quick short search found no mention of that.
    
    Good luck,
    
    /don
    
    ___________________________________________
    voss at albany.edu
    Donald Voss
    Systems Analyst
    The University at Albany
    
    "No matter how cynical I get, it is impossible to keep up" - Lily Tomlin
    
    -----Original Message-----
    From: Mark G. Spencer [mailto:dreadnoughtat_private]
    Sent: Tuesday, July 01, 2003 2:22 PM
    To: forensicsat_private
    Subject: Remnants of .. Wiping??
    
    
    (Posted to SF Forensics and CFID)
    
    I've investigated cases involving the use of Evidence Eliminator and
    Z-Delete before and remnants of their installation were readily available.
    I'm working on a case now where I haven't found any obvious remnants
    (eectrl.bat and registry entries for EE for example) and am looking for some
    help ..
    
    I have a system (Win32) with over 1.1 million files created on the same day.
    These files show up in EnCase as 0 bytes, deleted and overwritten.  The
    filenames are all different, but appear to rotate in a methodical fashion.
    Three of the files show very large file sizes, between 500meg and 1gig, and
    the only difference from the other million files (other than filesize being
    larger) is their extension: instead of being unique, they are all .WIP.
    
    Any ideas?  I have not yet gone through the registry key by key, but have
    done quite a few sorts to try and find suspicious executables accessed on
    the date in question and have not yet found anything.
    
    Thanks,
    
    Mark
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For more
    information on this free incident handling, management
    and tracking system please see: http://aris.securityfocus.com
    
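The triage Mark describes by hand (one day with over a million zero-byte deleted files, rotating names, three large files sharing the one repeated extension) is easy to automate once the file listing is exported. The script below is an added example written for this thread; it is not code from the list, from EnCase or from any of the posters. It assumes the listing has been exported to CSV with the columns path, size, created and deleted (an assumption; real export formats vary) and runs over a small constructed sample built inline, so it works offline.

```python
"""Triage a forensic file listing for a mass-creation burst and extension outliers.

Added example for the pattern described in the thread (many 0-byte deleted
files created on one day, rotating names, a few large files sharing the .WIP
extension). Not code from the list, from EnCase or from any poster. Assumes
the listing was exported to CSV with the columns path, size, created, deleted
(an assumption; real export formats vary) and runs over a constructed sample.
"""
import csv
import io
import itertools
import string
from collections import Counter
from datetime import date

SUSPECT_DAY = date(2003, 6, 30)  # constructed date for the sample listing


def build_sample_listing(n_small=2000, n_large=3):
    """Construct a CSV listing mimicking the thread's pattern (sample data).

    n_small zero-byte deleted files with methodically rotating names and
    unique extensions, n_large big deleted .WIP files on the same day, and
    some ordinary live documents on other days as background noise.
    """
    rows = [("path", "size", "created", "deleted")]
    letters = itertools.cycle(string.ascii_lowercase)
    for i in range(n_small):
        name = "".join(next(letters) for _ in range(8))  # rotating name
        rows.append((f"C:\\work\\{name}.{i:04x}", "0",
                     f"{SUSPECT_DAY}T09:{i % 60:02d}:00", "1"))
    for i in range(n_large):
        rows.append((f"C:\\work\\pkg{i}.WIP", str(600_000_000 + i * 150_000_000),
                     f"{SUSPECT_DAY}T10:00:0{i}", "1"))
    for i in range(50):
        rows.append((f"C:\\docs\\report{i}.doc", str(20_000 + i),
                     f"2003-06-{1 + i % 28:02d}T12:00:00", "0"))
    buf = io.StringIO()
    csv.writer(buf).writerows(rows)
    return buf.getvalue()


def parse_listing(text):
    """Yield dicts with typed fields from the CSV listing."""
    for row in csv.DictReader(io.StringIO(text)):
        yield {
            "path": row["path"],
            "size": int(row["size"]),
            "created": date.fromisoformat(row["created"][:10]),
            "deleted": row["deleted"] == "1",
        }


def extension_of(path):
    """Lower-cased extension of a Windows path, '' if there is none."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def creation_bursts(entries, threshold=1000):
    """Days on which at least `threshold` files were created: {day: count}."""
    per_day = Counter(e["created"] for e in entries)
    return {d: c for d, c in per_day.items() if c >= threshold}


def summarize_day(entries, day):
    """Describe one day's files the way an examiner would want them sorted."""
    todays = [e for e in entries if e["created"] == day]
    ext_counts = Counter(extension_of(e["path"]) for e in todays)
    sizes = sorted(e["size"] for e in todays)
    # Size outliers: anything above that day's 99th-percentile size. With a
    # mass of zero-byte files the cut-off is 0, so every non-empty file stands out.
    cut = sizes[int(len(sizes) * 0.99)] if sizes else 0
    return {
        "total": len(todays),
        "zero_byte_deleted": sum(1 for e in todays if e["size"] == 0 and e["deleted"]),
        "distinct_extensions": len(ext_counts),
        # Extensions shared by more than one file: when the bulk of the names
        # rotate through unique extensions, anything repeated is worth looking up.
        "repeated_extensions": {x: c for x, c in ext_counts.items() if c > 1},
        "size_outliers": sorted((e["path"], e["size"]) for e in todays if e["size"] > cut),
    }


if __name__ == "__main__":
    entries = list(parse_listing(build_sample_listing()))
    for day, count in creation_bursts(entries).items():
        print(f"burst: {count} files created on {day}")
        for key, value in summarize_day(entries, day).items():
            print(f"  {key}: {value}")
```

On the constructed sample the burst detector reports the single suspect day, the summary counts 2000 zero-byte deleted files, and the only repeated extension is `wip` on the three size outliers, which is exactly the shortlist Don then took to a search engine. On a real export, the thresholds (burst size, percentile) are the knobs to tune, and the repeated-extension list is what to check against a reference such as filext.com before drawing conclusions about wiping tools.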
    This archive was generated by hypermail 2b30 : Sat Jul 05 2003 - 07:15:41 PDT