[http://www.wotsit.org/]: "The Programmer's File Format Collection" is also reportedly good.

Justin

On Sat, Jul 05, 2003 at 05:10:03PM +0000, Kevin.M-CTR.Shannonat_private wrote:
> The following web site is a great resource for looking up file extensions.
> If they do not have an extension definition, the visitor may submit a new
> definition.
> http://filext.com/
>
> Kevin Shannon,
> Email - Kevin.M-CTR.Shannonat_private
>
> 'Donald Voss' <vossat_private>
> 07/02/2003 07:07 AM
>
> To: <dreadnoughtat_private>, <forensicsat_private>
> cc:
> Subject: RE: Remnants of .. Wiping??
>
> Mark,
>
> I have made it a habit to use google when I happen upon an unknown file
> extension [.wip]
>
> So a search with the string file extension .WIP is
> http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=file+extension+.WIP
>
> We get a few pages of stuff, search in English only here .. Majority show
> wip to be a windows installer file type when making install packages with
> visual basic .. Which might account for the sizes and the repeating random
> naming .. Someone kept making a package, adjusted it, made it again, etc.
> They just let the work area build up .wip files .. Hence the amount,
> naming, sizes.
>
> Also wip is used as a work in progress .. But I would go with the
> installer material.
>
> Crossed my mind that .wip might stand for some kind of wipe tool .. But
> the quick short search found no mention of that.
>
> Good luck,
>
> /don
>
> ___________________________________________
> voss at albany.edu
> Donald Voss
> Systems Analyst
> The University at Albany
>
> 'No matter how cynical I get, it is impossible to keep up' - Lilly Tomlin
>
> -----Original Message-----
> From: Mark G. Spencer [mailto:dreadnoughtat_private]
> Sent: Tuesday, July 01, 2003 2:22 PM
> To: forensicsat_private
> Subject: Remnants of .. Wiping??
>
> (Posted to SF Forensics and CFID)
>
> I've investigated cases involving the use of Evidence Eliminator and
> Z-Delete before and remnants of their installation were readily available.
> I'm working on a case now where I haven't found any obvious remnants
> (eectrl.bat and registry entries for EE for example) and am looking for
> some help ..
>
> I have a system (Win32) with over 1.1 million files created on the same
> day. These files show up in EnCase as 0 bytes, deleted and overwritten. The
> filenames are all different, but appear to rotate in a methodical fashion.
> Three of the files show very large file sizes, between 500meg and 1gig and
> the only difference from the other million files (other than filesize
> being larger) is their extension, instead of being unique, are all .WIP.
>
> Any ideas? I have not yet gone through the registry key by key, but have
> done quite a few sorts to try and find suspicious executables accessed on
> the date in question and have not yet found anything.
>
> Thanks,
>
> Mark
>
> -----------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service. For more
> information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
This archive was generated by hypermail 2b30 : Sat Jul 05 2003 - 09:08:28 PDT