RE: More on possible remnants of wiping ..

From: Mark G. Spencer (mspencerat_private)
Date: Thu Jul 10 2003 - 09:37:47 PDT


    Hi Jack (and curious listmembers!), 
    
    I have been getting some emails regarding the filenames, so I put the
    compressed text files on an FTP server.
    
    If anyone wants to take a look, they are at:
    
    208.179.248.80
    User: ISIT
    Pass: Wiping?
    
    You will be dropped into the proper folder with the zip file.
    
    I spoke to Symantec and they didn't think the data I have was consistent
    with the use of Wipeinfo.  I went down that road because I found an earlier
    tape backup of this particular machine and in slack space of various files
    found mention of Wipeinfo (and the rest of the Norton Utilities) having been
    installed at one point.  In any case, I have the NU 2002 version and will
    test this for myself.
    
    Thanks for taking a look,
    
    Mark
    
    -----Original Message-----
    From: Jack Seward [mailto:jacksewardat_private] 
    Sent: Thursday, July 10, 2003 7:21 AM
    To: Mark G. Spencer; forensicsat_private
    Subject: Re: More on possible remnants of wiping ..
    
    
    Mark,
    
    I am interested in looking at the text file you created, send it along to
    me.
    
    Since I am on vacation this week, I probably cannot look up some of the many
    programs I have for wiping.  But one that does come to mind is from
    AccessData, DriveWipe.
    
    Next week I could give a look at this, Mark, if you can wait.
    
    Regards,
    
    Jack Seward
    
    ----- Original Message ----- 
    From: "Mark G. Spencer" <mspencerat_private>
    To: <forensicsat_private>
    Sent: Wednesday, July 09, 2003 3:48 PM
    Subject: More on possible remnants of wiping ..
    
    
    (Posted to SF Forensics, CFID, and HTCC.)
    
    Since my last post regarding possible remnants of wiping I have performed
    additional review on the 19.1 GB drive, and here's what I know:
    
    There are 1,127,971 deleted 0 byte files, all last accessed on the same day,
    dispersed through every folder of the hard drive.  I'm using EnCase for this
    review, which reports each of these files as "File, Invalid Cluster,
    Deleted, Hidden, Archive."
    
    Also on the same day, there are 5 deleted files with the extension .WIP.
    Four of the files are 1,074,216,960 bytes in size, one is 535,478,272 bytes.
    These five files were located in the root of the C: partition.  EnCase
    reports "File, Deleted, Overwritten, Hidden, Archive" for these five files.
    
    I have keyword searched the drive with terms I've had great success with in
    the past, such as "evidence", "wiping", "gutman", etc.  No luck.  In
    addition, I reviewed the event logs and registry and have found nothing of
    interest.
    
    I recently got a suggestion (Thanks Alan!) to search through the swap file
    to see if any unusual .DLLs were called.  I'm going to check that out
    today.
    
    I'm hoping someone may recognize this type of activity as being consistent
    with a certain application?  While it appears to be remnants of wiping
    activity, I'm not convinced that it certainly is.  I have exported the
    filenames to a compressed text file if anyone is curious to see what they
    look like.
    
    Thanks for the suggestions!
    
    Mark G. Spencer
    Computer Forensics Examiner
    EvidentData, Inc.
    Web: http://www.evidentdata.com
    
    
    
    -----------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service. For more
    information on this free incident handling, management and tracking system
    please see: http://aris.securityfocus.com
    
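    The two patterns Mark describes (a very large number of deleted 0-byte files all last accessed on one day, and a handful of huge deleted, overwritten .WIP files in the partition root) can be pulled out of a file-list export mechanically. The following triage script is an added example, not code from the thread or from EnCase; the tab-separated export format, the column names and the sample rows are constructed assumptions, and a real export would need its columns mapped onto these.

```python
import csv
import io
from collections import Counter

# Constructed sample of a tab-separated file-list export (not real case data):
# name, full path, logical size, last-accessed day, attribute flags.
SAMPLE_EXPORT = """\
name\tpath\tsize\taccessed\tflags
a.tmp\tC:\\Windows\\Temp\\a.tmp\t0\t2003-06-30\tFile,Invalid Cluster,Deleted,Hidden,Archive
b.tmp\tC:\\Program Files\\b.tmp\t0\t2003-06-30\tFile,Invalid Cluster,Deleted,Hidden,Archive
c.tmp\tC:\\Docs\\c.tmp\t0\t2003-06-30\tFile,Invalid Cluster,Deleted,Hidden,Archive
readme.txt\tC:\\Docs\\readme.txt\t0\t2003-05-12\tFile,Deleted,Archive
0001.WIP\tC:\\0001.WIP\t1074216960\t2003-06-30\tFile,Deleted,Overwritten,Hidden,Archive
0002.WIP\tC:\\0002.WIP\t535478272\t2003-06-30\tFile,Deleted,Overwritten,Hidden,Archive
report.doc\tC:\\Docs\\report.doc\t34816\t2003-06-29\tFile,Archive
"""

def parse_export(text):
    """Read the export into dicts; sizes become ints and flags become a set."""
    rows = list(csv.DictReader(io.StringIO(text), delimiter="\t"))
    for r in rows:
        r["size"] = int(r["size"])
        r["flags"] = {f.strip() for f in r["flags"].split(",")}
    return rows

def zero_byte_deleted_by_day(rows):
    """Count deleted 0-byte files per last-accessed day. One day dominating
    the histogram is the mass-deletion signature from the thread."""
    return Counter(r["accessed"] for r in rows
                   if r["size"] == 0 and "Deleted" in r["flags"])

def root_wip_files(rows):
    """Deleted files with a .WIP extension sitting directly in a partition root
    (parent path is just the drive letter, e.g. 'C:')."""
    hits = []
    for r in rows:
        parent = r["path"].rsplit("\\", 1)[0]
        if (r["name"].upper().endswith(".WIP") and parent.endswith(":")
                and "Deleted" in r["flags"]):
            hits.append((r["name"], r["size"]))
    return hits

def triage(text):
    """Summarise both indicators for an examiner's notes."""
    rows = parse_export(text)
    day, count = zero_byte_deleted_by_day(rows).most_common(1)[0]
    wip = root_wip_files(rows)
    return {"peak_day": day, "zero_byte_deleted_on_peak_day": count,
            "wip_files": wip, "wip_bytes": sum(size for _, size in wip)}
```

The .WIP byte total is worth comparing against the free space the wiper would have had to fill: large files that together approach the partition's free space are what a free-space wiper leaves behind when it is interrupted or does not delete its work files cleanly.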
    



    This archive was generated by hypermail 2b30 : Thu Jul 10 2003 - 11:07:14 PDT