RE: More on possible remnants of wiping ..

From: Robert Goto (rgotoat_private)
Date: Wed Dec 31 1969 - 15:59:59 PST


    There are some 'wiping' type applications mentioned in the registry of a 
    standard Windows 9x installation. So the fact that you find them in a text 
    search of the drive does not necessarily mean that these applications ever 
    existed on a drive.  
    
    On a case I worked on a while ago, I got all excited when I found these apps 
    showing up as the result of a text search but alas found them all to be from:
    
    hkey_local_machine\system\current control set\control\session manager\checkbadapps
    
    This appears to be a list of applications which Windows checks for and finding 
    these entries does not mean that these applications ever existed on the subject 
    computer.
    Some of the applications found in this registry key are:
    Shred.exe
    Wipeinfo.exe
    Secure.exe
    
    > Hi Jack (and curious listmembers!), 
    > 
    > I have been getting some emails regarding the filenames, so I put the
    > compressed text files on a FTP server.
    > 
    > If anyone wants to take a look, they are at:
    > 
    > 208.179.248.80
    > User: ISIT
    > Pass: Wiping?
    > 
    > You will be dropped into the proper folder with the zip file.
    > 
    > I spoke to Symantec and they didn't think the data I have was consistent
    > with the use of Wipeinfo.  I went down that road because I found an earlier
    > tape backup of this particular machine and in slack space of various files
    > found mention of Wipeinfo (and the rest of the Norton Utilities) having been
    > installed at one point.  In any case, I have the NU 2002 version and will
    > test this for myself.
    > 
    > Thanks for taking a look,
    > 
    > Mark
    > 
    > -----Original Message-----
    > From: Jack Seward [mailto:jacksewardat_private] 
    > Sent: Thursday, July 10, 2003 7:21 AM
    > To: Mark G. Spencer; forensicsat_private
    > Subject: Re: More on possible remnants of wiping ..
    > 
    > 
    > Mark,
    > 
    > I am interested in looking at the text file you created, send it along to
    > me.
    > 
    > Since I am on vacation this week, I probably cannot look up some of the many
    > programs I have for wiping.  But one that does come to mind is from
    > AccessData, DriveWipe.
    > 
    > Next week I could give a look at this Mark if you can wait.
    > 
    > Regards,
    > 
    > Jack Seward
    > 
    > ----- Original Message ----- 
    > From: "Mark G. Spencer" <mspencerat_private>
    > To: <forensicsat_private>
    > Sent: Wednesday, July 09, 2003 3:48 PM
    > Subject: More on possible remnants of wiping ..
    > 
    > 
    > (Posted to SF Forensics, CFID, and HTCC.)
    > 
    > Since my last post regarding possible remnants of wiping I have performed
    > additional review on the 19.1gb drive, and here's what I know:
    > 
    > There are 1,127,971 deleted 0 byte files, all last accessed on the same day,
    > dispersed through every folder of the hard drive.  I'm using EnCase for this
    > review, which reports each of these files as "File, Invalid Cluster,
    > Deleted, Hidden, Archive."
    > 
    > Also on the same day, there are 5 deleted files with the extension .WIP.
    > Four of the files are 1,074,216,960 bytes in size, one is 535,478,272 bytes.
    > These five files were located in the root of the C: partition.  EnCase
    > reports "File, Deleted, Overwritten, Hidden, Archive" for these five files.
    > 
    > I have keyword searched the drive with terms I've had great success with in
    > the past, such as "evidence", "wiping", "gutman", etc.  No luck.  In
    > addition, I reviewed the event logs and registry and have found nothing of
    > interest.
    > 
    > I recently got a suggestion (Thanks Alan!) to search through the swap file
    > to see if any unusual .DLL's were called.  I'm going to check that out
    > today.
    > 
    > I'm hoping someone may recognize this type of activity as being consistent
    > with a certain application?  While it appears to be remnants of wiping
    > activity, I'm not convinced that it certainly is.  I have exported the
    > filenames to a compressed text file if anyone is curious to see what they
    > look like.
    > 
    > Thanks for the suggestions!
    > 
    > Mark G. Spencer
    > Computer Forensics Examiner
    > EvidentData, Inc.
    > Web: http://www.evidentdata.com
    > 
    > 
    > 
    > -----------------------------------------------------------------
    > This list is provided by the SecurityFocus ARIS analyzer service. For more
    > information on this free incident handling, management and tracking system
    > please see: http://aris.securityfocus.com
    > 
    > 
    > 
    
    
    
    
    
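The thread makes two points a triage script can encode: Mark's file-system pattern (over a million deleted zero-byte files sharing one last-access date, plus a few very large deleted .WIP files in the root of C:) and Robert's caveat that names such as Shred.exe or Wipeinfo.exe turn up in a keyword search because a stock Windows 9x registry lists them under CheckBadApps, not because the tool was ever installed. The following is an added example written for this archive page; it is not code from the list or from any poster. The record fields, the hive file names and the thresholds are assumptions, and the sample listing and keyword hits are constructed to resemble an exported file list rather than any real EnCase export.

```python
"""Triage helpers for the two observations in this thread (added example).

1. Flag the wiping-like pattern Mark describes: a burst of deleted zero-byte
   files on one last-access date, and large deleted .WIP files in the root.
2. Separate keyword hits that merely reflect the CheckBadApps registry entry
   (Robert's caveat) from hits that still need examiner review.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date

# Names Robert reports seeing under
# HKLM\System\CurrentControlSet\Control\Session Manager\CheckBadApps
CHECKBADAPPS_NAMES = {"shred.exe", "wipeinfo.exe", "secure.exe"}

# Files holding the Windows 9x registry (assumed names for this example)
REGISTRY_HIVES = {"system.dat", "user.dat"}


@dataclass
class FileRecord:
    path: str            # full path, backslash separated (assumed format)
    size: int            # logical size in bytes
    deleted: bool
    last_accessed: date


@dataclass
class KeywordHit:
    keyword: str
    in_file: str         # file the hit offset falls inside; "" = unallocated


def wipe_indicators(records, zero_byte_threshold=1000, large_min=500_000_000):
    """Return findings matching the pattern described in the thread.

    'zero_byte_bursts': last-access dates on which at least
        zero_byte_threshold deleted zero-byte files were touched.
    'large_wip_files': deleted .WIP files directly under the drive root
        that are at least large_min bytes (candidates for free-space fill).
    Thresholds are assumptions chosen for illustration.
    """
    zero_by_day = Counter(
        r.last_accessed for r in records if r.deleted and r.size == 0
    )
    bursts = {d: n for d, n in zero_by_day.items() if n >= zero_byte_threshold}
    wip = [
        r.path for r in records
        if r.deleted and r.path.lower().endswith(".wip")
        and r.path.count("\\") == 1          # exactly one separator = root
        and r.size >= large_min
    ]
    return {"zero_byte_bursts": bursts, "large_wip_files": sorted(wip)}


def classify_hits(hits):
    """Split hits into (explained_by_registry, needs_review).

    A hit is explained away only when BOTH conditions hold: the keyword is a
    CheckBadApps name and the hit lies inside a registry hive file. A hit in
    unallocated space or in any other file is kept for review.
    """
    registry_only, review = [], []
    for h in hits:
        in_hive = h.in_file.split("\\")[-1].lower() in REGISTRY_HIVES
        if h.keyword.lower() in CHECKBADAPPS_NAMES and in_hive:
            registry_only.append(h)
        else:
            review.append(h)
    return registry_only, review


# Constructed sample data: 1500 zero-byte stubs on one day, one stub on
# another day, three .WIP files (one not in the root), and three keyword hits.
D = date(2003, 7, 1)
SAMPLE_RECORDS = (
    [FileRecord(f"C:\\DOCS\\~{i}.TMP", 0, True, D) for i in range(1500)]
    + [
        FileRecord("C:\\DOCS\\OLD.TXT", 0, True, date(2003, 6, 1)),
        FileRecord("C:\\A.WIP", 1_074_216_960, True, D),
        FileRecord("C:\\B.WIP", 535_478_272, True, D),
        FileRecord("C:\\SUB\\C.WIP", 900_000_000, True, D),   # not in root
        FileRecord("C:\\NOTES.TXT", 12_000, False, D),
    ]
)
SAMPLE_HITS = [
    KeywordHit("Wipeinfo.exe", "C:\\WINDOWS\\SYSTEM.DAT"),  # registry entry
    KeywordHit("Shred.exe", "C:\\WINDOWS\\SYSTEM.DAT"),     # registry entry
    KeywordHit("Wipeinfo.exe", ""),                         # unallocated
]

if __name__ == "__main__":
    print(wipe_indicators(SAMPLE_RECORDS))
    explained, review = classify_hits(SAMPLE_HITS)
    print(len(explained), "hit(s) explained by CheckBadApps;",
          len(review), "hit(s) need review")
```

The registry check is deliberately conjunctive: a wiper name found in unallocated space or in a file other than a hive is still worth looking at, since that is exactly the kind of hit Mark found in slack space of the backup tape.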
    



    This archive was generated by hypermail 2b30 : Mon Jul 14 2003 - 05:38:58 PDT