Hosting Provided By

Remnants of .. Wiping??

From: Mark G. Spencer <dreadnought(at)arsenal.net>
Date: Tue Jul 01 2003 - 14:22:13 EDT

I've investigated cases involving the use of Evidence Eliminator and Z-Delete before and remnants of their installation were readily available. I'm working on a case now where I haven't found any obvious remnants
(eectrl.bat and registry entries for EE for example) and am looking for some
help ..

I have a system (Win32) with over 1.1 million files created on the same day. These files show up in EnCase as 0 bytes, deleted and overwritten. The filenames are all different, but appear to rotate in a methodical fashion. Three of the files show very large file sizes, between 500meg and 1gig and the only difference from the other million files (other than filesize being larger) is their extension, instead of being unique, are all .WIP.

Any ideas? I have not yet gone through the registry key by key, but have done quite a few sorts to try and find suspicious executables accessed on the date in question and have not yet found anything.

Thanks,

Mark

This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com Received on Wed Jul 2 07:35:23 2003

This message: [ Message body ]
Next message: jan.muenther(at)nruns.com: "Re: Remnants of .. Wiping??"
Previous message: Gary L. Palmer: "******* DFRWS Update *******"
In reply to: Tom Bowers: "Re: looking for EFS weaknesses"
Next in thread: Donald Voss: "RE: Remnants of .. Wiping??"
Reply: Donald Voss: "RE: Remnants of .. Wiping??"
Reply: jan.muenther(at)nruns.com: "Re: Remnants of .. Wiping??"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:44 EDT