
RE: Remnants of .. Wiping??

From: Donald Voss <voss(at)albany.edu>
Date: Wed Jul 02 2003 - 08:07:40 EDT

Mark,

I have made it a habit to use google when I happen upon an unknown file extension [.wip]

So a search with the string file extension .WIP is http://www.google.com/search?hl=en&ie=UTF-8&oe=UTF-8&q=file+extension+.WIP

We get a few pages of stuff, search in English only here .. Majority show .wip to be a windows installer file type when making install packages with visual basic .. Which might account for the sizes and the repeating random naming .. Someone kept making a package, adjusted it, made it again, etc. They just let the work area build up .wip files .. Hence the amount, naming, sizes.

Also wip is used as a work in progress .. But I would go with the installer material.

Crossed my mind that .wip might stand for some kind of wipe tool .. But the quick short search found no mention of that.

Good luck,


/don



voss at albany.edu
Donald Voss
Systems Analyst
The University at Albany

"No matter how cynical I get, it is impossible to keep up" - Lily Tomlin

-----Original Message-----
From: Mark G. Spencer [mailto:dreadnought@arsenal.net]
Sent: Tuesday, July 01, 2003 2:22 PM
To: forensics@securityfocus.com
Subject: Remnants of .. Wiping??

(Posted to SF Forensics and CFID)

I've investigated cases involving the use of Evidence Eliminator and Z-Delete before and remnants of their installation were readily available. I'm working on a case now where I haven't found any obvious remnants (eectrl.bat and registry entries for EE for example) and am looking for some help ..

I have a system (Win32) with over 1.1 million files created on the same day. These files show up in EnCase as 0 bytes, deleted and overwritten. The filenames are all different, but appear to rotate in a methodical fashion. Three of the files show very large file sizes, between 500meg and 1gig, and the only difference from the other million files (other than filesize being larger) is their extensions, which instead of being unique are all .WIP.

Any ideas? I have not yet gone through the registry key by key, but have done quite a few sorts to try and find suspicious executables accessed on the date in question and have not yet found anything.

Thanks,


Mark
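The file pattern Mark describes (a burst of zero-byte, deleted-and-overwritten entries with rotating names on one creation date, plus a few very large files sharing one extension) can be triaged from a file-table export before going through the registry key by key. The script below is an added example, not code from the thread or from EnCase; the CSV layout, the sample rows and the thresholds are assumptions made for the example.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample in the shape of a file-table export (path, extension,
# size in bytes, creation date, deleted flag, overwritten flag). These rows
# are made up for the example and only mimic the pattern from the thread.
SAMPLE_CSV = """path,ext,size,created,deleted,overwritten
C:\\Windows\\notepad.exe,exe,69120,2002-11-04,N,N
C:\\Docs\\report.doc,doc,45056,2003-05-12,N,N
C:\\Docs\\old.txt,txt,0,2003-05-12,Y,N
C:\\Temp\\aqzx01.k1m,k1m,0,2003-06-14,Y,Y
C:\\Temp\\aqzx02.b7q,b7q,0,2003-06-14,Y,Y
C:\\Temp\\aqzx03.x0d,x0d,0,2003-06-14,Y,Y
C:\\Temp\\aqzx04.p9s,p9s,0,2003-06-14,Y,Y
C:\\Temp\\fill01.WIP,WIP,734003200,2003-06-14,Y,Y
C:\\Temp\\fill02.WIP,WIP,1073741824,2003-06-14,Y,Y
"""


def find_wipe_bursts(csv_text, min_zero_deleted=3, large_bytes=100 * 1024 * 1024):
    """Group entries by creation date and flag days with a burst of zero-byte,
    deleted-and-overwritten files plus large overwritten files on the same day,
    counted per extension. Thresholds are assumptions for this example."""
    per_day = defaultdict(lambda: {"zero": 0, "exts": set(), "large": Counter()})
    for row in csv.DictReader(io.StringIO(csv_text)):
        day = per_day[row["created"]]
        size = int(row["size"])
        wiped = row["deleted"] == "Y" and row["overwritten"] == "Y"
        if wiped and size == 0:
            day["zero"] += 1
            day["exts"].add(row["ext"].lower())   # rotating names => many extensions
        elif wiped and size >= large_bytes:
            day["large"][row["ext"].upper()] += 1  # fill files, e.g. the .WIP trio
    findings = []
    for date, stats in sorted(per_day.items()):
        if stats["zero"] >= min_zero_deleted:
            findings.append({"date": date, "zero_deleted": stats["zero"],
                             "distinct_exts": len(stats["exts"]),
                             "large_by_ext": dict(stats["large"])})
    return findings


if __name__ == "__main__":
    for f in find_wipe_bursts(SAMPLE_CSV):
        print(f"{f['date']}: {f['zero_deleted']} zero-byte overwritten files, "
              f"{f['distinct_exts']} distinct extensions, large files: {f['large_by_ext']}")
```

A flagged date narrows the timeline for sorting executables and registry MRU entries accessed that day, which is the step Mark says he has not yet completed.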



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Wed Jul 2 08:24:24 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:44 EDT

