More on possible remnants of wiping ..
From: Mark G. Spencer <mspencer(at)evidentdata.com>
Date: Wed Jul 09 2003 - 15:48:56 EDT
Since my last post regarding possible remnants of wiping I have performed additional review on the 19.1gb drive, and here's what I know:

There are 1,127,971 deleted 0-byte files, all last accessed on the same day, dispersed through every folder of the hard drive. I'm using EnCase for this review, which reports each of these files as "File, Invalid Cluster, Deleted, Hidden, Archive."

Also on the same day, there are 5 deleted files with the extension .WIP. Four of the files are 1,074,216,960 bytes in size, one is 535,478,272 bytes. These five files were located in the root of the C: partition. EnCase reports "File, Deleted, Overwritten, Hidden, Archive" for these five files.

I have keyword searched the drive with terms I've had great success with in the past, such as "evidence", "wiping", "gutman", etc. No luck. In addition, I reviewed the event logs and registry and have found nothing of interest. I recently got a suggestion (Thanks Alan!) to search through the swap file to see if any unusual .DLLs were called. I'm going to check that out today.

I'm hoping someone may recognize this type of activity as being consistent with a certain application? While it appears to be remnants of wiping activity, I'm not convinced that it certainly is. I have exported the filenames to a compressed text file if anyone is curious to see what they look like.

Thanks for the suggestions!
Mark G. Spencer
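The two observations in the post (a burst of deleted zero-byte files sharing one last-accessed date across every directory, and a handful of very large deleted files in the volume root) are exactly the kind of pattern a reviewer can check mechanically once the file listing has been exported from the forensic tool. The script below is an added example and is not code from the original post or from EnCase; it assumes the listing is available as records with path, size, deleted flag and last-accessed date, and every path, date, size threshold and directory count in it is constructed for illustration.

```python
"""Heuristic triage of an exported file-system listing for two patterns that
are consistent with (but not proof of) free-space or slack-space wiping.

Added example, not code from the original post.  Assumes the listing has been
exported from the forensic tool as (path, size, deleted, last_accessed)
records.  All sample data and thresholds below are constructed.
"""
import posixpath
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Entry:
    path: str           # forward slashes for simplicity, e.g. "C:/Windows/x.dat"
    size: int           # logical size in bytes
    deleted: bool       # True if the record is deleted / unallocated
    last_accessed: date


def wipe_indicators(entries, min_zero_byte=100, min_dirs=10,
                    large_threshold=256 * 1024 * 1024):
    """Return (bursts, large_root).

    bursts:     {day: {"count": n, "dirs": d}} for each day on which at least
                min_zero_byte deleted zero-byte files, spread over at least
                min_dirs directories, share the same last-accessed date.
                Creating and deleting one tiny file per directory is how some
                tools scrub directory entries, so a burst like this is worth
                explaining rather than dismissing.
    large_root: {day: Counter(extension -> count)} of deleted files in the
                volume root that are at least large_threshold bytes.  Filling
                the root with huge temporary files and deleting them is the
                usual footprint of a free-space wipe.
    """
    zero_by_day = defaultdict(list)
    large_by_day = defaultdict(Counter)
    for e in entries:
        if not e.deleted:
            continue
        parent = posixpath.dirname(e.path)
        if e.size == 0:
            zero_by_day[e.last_accessed].append(parent)
        elif e.size >= large_threshold and parent.endswith(":"):
            ext = posixpath.splitext(e.path)[1].lower()
            large_by_day[e.last_accessed][ext] += 1

    bursts = {}
    for day, parents in zero_by_day.items():
        dirs = set(parents)
        if len(parents) >= min_zero_byte and len(dirs) >= min_dirs:
            bursts[day] = {"count": len(parents), "dirs": len(dirs)}
    return bursts, dict(large_by_day)


def build_sample_listing():
    """Constructed listing modelled on the shape described in the post."""
    suspect_day = date(2003, 7, 1)          # placeholder date, not from the case
    entries = []
    # 300 deleted zero-byte files, ten in each of 30 directories, one shared date
    for d in range(30):
        for i in range(10):
            entries.append(Entry(f"C:/dir{d:02d}/~{i:04d}.tmp", 0, True, suspect_day))
    # three large deleted .WIP files in the root on the same day
    for i in range(3):
        entries.append(Entry(f"C:/{i}.WIP", 1_074_216_960, True, suspect_day))
    # ordinary live files on other days; these must not trigger anything
    for i in range(50):
        entries.append(Entry(f"C:/Users/docs/report{i}.doc", 4096 * (i + 1),
                             False, date(2003, 6, 1 + i % 28)))
    # a lone deleted zero-byte file and a large live file: also not indicators
    entries.append(Entry("C:/old.log", 0, True, date(2003, 5, 3)))
    entries.append(Entry("C:/pagefile.sys", 512 * 1024 * 1024, False, suspect_day))
    return entries


def triage_report(entries):
    """Human-readable lines, one per indicator, for the reviewer's notes."""
    bursts, large_root = wipe_indicators(entries)
    lines = []
    for day, info in sorted(bursts.items()):
        lines.append(f"{day}: {info['count']} deleted zero-byte files "
                     f"across {info['dirs']} directories")
    for day, exts in sorted(large_root.items()):
        detail = ", ".join(f"{n} x {ext or '(no ext)'}" for ext, n in exts.most_common())
        lines.append(f"{day}: large deleted files in volume root: {detail}")
    return lines


if __name__ == "__main__":
    for line in triage_report(build_sample_listing()):
        print(line)
```

Both indicators are deliberately reported per day, because the thing that made the post's observations suspicious was not any one file but that the zero-byte burst and the .WIP files share a single date; a matching event-log, registry or swap-file artefact from that same day is what turns the pattern into an identification of the tool.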
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Wed Jul 9 19:56:31 2003