Possible remnants of wiping .. Solved!
From: Mark G. Spencer <mspencer(at)evidentdata.com>
Date: Mon Jul 14 2003 - 17:44:30 EDT
After combing through the registry (again), I noticed a reference to "East-Tec" .. Turns out East-Tec has a product called "Eraser 2003." There were very few remnants containing "East-Tec" or "Eraser" on the suspect's hard drive (shelliconcache, ntuser.dat), but enough to know that it was at one time installed.

I ran Eraser 2003 against my dummy image and reviewed the drive. There were a series of deleted .WIP files with 1GB+ file sizes, the sum of which was nearly equivalent to the free space on my dummy drive. Going back to the suspect drive, I see the .WIP files correspond to the suspect's free space in the same fashion. I have submitted the .WIP file extension information to www.filext.com in the event anyone else runs into this.

On a side note, the Initialize Case EnScript for EnCase came in useful here as well. Taking a quick look through the registry keys this script mounts resulted in finding drivers installed for two different USB devices I had not known about earlier. I wouldn't be surprised to find Eraser 2003 on one of them, if I ever find the devices. ;)

Mark G. Spencer
Direct Fax: 508.256.0463
Office Fax: 909.948.4365
Web: http://www.evidentdata.com

-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Mon Jul 14 18:17:30 2003
This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:44 EDT
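
The pattern described in the message above (deleted .WIP files of 1 GB or more whose combined size is close to the volume's free space) can be checked mechanically over a file listing. This is an added example, not part of the original post; the `Entry` record layout, the function names, the 10% tolerance and the sample listing are assumptions made for illustration.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

GIB = 1024 ** 3


@dataclass(frozen=True)
class Entry:
    path: str      # full path as exported from the forensic tool
    size: int      # logical size in bytes
    deleted: bool  # True if the directory entry is marked deleted


def wipe_candidates(entries, ext=".wip", min_size=GIB):
    """Deleted entries with the given extension, at or above min_size."""
    return [e for e in entries
            if e.deleted and e.size >= min_size
            and PureWindowsPath(e.path).suffix.lower() == ext]


def assess_free_space_wipe(entries, free_bytes, tolerance=0.10):
    """Compare the candidates' summed size with the volume's free space.

    tolerance is an assumed cut-off; calibrate it on a test image.
    """
    if free_bytes <= 0:
        raise ValueError("free_bytes must be positive")
    hits = wipe_candidates(entries)
    total = sum(e.size for e in hits)
    coverage = total / free_bytes
    return {
        "count": len(hits),
        "total_bytes": total,
        "coverage": round(coverage, 3),
        "consistent_with_wipe": bool(hits) and abs(1 - coverage) <= tolerance,
    }


# Constructed sample listing (names and sizes invented for illustration).
SAMPLE = [
    Entry(r"C:\SAMPLE01.WIP", 2 * GIB, True),
    Entry(r"C:\SAMPLE02.WIP", 2 * GIB, True),
    Entry(r"C:\SAMPLE03.WIP", 2 * GIB, True),
    Entry(r"C:\SAMPLE04.WIP", 1 * GIB, True),
    Entry(r"C:\Temp\live.wip", 2 * GIB, False),   # not deleted: ignored
    Entry(r"C:\Docs\report.doc", 40960, True),    # wrong extension: ignored
]

if __name__ == "__main__":
    print(assess_free_space_wipe(SAMPLE, free_bytes=int(7.2 * GIB)))
```

A positive result only says the listing matches the pattern; the installation remnants mentioned in the post are still needed to tie it to a specific tool.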