User forced Defrag

32 Posts
9 Users
0 Likes
2,545 Views
4n6art
(@4n6art)
Posts: 208
Reputable Member
Topic starter
 

Is there a way to tell when a hard drive was defragged by the user. I know XP has some kind of a limited defrag every 3 days or something, but I want to know if this user manually forced a defrag to occur.

Keydet posted a message a while back about UserAssistKeys. Will be looking at that.

Any other suggestions?

Thank you!
-=ART=-

 
Posted : 26/02/2010 1:19 am
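As an added example, not code posted by anyone in this thread: one way to read the UserAssist evidence Keydet referred to. On Windows XP the value names under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count are ROT13-encoded, and each value holds a session id, a run counter that starts at 5, and a FILETIME of the last launch. The registry data below is constructed inline rather than read from a hive, and the names matched are the XP defragmenter components (dfrg.msc, dfrgntfs.exe, dfrgfat.exe, defrag.exe); a hit shows the user launched the tool, nothing more.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Added example for this thread, not code from any poster. It decodes XP-style
# UserAssist values; the data below is constructed, nothing is read from a hive.

# FILETIME counts 100 ns ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# On XP the UserAssist run counter starts at 5, so real launches = raw - 5.
XP_COUNT_OFFSET = 5

# XP defragmenter components: the MMC snap-in the GUI opens, the NTFS and FAT
# engines, and the command-line front end.
DEFRAG_MARKERS = ("dfrg.msc", "dfrgntfs.exe", "dfrgfat.exe", "defrag.exe")


def rot13(text):
    """UserAssist value names are stored ROT13-encoded; ROT13 is its own inverse."""
    return codecs.encode(text, "rot_13")


def filetime_to_datetime(filetime):
    """Convert a 64-bit FILETIME to an aware UTC datetime (microsecond precision)."""
    return _FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(moment):
    """Inverse of filetime_to_datetime; used here only to build the sample data."""
    delta = moment - _FILETIME_EPOCH
    ticks = (delta.days * 86400 + delta.seconds) * 10_000_000
    return ticks + delta.microseconds * 10


def pack_xp_value(session, raw_count, last_run):
    """Lay out the 16-byte XP value: session, raw count, FILETIME, all little-endian."""
    return struct.pack("<IIQ", session, raw_count, datetime_to_filetime(last_run))


def decode_userassist(encoded_name, data):
    """Decode one XP UserAssist value into name, session, launch count and last run."""
    if len(data) < 16:
        raise ValueError("XP UserAssist values are 16 bytes; got %d" % len(data))
    session, raw_count, filetime = struct.unpack("<IIQ", data[:16])
    return {
        "name": rot13(encoded_name),
        "session": session,
        "run_count": max(raw_count - XP_COUNT_OFFSET, 0),
        # A zero FILETIME means the entry was never launched in this profile.
        "last_run": filetime_to_datetime(filetime) if filetime else None,
    }


def find_defrag_entries(values):
    """Return decoded entries whose program path names an XP defragmenter component."""
    hits = []
    for encoded_name, data in values.items():
        entry = decode_userassist(encoded_name, data)
        if any(marker in entry["name"].lower() for marker in DEFRAG_MARKERS):
            hits.append(entry)
    return hits


# Constructed sample: three ROT13-encoded value names with XP-style data.
SAMPLE_VALUES = {
    rot13(r"UEME_RUNPATH:C:\WINDOWS\system32\dfrg.msc"):
        pack_xp_value(0, 7, datetime(2010, 2, 25, 14, 0, tzinfo=timezone.utc)),
    rot13(r"UEME_RUNPATH:C:\Program Files\Internet Explorer\iexplore.exe"):
        pack_xp_value(0, 40, datetime(2010, 2, 26, 9, 30, tzinfo=timezone.utc)),
    rot13(r"UEME_RUNPIDL:%csidl2%\Accessories\Notepad.lnk"):
        pack_xp_value(0, 5, datetime(1601, 1, 1, tzinfo=timezone.utc)),
}

if __name__ == "__main__":
    for entry in find_defrag_entries(SAMPLE_VALUES):
        print(entry["name"], "launched", entry["run_count"],
              "time(s), last at", entry["last_run"])
```

On a real case the dictionary would be filled from an exported Count subkey (value name to raw bytes); the decoder and the filter stay the same. The counter offset and 16-byte layout are the XP conventions, so this is not meant for Vista and later, where the value format differs.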
(@bithead)
Posts: 1206
Noble Member
 

SANS is your friend
De-mystifying Defrag Identifying When Defrag Has Been Used for Anti-Forensics (Part 1 – Windows XP)

 
Posted : 26/02/2010 2:56 am
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Being picky, I would like to point out the conceptual error in the title of the (nice :) ) linked-to article

De-mystifying Defrag Identifying When Defrag Has Been Used for Anti-Forensics (Part 1 – Windows XP)

There is NO way to determine if Defrag "Has Been Used for Anti-Forensics". There may be ways to determine if a user has used defrag, but not the purpose it was used for; defrag is not an esoteric tool, it is a common tool normally used in routine maintenance of a PC.

jaclaz

 
Posted : 26/02/2010 6:02 pm
(@bithead)
Posts: 1206
Noble Member
 

^^Yea. But if SANS did not make security and forensics sound so cool they could not charge nearly as much as they do for training.

 
Posted : 26/02/2010 6:09 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I remember a C.S.I. episode where the investigators find in the suspect's flat, near his laptop, a dustbin with the opened box of a software like "Professional hard disk clearing tool" in it, probably this one:
http://en.wikipedia.org/wiki/Happenstance_(CSI)

…in that case….

mrgreen

jaclaz

 
Posted : 26/02/2010 6:26 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

I think that the title is meant to address the question of whether defrag was run intentionally by the user, or as part of normal system maintenance, as is done by XP.

This is a very valid issue, as well…I've seen questions before asking about deletions that occur following a court order to preserve data. Given the date of the order, any access to the Add/Remove Programs Control Panel applet and/or Defrag/MMC could be construed as being in violation of that order.

Title aside, I would think that this is a very valuable piece, one that we should all be grateful for, rather than bashing an organization or their use of verbiage in a subject.

 
Posted : 26/02/2010 6:35 pm
(@bithead)
Posts: 1206
Noble Member
 

Title aside, I would think that this is a very valuable piece, one that we should all be grateful for, rather than bashing an organization or their use of verbiage in a subject.

My bashing comes strictly from training envy. They keep coming up with great classes, and I keep having to find extra dollars growing on the money tree to pay for it. That said, SANS does provide some great free webinars and is a great resource to the community.

 
Posted : 26/02/2010 6:48 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

I think that the title is meant to address the question of whether defrag was run intentionally by the user, or as part of normal system maintenance, as is done by XP.

Sure, but it could also have been started by the user with the intention of performing PC maintenance, that's the point I was trying to raise.

Once, through the methods illustrated in the article, you know that the defrag was intentionally initiated by the user, you have NO evidence whatsoever he/she was trying to hide anything, or that the user started the defrag for Anti-forensics purposes.

It is not only perfectly legal, but also perfectly normal to periodically defrag a hard disk, let's try not to infer something like

since there is evidence that defrag was manually started then the user had the intention of hiding info by performing Anti-forensic activities

that's all.

:)

jaclaz

 
Posted : 26/02/2010 7:15 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

jaclaz,

I agree with you regarding intention…I guess I simply recognized that and didn't see the need to say anything against either the author or the organization.

 
Posted : 26/02/2010 8:36 pm
4n6art
(@4n6art)
Posts: 208
Reputable Member
Topic starter
 

Thanks Bithead!

I think, as has been pointed out, Counsel is trying to see if the user intentionally started a defrag to possibly hamper the recovery of files from unallocated space.

SANS is your friend
De-mystifying Defrag Identifying When Defrag Has Been Used for Anti-Forensics (Part 1 – Windows XP)

 
Posted : 27/02/2010 9:41 am
Page 1 / 4