Is there a way to tell when a hard drive was defragged by the user? I know XP has some kind of limited defrag every 3 days or something, but I want to know if this user manually forced a defrag to occur.
Keydet posted a message a while back about UserAssistKeys. Will be looking at that.
Any other suggestions?
Thank you!
-=ART=-
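The UserAssist approach mentioned above works because, on Windows XP, Explorer records each program launched through the shell under the UserAssist key with a ROT13-encoded value name and a 16-byte value (session id, run count, FILETIME of the last launch; XP stores the count with an offset of 5). The decoder below is an added example, not code from this thread or from SANS; the registry entries it parses are constructed inline for illustration, and the defrag-related name fragments it searches for (`dfrg.msc`, `Disk Defragmenter`) are assumptions about how the Defrag/MMC launch typically appears.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# On XP the stored run count starts at 5, so the real count is stored - 5.
XP_COUNT_OFFSET = 5

# Assumed name fragments that indicate a user-launched defrag (lower-cased).
DEFRAG_MARKERS = ("dfrg.msc", "disk defragmenter")


def filetime_to_datetime(ft):
    """Convert a FILETIME integer to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer math to avoid float loss."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_name(rot13_name):
    """UserAssist value names are ROT13-obfuscated; decode back to the program path."""
    return codecs.decode(rot13_name, "rot_13")


def parse_userassist_xp(name, data):
    """Parse one XP-format UserAssist value; returns None if the data is not 16 bytes."""
    if len(data) != 16:
        return None
    session, stored_count, ft = struct.unpack("<IIQ", data)
    return {
        "program": decode_name(name),
        "session": session,
        "run_count": max(stored_count - XP_COUNT_OFFSET, 0),
        "last_run": filetime_to_datetime(ft) if ft else None,
    }


def find_defrag_launches(entries):
    """Return parsed entries whose program name matches a defrag marker, oldest first."""
    hits = []
    for name, data in entries:
        parsed = parse_userassist_xp(name, data)
        if parsed is None:
            continue
        lowered = parsed["program"].lower()
        if any(marker in lowered for marker in DEFRAG_MARKERS):
            hits.append(parsed)
    return sorted(hits, key=lambda e: e["last_run"] or FILETIME_EPOCH)


def make_xp_entry(program, session, run_count, last_run):
    """Build a constructed (name, data) pair in the XP on-disk layout."""
    return (
        codecs.encode(program, "rot_13"),
        struct.pack("<IIQ", session, run_count + XP_COUNT_OFFSET, datetime_to_filetime(last_run)),
    )


# Constructed sample entries, not taken from a real system.
SAMPLE_ENTRIES = [
    make_xp_entry("UEME_RUNPATH:C:\\WINDOWS\\system32\\notepad.exe", 2, 12,
                  datetime(2010, 3, 14, 10, 0, 0, tzinfo=timezone.utc)),
    make_xp_entry("UEME_RUNPATH:C:\\WINDOWS\\system32\\dfrg.msc", 2, 3,
                  datetime(2010, 3, 14, 9, 26, 53, tzinfo=timezone.utc)),
    make_xp_entry("UEME_RUNPIDL:%csidl2%\\Accessories\\System Tools\\Disk Defragmenter.lnk", 2, 1,
                  datetime(2010, 3, 12, 22, 5, 10, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    for hit in find_defrag_launches(SAMPLE_ENTRIES):
        print(f"{hit['last_run'].isoformat()}  runs={hit['run_count']}  {hit['program']}")
```

Two caveats matter when reading the output. UserAssist keeps only the timestamp of the most recent launch, so an entry proves the user opened the defragmenter at least that once, not how many times or when the earlier runs happened. And, as the discussion below points out, a recorded launch establishes that the user started defrag, not why; the idle-time layout optimization XP performs on its own is not an Explorer launch and will not appear here.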
SANS is your friend
Being picky, I would like to point out the conceptual error in the title of the (nice) linked-to article:
De-mystifying Defrag: Identifying When Defrag Has Been Used for Anti-Forensics (Part 1 – Windows XP)
There is NO way to determine if Defrag "Has Been Used for Anti-Forensics". There may be ways to determine if a user has used defrag, but not the purpose it was used for; defrag is not an esoteric tool, it is a common tool normally used in routine maintenance of a PC.
jaclaz
^^Yea. But if SANS did not make security and forensics sound so cool they could not charge nearly as much as they do for training.
I remember a C.S.I. episode in which the investigators find in the suspect's flat, near his laptop, a dustbin containing the opened box of a software product like "Professional hard disk clearing tool", probably this one:
http//
…in that case….
jaclaz
I think that the title is meant to address the question of whether defrag was run intentionally by the user, or as part of normal system maintenance, as is done by XP.
This is a very valid issue, as well…I've seen questions before asking about deletions that occur following a court order to preserve data. Given the date of the order, any access to the Add/Remove Programs Control Panel applet and/or Defrag/MMC could be construed as being in violation of that order.
Title aside, I would think that this is a very valuable piece, one that we should all be grateful for, rather than bashing an organization or their use of verbiage in a subject.
Title aside, I would think that this is a very valuable piece, one that we should all be grateful for, rather than bashing an organization or their use of verbiage in a subject.
My bashing comes strictly from training envy. They keep coming up with great classes, and I keep having to find extra dollars growing on the money tree to pay for it. That said, SANS does provide some great free webinars and is a great resource to the community.
I think that the title is meant to address the question of whether defrag was run intentionally by the user, or as part of normal system maintenance, as is done by XP.
Sure, but it could also have been started by the user with the intention of performing PC maintenance, that's the point I was trying to raise.
Once, through the methods illustrated in the article, you know that the defrag was intentionally initiated by the user, you have NO evidence whatsoever that he/she was trying to hide anything, or that the user started the defrag for Anti-forensics purposes.
It is not only perfectly legal, but also perfectly normal to periodically defrag a hard disk; let's try not to infer something like
"since there is evidence that defrag was manually started, then the user had the intention of hiding info by performing Anti-forensic activities"
that's all.
jaclaz
jaclaz,
I agree with you regarding intention…I guess I simply recognized that and didn't see the need to say anything against either the author or the organization.
Thanks Bithead!
I think, as has been pointed out, Counsel is trying to see if the user intentionally started a defrag to possibly hamper the recovery of files from unallocated space.