Evidence Eliminator

7 Posts
3 Users
0 Likes
676 Views
(@dtaky)
Posts: 7
Active Member
Topic starter
 

I have recently been reviewing a drive image in EnCase and noted that in the recycle bin there is a folder called Evidence Eliminator. In the description field it states "Folder, Deleted, Overwritten".
Does anyone have information on how Evidence Eliminator works, and if so, is there any suggestion on what to do next?

I have looked at the files that I believe were deleted and overwritten with a hex editor and have not detected any kind of pattern that has been written to the hard drive.


 
Posted : 13/06/2012 7:40 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Does anyone have information on how Evidence Eliminator works, and if so, is there any suggestion on what to do next?

What are the goals of your exam?

So far, you mentioned some things that you've found, but what are the goals of the exam itself? Are you trying to show that EE was used?

 
Posted : 13/06/2012 10:11 pm
(@dtaky)
Posts: 7
Active Member
Topic starter
 

The goals of my exam are two-fold.

(1) show if Evidence Eliminator was used
(2) be able to explain how the evidence was removed…I need to be able to explain when EE was run how it in fact deletes and overwrites the files.

I know that the possibility of recovery of data at this point is slim, as the data has been overwritten.

 
Posted : 13/06/2012 10:27 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

(1) show if Evidence Eliminator was used

This goal is pretty trivial, and may be dependent upon the version of Windows that you're analyzing. Data such as Prefetch files, UserAssist, AppCompatCache, and MUICache entries can tell you *if* it was used, as well as when and by whom.

(2) be able to explain how the evidence was removed…I need to be able to explain when EE was run how it in fact deletes and overwrites the files.

This will most likely take some work outside of the acquired image; specifically, a literature search followed by testing and validation on your part.

 
Posted : 13/06/2012 10:33 pm
(@dtaky)
Posts: 7
Active Member
Topic starter
 

Thank you for your assistance, keydet89.

One last question: if I were to run RegRipper, would this tell me if it were run, since UserAssist writes to the registry? (Would it require a specific plugin?)

Again thanks for the info you have provided.

 
Posted : 14/06/2012 12:45 am
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

One last question: if I were to run RegRipper, would this tell me if it were run, since UserAssist writes to the registry? (Would it require a specific plugin?)

Yes, you would need to run the userassist.pl plugin.

 
Posted : 14/06/2012 3:06 am
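The UserAssist artifact that keydet89 points to above (and that RegRipper's userassist.pl plugin reports) is a set of registry values whose names are ROT13-encoded program paths and whose binary data carries a run count and a last-execution FILETIME. The script below is an added illustration, not code from any participant in this thread or from RegRipper: it decodes both the 16-byte Windows XP layout and the 72-byte Windows 7 layout, and then searches the decoded names for a program of interest. The registry values it parses are constructed in the script itself (the GUID prefix and the EE.exe path are hypothetical placeholders), so it runs offline without a hive file.

```python
"""Decode UserAssist registry values the way a forensic parser such as
RegRipper's userassist.pl does: ROT13 the value name, unpack the binary
data, and convert the FILETIME to a UTC timestamp.

The sample values at the bottom are constructed for illustration; the
GUID prefix and program paths are placeholders, not data from a real image.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Windows FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Convert a FILETIME integer to an aware UTC datetime (0 means 'never run')."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    delta = dt - EPOCH_1601
    micros = (delta.days * 86400 + delta.seconds) * 10**6 + delta.microseconds
    return micros * 10


def decode_userassist(value_name: str, data: bytes) -> dict:
    """Parse one UserAssist value into a readable record.

    XP/2003 layout (16 bytes): session id, run count (starts at 5), FILETIME.
    Windows 7+ layout (72 bytes): session id, run count, focus count,
    focus time in ms, ten floats, FILETIME at offset 60, 4 trailing bytes.
    """
    name = codecs.decode(value_name, "rot_13")  # names are ROT13-obfuscated
    if len(data) == 16:
        _session, run_count, ft = struct.unpack("<IIQ", data)
        return {"name": name, "format": "xp",
                "run_count": max(run_count - 5, 0),  # XP counter begins at 5
                "focus_count": None, "focus_time_ms": None,
                "last_run": filetime_to_datetime(ft)}
    if len(data) == 72:
        _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (ft,) = struct.unpack_from("<Q", data, 60)
        return {"name": name, "format": "win7",
                "run_count": run_count, "focus_count": focus_count,
                "focus_time_ms": focus_ms,
                "last_run": filetime_to_datetime(ft)}
    raise ValueError(f"unrecognised UserAssist data length: {len(data)}")


def parse_all(values: Dict[str, bytes]) -> List[dict]:
    """Decode every value in a UserAssist Count subkey."""
    return [decode_userassist(name, data) for name, data in values.items()]


def find_program_runs(values: Dict[str, bytes], needle: str) -> List[dict]:
    """Return decoded entries whose program path contains `needle` (case-insensitive)."""
    needle = needle.lower()
    return [entry for entry in parse_all(values) if needle in entry["name"].lower()]


# ---- constructed sample data (hypothetical paths, not from a real hive) ----
SAMPLE_TIME = datetime(2012, 6, 10, 14, 30, 0, tzinfo=timezone.utc)


def build_win7_value(run_count: int, focus_count: int, focus_ms: int, last_run: datetime) -> bytes:
    head = struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
    return head + b"\x00" * 44 + struct.pack("<Q", datetime_to_filetime(last_run)) + b"\x00" * 4


def build_xp_value(run_count: int, last_run: datetime) -> bytes:
    return struct.pack("<IIQ", 0, run_count + 5, datetime_to_filetime(last_run))


SAMPLE_VALUES: Dict[str, bytes] = {
    codecs.encode(r"{HYPOTHETICAL-GUID}\Evidence Eliminator\EE.exe", "rot_13"):
        build_win7_value(3, 1, 12000, SAMPLE_TIME),
    codecs.encode(r"UEME_RUNPATH:C:\Program Files\Evidence Eliminator\EE.exe", "rot_13"):
        build_xp_value(2, SAMPLE_TIME - timedelta(days=1)),
    codecs.encode(r"{HYPOTHETICAL-GUID}\notepad.exe", "rot_13"):
        build_win7_value(10, 4, 5000, SAMPLE_TIME),
}

if __name__ == "__main__":
    for entry in find_program_runs(SAMPLE_VALUES, "evidence eliminator"):
        print(f"{entry['last_run']}  runs={entry['run_count']:<3} [{entry['format']}] {entry['name']}")
```

On a real exam the value names and data would come from the NTUSER.DAT hive of the user in question (under Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count), so the timestamp and run count tie the execution to a specific account, which is the "when and by whom" keydet89 mentions. The XP counter offset of 5 and the Windows 7 offsets are the only two layouts handled here; other Windows versions would need their own branch.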
(@armresl)
Posts: 1011
Noble Member
 

Several years ago I had a copy of that software and I had regmon and another program hooked up to go through the install process.

EE is very, very thorough in removing traces of itself, at least it was several years ago. All I managed to find was a reference to "Robin Hood Software", which is who makes the product.

I'd give a go at that search string, LIVE search, GREP search, etc.

The company used to write updates on how they were defeating people who work in "the business".

This would be a good time for people who have had luck resurrecting artifacts from EE to lay out what they have found.

 
Posted : 17/06/2012 12:44 am