I recently worked a case where the person in question had used a commercial anti-forensics tool, namely Evidence Eliminator. The tool was configured for 'maximum' security settings with randomized overwrites 9 times. The ability to link him to the activities in question seemed bleak until I noticed that his personal firewall had logged all web activities & the sites in question.
So no residual artefacts on the PC to link him to the events, but the firewall log recorded all the sessions to the target server, cookies allowed, and also the URLs. It also recorded the times of the sessions, which corroborated the information on the website in question where certain sensitive files were being posted.
Based on the information in his firewall logs we were able to obtain co-operation from an otherwise security-savvy suspect, and later a signed confession. This case was treated as a civil matter - though I wonder if such evidence in the type of scenario would be strong enough for a prosecution?
Just a thought.
Good Work D
One thing that also is found a lot of times after an Evidence Eliminator install or uninstall is Robin Hood. That is the software maker and while searches come up dry sometimes on Evidence Eliminator, you can find entries of Robin Hood.
What was his personal firewall?
Hi armresl,
The personal firewall was Symantec Client Security ver 3.0 - I need to do a few tests & check with other firewalls too, but I assume that Norton Internet Security would have the same data - as they even look the same. Also I didn't look at his Windows Firewall once I had found the data I needed - which in hindsight I should have.
Thanks for the tip on RobinHood.
Regards,