Hello, I'm working on an investigation for a client who is being sued for downloading copyrighted material using uTorrent. I am trying to prove whether or not they did or did not do this. I have not found any evidence they downloaded any files using uTorrent during the timeframe of being accused. But I have found evidence they used a program called Eraser ver. 6.0.8.2273 shortly after receiving the lawsuit papers.
I'm trying to find out if you guys know what kind of artifacts can be found after using this program or programs like it.
Any help would be greatly appreciated. If it helps, the OS in question is Windows 7.
Thanks.
Greetings,
On a tangent, you or the client's lawyer might want to look up "Duty to Preserve".
"The duty to preserve materials arises when a party acquires notice or should know that the materials are relevant to an existing litigation or investigation, or to reasonably anticipated future litigation or investigation."
Failing to preserve can have serious legal repercussions.
-David
Drew,
I'm not familiar with that application, but you will likely find artifacts of the use of the application on the system, particularly in the user's UserAssist key.
Also, as it's Windows 7, I'd strongly recommend mounting any VSCs created prior to the installation of the software and looking at the available files.
Drew, you're representing the defendant being sued by RIAA, MPAA, etc.?
Eraser - is that Heidi software's product? Or East-tec Eraser? Or A N Other?
If Heidi (single-purpose wiping tool), then if it's been used On-Demand to erase files and/or Recycler and/or Free Space, even on single-pass, my experience (with an earlier version) is that no data files will remain.
You might be lucky and find "schedlog.txt" which is created by Heidi's Eraser, if so it may give you some info re when Eraser was run, but not what was wiped.
Otherwise, I agree with all other comments about UserAssist and VSCs.
If it's East-Tec Eraser (multi-purpose tool akin to CCleaner) then the same applies re wiped data files but from a brief encounter I had last year (but didn't get around to doing and documenting empirical testing) then the app may have stored a lot more info on what the configuration settings were as well as a log history of when it was run.
HTH
Thanks for all the replies.
Kovar
Thanks, I'll definitely pass that on to the client.
Keydet89
I'll look at the UserAssist keys for sure. Haven't thought of looking at the shadow copies; have a good tool to recommend for this? Shadow Explorer?
armresl
Yes, I am representing the defendant. But they are not being sued by RIAA or MPAA, they are being sued directly by the production company.
Cults14
Yes, the Eraser used is Heidi's. I'll look for that file. I did find a tasklist file that has some entries pointing to uTorrent, but it's hard to make much sense of them.
Again thanks for all the responses thus far.
Keydet89
I'll look at the UserAssist keys for sure. Haven't thought of looking at the shadow copies; have a good tool to recommend for this? Shadow Explorer?
Go to my blog and search for vhdtool…
To follow along David's question…have you been listed or disclosed as an expert on this matter to the plaintiff?
But I have found evidence they used a program called Eraser ver. 6.0.8.2273 shortly after receiving the lawsuit papers.
I'm trying to find out if you guys know what kind of artifacts can be found after using this program or programs like it.
Have you acquired an image of the drive? I get the sense you may not have one.
Anyway, wipe utilities do leave a trace. I can speak of Eraser artifacts analyzed with EnCase. Eraser leaves a very distinct fingerprint: false $MFT records, random filenames in the Lost Files folder.
The last time I examined a computer on which Eraser had been used, it had wiped the files and the MFT entries, but left the entries in the $I30's, so you may be able to piece together a few filenames and dates from those.
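Added example, not part of any post in this thread: a minimal decoder for the Windows 7 UserAssist values that several replies above recommend checking. It assumes the commonly documented Windows 7 layout (ROT13-encoded value name, 72-byte data with the run count at offset 4 and the last-run FILETIME at offset 60); the sample entry, its path and its timestamp are constructed for illustration.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_utc(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    if ft == 0:
        return None  # never executed, or timestamp cleared
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_userassist(value_name, data):
    """Decode one value from NTUSER.DAT ...\\Explorer\\UserAssist\\{GUID}\\Count."""
    name = codecs.decode(value_name, "rot_13")  # value names are ROT13 on disk
    if len(data) != 72:
        # Older Windows versions use a different, shorter layout: do not guess.
        return {"name": name, "run_count": None, "last_run": None}
    (run_count,) = struct.unpack_from("<I", data, 4)
    (last_run,) = struct.unpack_from("<Q", data, 60)
    return {"name": name, "run_count": run_count,
            "last_run": filetime_to_utc(last_run)}

def constructed_sample():
    """Build a constructed (not real) UserAssist entry for a wiping tool."""
    path = r"C:\Tools\Eraser\Eraser.exe"           # hypothetical install path
    when = datetime(2011, 3, 1, 12, 0, tzinfo=timezone.utc)  # constructed date
    filetime = ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    data = bytearray(72)
    struct.pack_into("<I", data, 4, 3)             # run count = 3
    struct.pack_into("<Q", data, 60, filetime)     # last execution time
    return codecs.encode(path, "rot_13"), bytes(data)

def find_runs(entries, keyword):
    """Return decoded entries whose program path contains keyword."""
    decoded = (parse_userassist(n, d) for n, d in entries)
    return [e for e in decoded if keyword.lower() in e["name"].lower()]

if __name__ == "__main__":
    for hit in find_runs([constructed_sample()], "eraser"):
        print(hit["name"], hit["run_count"], hit["last_run"])
```

The last-run time is only the most recent execution; comparing it against the date the lawsuit papers were served, and against the same key in hives recovered from earlier volume shadow copies, gives the timeline.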