
CCleaner forensics without INI files

Skywalker
(@skywalker)
Active Member

Hello everybody,

 

I suspect CCleaner was executed on a computer whose hard drive acquisition I am analyzing. The program was included in this registry key: "Software\Microsoft\Windows\CurrentVersion\Run", so it seems Windows executed the program when the OS was started, but the files are not deleted until two minutes and three seconds after the execution of CCleaner. It seems it was included in the SOFTWARE hive to be executed because that key is modified AFTER the execution of CCleaner, so I think it was modified as an anti-forensic action to overwrite the registry key's last modification date.

 

I've analyzed the CCleaner installation path and there are no INI files, so I think the user executed the cleaning manually by pressing the "Run" button, after selecting the things he/she wanted to be deleted. What I want to rule out is that CCleaner started to delete things by itself after being executed by Windows and the user ran it.

 

Thanks!!

Topic starter Posted : 24/07/2021 5:59 pm
Bunnysniper
(@bunnysniper)
Active Member
Posted by: @skywalker

I've analyzed the CCleaner installation path and there are no INI files, so I think the user executed the cleaning manually by pressing the "Run" button,

Forget the ini files. Check prefetch and shimcache for executions.

 

regards, Robin

Posted : 26/07/2021 3:47 am
Skywalker
(@skywalker)
Active Member
Posted by: @bunnysniper
Posted by: @skywalker

I've analyzed the CCleaner installation path and there are no INI files, so I think the user executed the cleaning manually by pressing the "Run" button,

Forget the ini files. Check prefetch and shimcache for executions.

 

regards, Robin

Thank you for your response.

 

In fact, I did it, I have checked "Prefetch", but it is not conclusive. Files start to be modified or deleted almost two minutes after CCleaner's file located in the "Prefetch" folder is modified. I need to differentiate between CCleaner starting without cleaning execution and CCleaner execution by a user.

 

Also, I have turned the image into a VDI and executed it by using VirtualBox. The result is that some files are modified and deleted, but now CCleaner's file located in the "Prefetch" folder is modified two minutes after these files are modified or deleted, so it seems CCleaner is executed by Windows after the files are modified or deleted.

 

So, in the evidence I have, CCleaner is executed long before the files are modified or deleted, and in my own execution of the evidence, CCleaner is executed long after the files are modified or deleted.

 

Could it be a script or a bat file created ad hoc? How could I locate it?

 

It's a very difficult situation. Thanks.

 

This post was modified 2 months ago by Skywalker
Topic starter Posted : 28/07/2021 12:36 am
Bunnysniper
(@bunnysniper)
Active Member

@skywalker It seems you lost the overview 🙂

Never mind, happens to me, too. In these cases I go back to the roots and generate a timeline. Plaso has a dedicated prefetch parser, for example, and if you limit the time scale, the output might only be a few MB. Perhaps this makes the correlation of events easier. There might be some more timestamps and artifacts you could have missed.

 

regards, Robin

Posted : 28/07/2021 10:04 am
minime2k9
(@minime2k9)
Active Member

You can determine this using USN Journals; you should see a modification of the prefetch file for ccleaner followed by a large number of deletions (and renames if wiping is used).

https://dl.acm.org/doi/10.1016/j.diin.2013.10.002

Posted : 28/07/2021 2:07 pm
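As an added worked example (not from this thread), the correlation minime2k9 describes: take parsed $UsnJrnl:$J records, find closed writes to the CCleaner prefetch file, and count the deletions and renames that follow each one within a window, reporting the lag to the first of them. The sample records, the prefetch hash suffix and the 150-second default window are constructed assumptions; the reason-flag values are the Windows SDK constants.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# USN reason flags as defined in the Windows SDK (winioctl.h); only those used here.
USN_REASON_DATA_OVERWRITE = 0x00000001
USN_REASON_DATA_EXTEND = 0x00000002
USN_REASON_FILE_DELETE = 0x00000200
USN_REASON_RENAME_OLD_NAME = 0x00001000
USN_REASON_CLOSE = 0x80000000

# One parsed $UsnJrnl:$J entry: TimeStamp as datetime, FileName (name only), Reason bitmask.
UsnRecord = namedtuple("UsnRecord", "timestamp filename reason")

def is_ccleaner_prefetch_write(rec):
    """A closed data write to CCLEANER*.pf is the journal's record of a CCleaner run."""
    name = rec.filename.upper()
    data_written = rec.reason & (USN_REASON_DATA_OVERWRITE | USN_REASON_DATA_EXTEND)
    return (name.startswith("CCLEANER") and name.endswith(".PF")
            and bool(data_written) and bool(rec.reason & USN_REASON_CLOSE))

def correlate(records, window_s=150, min_deletes=10):
    """Per CCleaner prefetch write: deletes/renames in the following window_s seconds,
    lag to the first of them, and whether the burst is big enough to call a cleaning run."""
    records = sorted(records, key=lambda r: r.timestamp)
    hits = []
    for anchor in filter(is_ccleaner_prefetch_write, records):
        end = anchor.timestamp + timedelta(seconds=window_s)
        later = [r for r in records if anchor.timestamp < r.timestamp <= end]
        deletes = sum(1 for r in later if r.reason & USN_REASON_FILE_DELETE)
        renames = sum(1 for r in later if r.reason & USN_REASON_RENAME_OLD_NAME)
        wiped = USN_REASON_FILE_DELETE | USN_REASON_RENAME_OLD_NAME
        first = min((r.timestamp for r in later if r.reason & wiped), default=None)
        hits.append({"prefetch_write": anchor.timestamp, "deletes": deletes, "renames": renames,
                     "lag_s": (first - anchor.timestamp).total_seconds() if first else None,
                     "cleaning_run": deletes >= min_deletes})
    return hits

def sample_records():
    """Constructed $J records (not from the case): a CCleaner prefetch write at boot,
    then a burst of 15 deletes and 3 renames 123 s later."""
    t0 = datetime(2021, 7, 20, 9, 0, 0)
    recs = [UsnRecord(t0, "CCLEANER.EXE-0123ABCD.pf",  # constructed hash suffix
                      USN_REASON_DATA_OVERWRITE | USN_REASON_CLOSE)]
    t1 = t0 + timedelta(seconds=123)
    recs += [UsnRecord(t1 + timedelta(milliseconds=10 * i), f"cache{i}.tmp",
                       USN_REASON_FILE_DELETE | USN_REASON_CLOSE) for i in range(15)]
    recs += [UsnRecord(t1 + timedelta(milliseconds=200 + i), f"old_name{i}.tmp",
                       USN_REASON_RENAME_OLD_NAME) for i in range(3)]
    return recs
```

With the case's own records, a run whose lag sits around 120 s (or a burst with no prefetch write at all) is exactly the gap described earlier in the thread, which is why the window is a parameter rather than a fixed value.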
JerryW
(@jerryw)
Member
Posted by: @skywalker

so I think it was modified as an antiforensic action

It may be worth remembering that whatever the user's intentions, CCleaner isn't an anti-forensic tool. It is used by 'billions' (based on claimed number of downloads) for perfectly bona fide reasons. There would be no reason to build in some deniability. I have reported its presence many times; it is what it is, it may have got rid of some incriminating history records, it may not. Its presence or usage isn't really evidence of anything on its own.

Posted : 28/07/2021 4:29 pm
Skywalker
(@skywalker)
Active Member
Posted by: @minime2k9

You can determine this using USN Journals; you should see a modification of the prefetch file for ccleaner followed by a large number of deletions (and renames if wiping is used).

https://dl.acm.org/doi/10.1016/j.diin.2013.10.002

Hello. Thank you for your answer and also for everyone's answers. I have deeply analyzed the prefetch artifact and there is no correlation between the ccleaner prefetch file's modification and the modification and deletion of files. The modification and deletion of files starts much after or much before the modification and deletion of files, depending on the execution.

Topic starter Posted : 28/07/2021 10:08 pm
giandega
(@giandega)
Active Member

Have you considered a portable CCleaner on a USB drive?

Posted : 03/08/2021 4:30 pm
Skywalker
(@skywalker)
Active Member

The situation now is as follows:

 

-I have turned the DD file into a VDI and executed it several times by using VirtualBox.

-Sometimes, when I run the virtual machine (Windows 7), the information is cleaned and sometimes it is not cleaned, and sometimes CCleaner is executed and sometimes it is not executed (although it is configured to be run at Windows startup). Sometimes the information is even cleaned but CCleaner is not executed. This can be seen by analysing the Prefetch and the $LogFile.

-When the information is cleaned, it is cleaned without any kind of synchronicity with the CCleaner execution. I mean, you can see the CCleaner execution in the Prefetch but files are cleaned several seconds (up to 120 seconds) before or after the CCleaner execution.

-When I uninstall CCleaner the information is never cleaned.

 

I'm lost. Any ideas? Thanks everybody.

Topic starter Posted : 07/08/2021 12:23 am
boydg1
(@boydg1)
New Member

Hi there,

 

VFC (Virtual Forensic Computing) may be able to assist. This will create the image for you, using their many years of experience building these types of OS.

The best way to get in touch with MD5 Ltd is via the following link. If you send them an email for the attention of Tom, he will be able to give you a full, comprehensive demonstration which should show you how this software can help you.

 

https://vfc.uk.com/contact

Posted : 10/08/2021 11:37 am