
Determining whether a PC has been used for online poker

23 Posts
9 Users
0 Reactions
1,732 Views
(@hasek747)
Active Member
Joined: 14 years ago
Posts: 10
Topic starter  

Hi guys, first post - nice to be around here!

I am currently handling a case where I need to determine whether a certain computer was used for playing online poker. Any evidence will be helpful, including browser activity or history of installed poker software.

Now, I wanted to start by saying that I am absolutely no specialist in the field of digital forensics; this is the first time I've ever done this, and the only reason I'm responsible for it is that I'm the only person who knows anything beyond how to use Office Word and print documents.

System: Windows 7 Ultimate (x64)

I've done a lot of research and checking online before coming to these forums. Here is what I've done so far:

1. Seems there is no browsing history at all; the browser used is Google Chrome, and it seems that CCleaner and Temporary File Cleaner were used to wipe everything, and a free disk space wipe was performed (based on CCleaner settings, it seems to be 7 passes). Maybe there is some other place to look for history?

2. No RAM dumps - the computer was turned off for the whole night before it was handed over to me.

3. There is no paging file (disabled), no hibernation file (disabled), no system restore points (disabled).

4. No MUI cache to tell if poker software was used.

5. No prefetch files.

6. No event logs.

7. No memory dump file.

This is all I've done so far; I'm sure there is a lot more for me to check. I'd be really grateful for some help!

Thank you,
Mark


(@allend)
Active Member
Joined: 15 years ago
Posts: 17
 

What software are you using to investigate?


(@hasek747)
Active Member
Joined: 14 years ago
Posts: 10
Topic starter  

None, unfortunately; I'm doing everything 'manually,' downloading software as needed on the fly. Is there any software you would recommend for this case? Preferably freeware, or a trial.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

hasek,

Maybe a way to approach this is as follows…how have you determined all of the information in your original post?

Thanks.


(@hasek747)
Active Member
Joined: 14 years ago
Posts: 10
Topic starter  

Hi Keydet,

Here we go:

- RAM dumps: I know for a fact that the computer was off for about 12 hours before being handed to me, so I didn't even check for dumps.

- I didn't find the paging file on the drive and I can see it is disabled in the control panel. Same for hibernation file.

- I tried to restore the system to a former state but no image was found. Then I checked the settings - backups were turned off.

- Used MUICacheView to check the MUI cache - it was empty.

- Checked the event log - it was completely empty. I also found a .bat file on the desktop which I'm positive is used to clear the event log.

- No prefetch files in the Windows\Prefetch directory (viewing hidden files, of course).

- Memory dump file disabled in settings; no file on the hard drive.

- CCleaner has a lot of non-default settings, so I assumed it was regularly used.


(@hasek747)
Active Member
Joined: 14 years ago
Posts: 10
Topic starter  

Oh and I tried to run a file recovery tool and found absolutely nothing of interest.


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Hi Keydet,

Here we go

- RAM dumps I know for a fact that the computer was off for about 12 hours before being handed to me, so I didn't even check for dumps.

- I didn't find the paging file on the drive and I can see it is disabled in the control panel. Same for hibernation file.

- I tried to restore the system to a former state but no image was found. Then I checked the settings - backups were turned off.

So, you booted the system and logged in?

- Used MUI Cache View to check MUI cache - it was empty.

Did you run this from the user account presumably used to play poker?


(@hasek747)
Active Member
Joined: 14 years ago
Posts: 10
Topic starter  

Hi Keydet,

Correct, I booted and logged in.

As for MUICacheView: I tried it in both the Administrator account and the "regular" user account - same result.


4Rensics
(@4rensics)
Reputable Member
Joined: 16 years ago
Posts: 255
 

Unfortunately, with you accessing the PC this way, chances are anything you find will now have new times and dates from when YOU accessed it, not the person who was doing the pokering!

Ideally you want some kind of forensic software, but by the sounds of it I doubt you will be provided with £££s worth of EnCase. Your best bet is to remove the HDD if you can and download FTK Imager from the web (it's free). It might let you see some deleted files if there are any there. Probably your best bet for a cheap, quick look at a system without modifying anything (but I think that's too late now).

Hope this helps


keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Regarding the issues that @4Rensics pointed out…I doubt that the artifacts of playing online poker would be overwritten unless the OP used the same method to play the poker as the user had allegedly done.

However, the method of access does affect what may be found. It sounds as if most of the Windows "anti-forensics" capabilities have been disabled, to some degree…but at the same time, a number of forensic resources may have been impacted by the use of CCleaner.

At this point, I'd suggest doing the following:
1. Stop any work while logged into the system.
2. Locate a resource where an image can be saved, and use FTK Imager to create a DD image of the system (albeit live).
3. Use available tools to perform Registry analysis, looking for UserAssist subkey entries, the existence of gaming/poker software having been installed, etc.

HTH


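Step 3 above points at UserAssist, which is where Windows 7 records which programs a user launched from Explorer, how many times, and when. As an added example (not code from anyone in this thread), the Python below decodes a single UserAssist value: the ROT13 value name and the 72-byte Windows 7 record. The value name and counts are constructed sample data, and the poker program path is hypothetical.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Windows 7 keeps UserAssist data under
# HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count
# ({CEBFF5CD-ACE2-4F4F-9178-9926F41749EA} covers executables). Each value name is a
# ROT13-encoded program path; each value's data is a 72-byte record.
RECORD_LEN = 72
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means never run."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build the constructed sample."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10

def parse_userassist(value_name, data):
    """Decode one UserAssist value into the fields an examiner cares about."""
    if len(data) != RECORD_LEN:
        raise ValueError("unexpected UserAssist record length: %d" % len(data))
    # Win7 layout (little-endian): DWORD session id, DWORD run count, DWORD focus count,
    # DWORD focus time in ms, ten floats, DWORD unknown, QWORD last-run FILETIME at +60.
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "program": codecs.decode(value_name, "rot_13"),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time": timedelta(milliseconds=focus_ms),
        "last_run": filetime_to_datetime(last_run_ft),
    }

def build_sample_record(run_count, focus_count, focus_ms, last_run):
    """Constructed sample record (not real evidence) in the Win7 layout above."""
    body = struct.pack("<IIII", 0, run_count, focus_count, focus_ms) + b"\x00" * 44
    return body + struct.pack("<Q", datetime_to_filetime(last_run)) + b"\x00" * 4

# Constructed example: ROT13 value name for a hypothetical poker client path.
SAMPLE_NAME = r"P:\Cebtenz Svyrf\RknzcyrCbxre\cbxre.rkr"
SAMPLE_DATA = build_sample_record(14, 9, 5_400_000, datetime(2012, 3, 15, 20, 30, tzinfo=timezone.utc))
```

Note that the last-run timestamp is stored in UTC and is only updated when the program is started through Explorer (Start menu, desktop shortcut, double-click), so a clean result does not prove the program was never run.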
Page 1 / 3