Has anyone come across a large number of files named
tmpX.dkc
Where X can be a 1 through 4 digit number.
The files are deleted, but not overwritten. Physical and logical size is 0 bytes.
My gut instinct is that it is possibly due to a wiping utility but I need to find out what utility to confirm.
The only thing I can find for a .dkc file extension is that it belongs to Virtue Deskshow Compiler, whatever that may be.
Yeah saw that too but due to the fact that about 240,000 of 346,000 files exhibit this feature, "compiler" doesn't make sense.
Possibly the remnants of an anti-virus or adware scan?
What are the last access times associated with these files - do they fall within a similar time-frame?
> Has anyone come across a large number of files named
> tmpX.dkc
> Where X can be a 1 through 4 digit number.
> The files are deleted, but not overwritten. Physical and logical size is 0 bytes.
> My gut instinct is that it is possibly due to a wiping utility but I need to find out what utility to confirm.
Given the naming convention, I'll assume that they are from a Windows system…what is the complete path? Which OS? Have you checked the file associations on the system?
> Possibly the remnants of an anti-virus or adware scan?
> What are the last access times associated with these files - do they fall within a similar time-frame?
For each file, their created, written and accessed dates are identical. All 240,000 files were created, last written and last accessed in a period of 156 seconds. For example:
tmp0.dkc - created, written, accessed on 1/1/08 11:00:00am
tmp1.dkc - created, written, accessed on 1/1/08 11:00:01am
….
tmp8945.dkc - created, written, accessed on 1/1/08 11:00:35am
> Given the naming convention, I'll assume that they are from a Windows system…what is the complete path? Which OS? Have you checked the file associations on the system?
Windows XP SP2. All files are located in the Encase virtual folder "Lost Files". No sub directories beyond that.
The system has no association for dkc files.
Greg,
With respect to EnCase "Lost Files", I found the following in the EnCase KnowledgeBase
"What is the Lost Files folder?
EnCase has a different method (compared to FAT) for recovering deleted files and folders with NTFS evidence files. When you add an NTFS Evidence file to EnCase, you will notice a folder added automatically to the evidence file in the case view called "Lost Files." In the MFT (Master File Table) in NTFS, all files and folders are marked as a folder or file, and are associated to a "parent."
Suppose you have a folder containing many files. Those files are its "children." For those files to become "lost," you delete them along with the folder itself. You then create a new folder. The entry in the MFT for the old folder is overwritten. So the original "parent" folder and its entry in the MFT are gone. But its "children," while deleted, have not been overwritten, and their entries are still in the MFT. EnCase can then tell what those files are, but there is no longer any record of what folder those files were in. Because of this, all those files (without parent folders anymore) are lumped into the "Lost Files" folder that EnCase creates and places in the Entries view so that you can see those files."
From what you've shared so far with respect to the .dkc files, I'm curious as to the relevance of the files, given that they are 0 bytes in size, but as you say, not overwritten.
I'm quite familiar with the purpose of the Lost Files folder, but thanks for making sure.
The files are of interest, not necessarily relevant. I was tasked with finding any evidence of deletion. The fact that 240,000 out of 349,000 files on the HD exhibit this behavior makes them of interest. Many wiping utilities that I have come across either overwrite a file, set the file size to zero or mess with the cluster information stored in the MFT, then rename the file and finally delete it.
Found a copy of CleanUp! on the computer but I'm not sure yet if this app has caused these files to appear.
> Found a copy of CleanUp! on the computer but I'm not sure yet if this app has caused these files to appear.
Interesting. Too bad you're not able to provide more than just the name…it's something that I, and perhaps others, might like to try.
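
Added example, not part of any post in this thread: a Python sketch of how the pattern described above (zero-byte `tmpX.dkc` entries with identical created/written/accessed times packed into a short window) can be quantified from a file-listing export. The row layout, the `summarize` function and every sample row are constructed for illustration; only the name pattern and the timestamp behaviour come from the thread.

```python
import re
from datetime import datetime

# Name pattern from the thread: tmpX.dkc, X being a 1 to 4 digit number.
NAME_RE = re.compile(r"^tmp(\d{1,4})\.dkc$", re.IGNORECASE)
TS_FMT = "%Y-%m-%d %H:%M:%S"
D = "2008-01-01 "

# Constructed rows: (name, logical size, created, written, accessed).
SAMPLE = [
    ("tmp0.dkc", 0, D + "11:00:00", D + "11:00:00", D + "11:00:00"),
    ("tmp1.dkc", 0, D + "11:00:01", D + "11:00:01", D + "11:00:01"),
    ("tmp2.dkc", 0, D + "11:00:01", D + "11:00:01", D + "11:00:01"),
    ("tmp8945.dkc", 0, D + "11:00:35", D + "11:00:35", D + "11:00:35"),
    ("tmp7.dkc", 512, D + "11:00:02", D + "11:00:02", D + "11:00:02"),    # has data
    ("tmp12345.dkc", 0, D + "11:00:40", D + "11:00:40", D + "11:00:40"),  # 5 digits
    ("tmp9.dkc", 0, D + "11:00:03", D + "11:00:03", D + "12:30:00"),      # accessed later
    ("report.doc", 24576, "2007-11-03 09:12:44", "2007-12-20 16:01:10",
     "2007-12-28 08:30:02"),
]


def summarize(rows):
    """Stats for zero-byte tmpX.dkc rows whose three timestamps are identical."""
    hits = []
    for name, size, created, written, accessed in rows:
        m = NAME_RE.match(name)
        if m and size == 0 and created == written == accessed:
            hits.append((int(m.group(1)), datetime.strptime(created, TS_FMT)))
    if not hits:
        return None
    hits.sort()  # order by the counter embedded in the file name
    times = [t for _, t in hits]
    return {
        "matches": len(hits),
        "share_of_listing": len(hits) / len(rows),
        "first": min(times), "last": max(times),
        "span_seconds": (max(times) - min(times)).total_seconds(),
        # True when timestamps never go backwards as the counter rises,
        # i.e. the entries look like one sequential automated pass.
        "time_follows_counter": all(a <= b for a, b in zip(times, times[1:])),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

The `first` and `last` values give the window in which to look for other activity, such as a program execution, that lines up with the batch.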