We have had to do an analysis of a system, wherein we used EnCase 6.13. Due to the complexities of the case, we were only able to retain reports exported from EC. Our time doing analysis was also very limited, so now we're working after the fact to try to consolidate our findings.
The file list shows multiple entries under Lost Files, wherein the entire file name is a string of the character 'z'. This ranges from zz upwards in the number of characters. Some file names are several strings of z (ie, zzzzzzz.zzzzzzz). Some file extensions are also a string of z (from 2 to 4 in length).
Has anyone seen this before?
If so (or if not), any ideas on a potential cause?
TIA,
LM
This may be an indication of file/disk wiping software. I would look for evidence of these types of programs.
That was one of the parameters of the investigation. We did review installed/uninstalled applications and came up with nothing.
We do know that someone ran regedit recently, and around the same time (same session) opened a command prompt. Could be indicative of some nefarious action, but certainly not conclusive.
In regard to wiping software, have you seen any that default to a file-name overwrite with z? Almost sounds like a Linux type of scenario…
LM
I have recently seen the same string in the file name of zzzzzzzzzzzzzz zzzzzzzzzzzz zzzzzz I did locate a program called "evidence nuker"
Look into CCleaner.
It could be it if I remember it uses Z's.
Hmm, I do certainly see very similar outcome by running CCleaner, thanks for that tidbit.
I'll look into Evidence Nuker as well.
Thanks!
LM
Could be sdelete
To overwrite file names of a file that you delete, SDelete renames the file 26 times, each time replacing each character of the file's name with a successive alphabetic character. For instance, the first rename of "foo.txt" would be to "AAA.AAA".
It runs from as a commandline exe, so you don't need to install it.