I am currently working on a CP case involving over two thousand images and need some advice based on some evidence of wiping I have found. AOL and data wiping are new ground for me so any advice would be appreciated. Please bear with me and I'll try to explain the circumstances as best as I can. The OS is WIN XP SP2.
Although some images are saved on the drive, I have found most of them in temp Internet files and unallocated space. This case was brought to our attention by a computer repair business that was asked to repair the machine, so many of the last accessed dates of the files are of no use. When the machine was taken in for repair, the owner stated that there was pornography on the computer and claimed that a past roommate must have downloaded it from the internet, which makes the time frame(s) and user identity critical. There is a time gap between when the roommate had access to the computer and when the owner took the machine in for repairs. It appears that this machine was used for very little other than the Internet, and very little Internet use other than pornography.
AOL v9 was at one time installed and at some point removed. A number of AOL files are still on the drive, including a number of files that contain text relating to the focus of the case. FTK refers to these as "AOL Textual Items", similar to newsgroup folders. In viewing these items with FTK the URL appears, along with a prefix of either "AOLHL" or "AOLHP". What does this prefix refer to? I can find no AOL screen names, emails or any other information referring to an individual using AOL.
The user(s) also has Norton Ghost, Internet Security and SystemWorks installed at a user-defined location on the drive, not in Program Files. I also don't find any references to Symantec or Norton anywhere under the user/profile folders under Docs and Settings. Each of the Norton folders is loaded with files that are unknown to me. Are any of these files of any use forensically? I.e., if I can determine that there was a lot of wiping activity that took place the day before the computer was taken in for repairs, that may be significant for the case.
Last but not least are registry entries that relate to Norton. Using FTK's registry viewer I found the following entries:
….\New Folder\Stuff\Programs\nortonsystemworks\NU\NDD32.DAT
….\New Folder\Stuff\Programs\nortonsystemworks\NU\NDD32.NT
….\New Folder\Stuff\Programs\nortonsystemworks\NU\OPTWIZ.DAT
….\New Folder\Stuff\Programs\nortonsystemworks\NU\UE32.DAT
….\New Folder\Stuff\Programs\nortonsystemworks\NU\WINDOC.DAT
….\New Folder\Stuff\Programs\nortonsystemworks\NU\WINDOC.NT
….\New Folder\Stuff\Programs\nortonsystemworks\NU\WIPEINFO.DAT
….\New Folder\Stuff\Programs\nortonsystemworks\NU\WIPEINFO.NT
….\New Folder\Stuff\Programs\nortonsystemworks\NU\WIPINFNT.NT
None have any written times in FTK and I am unable to make any sense out of the entries, specifically the WIPEINFO entries.
I realize that this is a very general post, but I am looking for any advice on what else to look for, such as log files, that may help me identify a time frame on some of the wiping activity. Any help is greatly appreciated!!
I am currently working on a CP case involving over two thousand images and need some advice based on some evidence of wiping I have found. AOL and data wiping are new ground for me so any advice would be appreciated. Please bear with me and I'll try to explain the circumstances as best as I can. The OS is WIN XP SP2.
First off, let me say thanks and good job for providing the OS information up front. There are a good number of experienced folks who don't bother to provide that, and get offended when you ask them for it.
Some thoughts on some things that may help you with your search…
Examine the Internet history…I've used ProDiscover for this, b/c it's very simple and straightforward, but another option may be to mount the image of the drive with Mount Image Pro (if you've got only EnCase *.E01 files), or VDKWin, and then use WebHistorian from Mandiant to parse through the Internet History.
Image files need to be viewed using some kind of viewer, so check the NTUSER.DAT files for any and all profiles on the system. Start with things like the RecentDocs and UserAssist keys, looking for file extensions and names, and applications installed or launched, respectively. Also, for viewing applications that may have been used or run, check the Prefetch directory, as well…even though that's not user specific, it will still give you a timeframe. If the viewing application is something like Windows Media Player (ie, movies), then you may get lucky with MRU lists…the lastwrite time on the key tells you when the most recent file in the MRU list was viewed, giving you additional timeline info.
As far as the wiping activity, I'd look for the same sorts of things…UserAssist, Prefetch, etc.
HTH,
H
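As an added example (not Harlan's code, and not a tool mentioned in the thread) of what the UserAssist values he recommends look like once decoded: on XP the value names under the UserAssist Count subkeys are ROT13-encoded, and the 16-byte data holds a session id, a run count stored with an offset of 5, and a FILETIME of the last run. The two sample values below are constructed (the second path is a hypothetical .EXE under the Norton folder from the post), not data from the case.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

def filetime_to_iso(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an ISO 8601 string."""
    return (datetime(1601, 1, 1, tzinfo=timezone.utc)
            + timedelta(microseconds=ft // 10)).isoformat()

def decode_userassist_value(name, data):
    """Decode one XP UserAssist Count value.

    name: the ROT13-encoded value name as found in NTUSER.DAT.
    data: the 16-byte REG_BINARY payload: session id, run count (+5), FILETIME.
    Returns (path, run_count, last_run_iso); count and time are None when the data
    is not the 16-byte XP layout (Vista and later use a different layout, not handled).
    """
    path = codecs.decode(name, "rot13")
    if len(data) != 16:
        return path, None, None
    _session, count, ft = struct.unpack("<IIQ", data)
    count = max(count - 5, 0)                      # XP stores the counter offset by 5
    last_run = filetime_to_iso(ft) if ft else None  # zero FILETIME: no run recorded
    return path, count, last_run

def userassist_timeline(values):
    """Decode a dict of {value_name: data} and order entries by last run, newest first."""
    decoded = [decode_userassist_value(n, d) for n, d in values.items()]
    return sorted(decoded, key=lambda e: e[2] or "", reverse=True)

# Constructed sample values (hypothetical, not from the thread).
# 128121264000000000 is the FILETIME for 2007-01-01 12:00:00 UTC; the second entry
# is one day (864000000000 ticks) later. Stored counts 8 and 6 mean 3 and 1 runs.
SAMPLE_VALUES = {
    "HRZR_EHACNGU:P:\\Cebtenz Svyrf\\Jvaqbjf Zrqvn Cynlre\\jzcynlre.rkr":
        struct.pack("<IIQ", 1, 8, 128121264000000000),
    "HRZR_EHACNGU:P:\\Arj Sbyqre\\Fghss\\Cebtenzf\\abegbaflfgrzjbexf\\AH\\JVCRVASB.RKR":
        struct.pack("<IIQ", 1, 6, 128121264000000000 + 864000000000),
}

if __name__ == "__main__":
    for path, count, last in userassist_timeline(SAMPLE_VALUES):
        print(f"{last}  runs={count}  {path}")
```

The ordered output is the "timeframe" Harlan refers to: the newest entries show which viewing or wiping application was launched last, and when.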
Hi Nick,
bit of a left field response but as you mentioned times being critical …
you could possibly deduce the user at the PC by using a timeline of other data which are exclusive to a particular user.
The defence "but anyone could have used my login as the password is blank/password/common-knowledge/was-already-logged-in" could be challenged if you find documents, such as personal Hotmail accounts, or other documents that have been accessed in the same timeframe. It often can't be said that "another user could have logged in…" as private logins/passwords and content are usually specific to an individual.
Another line may be to check if you can find evidence of subscription to other sites (porn) as login/pass may indicate a particular user, or if in slack space / cache you find evidence of "Welcome to our website John Smith…. your subscription" etc.
IIRC some plugins / progs can parse text for credit card formats. Another paydirt hit.
WRT the photos, maybe check the EXIF data.
It's a slight possibility that if the miscreant was using the PC to disseminate their own porn there may be details in the headers that indicate times and dates of photos.
WRT the registry, hang around, it's likely you will get some top drawer advice from certain individuals. I simply don't know enough in that arena to give any sort of authoritative advice.
btw what a well formed question, not many take the care to add the relevant detail.
Kern
edit re "hang around": keydet, you're just too darned fast :)
Just a little update on my original post after looking into your suggestions. I've been swamped and haven't been able to follow all of your advice. And before I forget, thank you, both Harlan and Kern, for your responses. Your responses in many of the other posts have been a great help!
In looking at the index.dat files I found a wealth of URLs and dates but have still yet to find paydirt (subscription pages and webmail accounts) mixed in with the time frames of all the CP URLs. I do still have a few more .dat's to look at.
This brings me to another question regarding Norton's wiping programs. Simply put, I have never really spent time testing or playing with them at all. If I have plenty of indicators that he/she/they have been wiping specifically within IE and AOL, why would there still be so many index.dat files with all the URL info still intact? Could it be so simply answered by reasoning that every once in a while he/she/they just forgot to click the right buttons and wipe after a session?
Regular expression searches for credit card numbers and order acknowledgements have also been unfruitful, as have many of my string searches.
However, your advice on the UserAssist and RecentDocs keys may have really helped. I've got a lot to dig through yet but it may really help narrow the time down.
This brings up another question regarding the last write time. In the RecentDocs key I have a LWT of say 2/1/07. In the .wmv folder/key under the RecentDocs key I have a LWT of say 1/1/07, and have only one entry in the .wmv list. Am I correct to assume that the .wmv file was viewed last on 1/1/07 and some other doc was viewed after this, causing the RecentDocs LWT to differ? If so that helps narrow the timeline down drastically.
The next problem I have is why the LWT of RecentDocs is 2/1/07 and the last Windows logon time is say 5/1/07?
Thanks again for your help!
If I have plenty of indicators that he/she/they have been wiping specifically within IE and AOL, why would there still be so many index.dat files with all the URL info still intact? Could it be so simply answered by reasoning that every once in a while he/she/they just forgot to click the right buttons and wipe after a session?
I'm not sure what you mean by "wiping…within IE and AOL"…are you referring to doing things like flushing the cache? If so…this doesn't specifically delete the contents of the index.dat files, if memory serves.
This brings up another question regarding the last write time. In the RecentDocs key I have a LWT of say 2/1/07. In the .wmv folder/key under the RecentDocs key I have a LWT of say 1/1/07, and have only one entry in the .wmv list. Am I correct to assume that the .wmv file was viewed last on 1/1/07 and some other doc was viewed after this, causing the RecentDocs LWT to differ? If so that helps narrow the timeline down drastically.
The LWT refers to the last time that the key was written to…writing can be modifying the contents of the key, such as adding a value, modifying a value or deleting a value. The LWT you reference *could be* the date that the .wmv file was viewed…but I would most definitely attempt to corroborate that by locating the viewing application (ie, Windows Media Player, RealPlayer, etc.) and seeing if there is a recent file list or MRU list of some kind.
The next problem I have is why the LWT of RecentDocs is 2/1/07 and the last Windows logon time is say 5/1/07?
Again, it's a matter of understanding how artifacts are created or modified. To be honest, I'm not entirely sure that I see what the question is…
Harlan
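An added example (not Harlan's code, nor any tool from the thread) of how the RecentDocs MRUListEx ordering ties the key's last write time to one particular entry: the first index in MRUListEx is the most recently used value, so when the LWT was produced by adding or promoting an entry, it is that file's access time. The sample key below is constructed, with hypothetical file names and placeholder bytes standing in for the shell-item data that follows each name.

```python
import struct

def parse_mrulistex(data):
    """MRUListEx (REG_BINARY): little-endian DWORD value indices, most recent first,
    terminated by 0xFFFFFFFF. Returns the indices in MRU order."""
    order = []
    for off in range(0, len(data) - 3, 4):
        idx = struct.unpack_from("<I", data, off)[0]
        if idx == 0xFFFFFFFF:
            break
        order.append(idx)
    return order

def recentdocs_filename(data):
    """A numbered RecentDocs value starts with the UTF-16LE file name, NUL-terminated,
    followed by shell-item data that is ignored here."""
    for off in range(0, len(data) - 1, 2):      # scan on 2-byte boundaries only
        if data[off:off + 2] == b"\x00\x00":
            return data[:off].decode("utf-16-le")
    raise ValueError("no UTF-16LE terminator found")

def recentdocs_order(values):
    """values: {value_name: data} for one RecentDocs (sub)key, including 'MRUListEx'.
    Returns file names from most to least recently used. The first name is the entry
    whose addition or promotion most plausibly set the key's LWT; an index with no
    matching value means a value was deleted, which also rewrites the key without
    any new document being opened, which is why the LWT alone needs corroboration."""
    names = []
    for idx in parse_mrulistex(values["MRUListEx"]):
        raw = values.get(str(idx))
        if raw is not None:
            names.append(recentdocs_filename(raw))
    return names

def _entry(name):
    """Build a constructed RecentDocs value: UTF-16LE name + NUL + placeholder shell item."""
    return name.encode("utf-16-le") + b"\x00\x00" + b"\x14\x00\x1f\x00" + b"\x00" * 4

# Constructed sample for a RecentDocs\.wmv subkey (hypothetical file names, not from the case).
SAMPLE_WMV_KEY = {
    "0": _entry("holiday.wmv"),
    "1": _entry("clip2.wmv"),
    "2": _entry("party.wmv"),
    "MRUListEx": struct.pack("<4I", 2, 0, 1, 0xFFFFFFFF),
}

if __name__ == "__main__":
    order = recentdocs_order(SAMPLE_WMV_KEY)
    print("most recent (ties to key LWT):", order[0])
    print("full MRU order:", order)
```

With a single entry in the .wmv subkey, as in the question, the list has one name and the subkey LWT is the best candidate for its last access, subject to the player's own MRU list agreeing.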
I'm not sure what you mean by "wiping…within IE and AOL"…are you referring to doing things like flushing the cache? If so…this doesn't specifically delete the contents of the index.dat files, if memory serves.
Yep, that's exactly what I was referring to. There is such a consistent string of URLs in the index.dat files, covering months, that I was wondering why. The AOL folders and "saved" folders are all wiped clean, along with lots of other folders, so I didn't know if it was simply how Norton conducts the wiping process or if I missed something else.
The LWT refers to the last time that the key was written to…writing can be modifying the contents of the key, such as adding a value, modifying a value or deleting a value.
Again right on the money wrt what I was trying to figure out.
NickJG wrote:
The next problem I have is why the LWT of RecentDocs is 2/1/07 and the last windows logon time is say 5/1/07?
Again, it's a matter of understanding how artifacts are created or modified. To be honest, I'm not entirely sure that I see what the question is…
My concern here is I have found almost no other activity on this computer, other than internet/pornography and music files. No word processing, very little games… etc. Am I seeing the time difference between the LWT in the RecentDocs key and the last Windows write time because for a short unknown time the computer was malfunctioning, or are any of Norton's wiping programs altering the artifacts? I have less experience with Norton than I do with the registry.
Thanks again for your help!
P.S. I know people have said this a thousand times, but I have to buy your book, Harlan. Not just for the registry information, but that alone is worth the price of admission!
Yep, that's exactly what I was referring to. There is such a consistent string of URLs in the index.dat files, covering months, that I was wondering why. The AOL folders and "saved" folders are all wiped clean, along with lots of other folders, so I didn't know if it was simply how Norton conducts the wiping process or if I missed something else.
I guess there's still some kind of assumption that it was Norton wiping that occurred…is this correct?
My concern here is I have found almost no other activity on this computer, other than internet/pornography and music files. No word processing, very little games… etc.
I'm not sure that there's anything really unusual about that. I see very little overall activity on many systems, largely b/c the users seem to stick to a very few activities.
P.S. I know people have said this a thousand times…
And they'll keep saying it, Nick. Seriously! I have no doubt in my mind that there are a great number of "investigations" (both corporate and LE-based) that get turned down every day/week and lead nowhere, simply due to a lack of significant corroborating data, and Registry analysis is never performed. I think I know what the issue is…the vast majority of folks out there doing investigations do not want to have to learn anything - they simply want a GUI with a "find all evidence" button. But that's impossible to create!
When I look at all of the cases where I've used Registry analysis…files have been deleted or wiped from a system, and due to a number of factors (defragging, etc.) nothing useful is retrieved from unallocated space. However, Registry analysis provided me with a wealth of information…download paths for P2P apps, files recently viewed, etc., etc. It's simply amazing that more people aren't looking to the Registry as a source of valuable forensic data.
H