Need help finding deleted program data.  

pizzmor
(@pizzmor)
New Member

Ok, so here is my dilemma. I am working a case using FTK 3.3 on a 64 bit install of W7 pro. The guy I am investigating was an IT supervisor at my agency and has since resigned, so I don't have access to him in terms of another interview, so he had some skills above the usual user.

I was hitting the usual registry locations and found a regedit command in the runmru of the NTUSER.DAT file, so I know he was editing the registry before we were able to get his laptop out of his possession. He also cleared all of his temp. internet and other internet related cache locations, so that is a lost bit for me.

Now the accusation here is that he was converting native files to .pdf's that a contractor was supposed to have been converting and getting kickbacks from the contractor. I have located several .exe command files carved from unallocated space showing "xyzprogram.exe" and some associated .dll files, but not much else.

So I guess my question here is without knowing exactly what this guy did before we got to his machine, what else is there to find showing proof a program was installed and used for its specific purpose, which in this case was a .pdf conversion program.

Any and all help is appreciated. Thanks in advance.

Posted : 11/05/2012 4:29 am
Passmark
(@passmark)
Active Member

Can you get a copy of one of the PDF files from the contractor, or from E-mail?

Inside the PDF file there will be document meta data that will probably tell you which tool was used to create the PDF file. Would be even funnier if the PDF was signed. In some cases you can also get the name of the original source document.

Then you'll know what tool you are looking for. But note that newer versions of Word can directly create PDF files, as can the Chrome browser and several other apps. So maybe the tool used is in plain sight?

Once you know the tool used, you can setup a clean VM, install the tool, use the tool, uninstall the tool, then do a before and after comparison of the registry and the file system to work out what files are left sitting around. There are almost always files or registry entries left over after doing an uninstall.

Posted : 11/05/2012 9:31 am
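Added example (mine, not Passmark's or the original poster's): a small stdlib-only reader for the two places a converter normally writes its own name into a PDF, the /Info dictionary (Creator, Producer, dates) and the XMP packet (xmp:CreatorTool, pdf:Producer). The PDF bytes are constructed here for illustration; the xref table and stream length are left out because the reader does not rely on them. It also flags when /Info and XMP disagree, which is worth noting because the two are written by different code paths and an edited /Info often leaves XMP untouched.

```python
import re

# Constructed sample PDF (not a file from the case): an Info dictionary plus an
# XMP metadata stream, the two places a converter leaves its name. The xref
# table and stream /Length are omitted because this parser does not need them.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj
<< /Type /Catalog /Pages 2 0 R /Metadata 4 0 R >>
endobj
2 0 obj
<< /Type /Pages /Kids [] /Count 0 >>
endobj
3 0 obj
<< /Title (Invoice 0042) /Author (J. Doe) /Creator (Microsoft Word)
   /Producer (ExamplePDF Converter 2.1) /CreationDate (D:20120504153000+02'00') >>
endobj
4 0 obj
<< /Type /Metadata /Subtype /XML >>
stream
<?xpacket begin="" id="W5M0MpCehiHzreSzNTczkc9d"?>
<x:xmpmeta xmlns:x="adobe:ns:meta/">
 <rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#">
  <rdf:Description xmlns:xmp="http://ns.adobe.com/xap/1.0/"
      xmlns:pdf="http://ns.adobe.com/pdf/1.3/"
      xmp:CreatorTool="Microsoft Word"
      pdf:Producer="ExamplePDF Converter 2.1"/>
 </rdf:RDF>
</x:xmpmeta>
<?xpacket end="w"?>
endstream
endobj
trailer
<< /Root 1 0 R /Info 3 0 R >>
%%EOF
"""

INFO_KEYS = ("Title", "Author", "Creator", "Producer", "CreationDate", "ModDate")


def _decode_pdf_string(raw: bytes) -> str:
    """Unwrap simple backslash escapes, then decode (UTF-16BE if BOM present)."""
    raw = re.sub(rb"\\(.)", rb"\1", raw)
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be", errors="replace")
    return raw.decode("latin-1")


def extract_info_dict(pdf: bytes) -> dict:
    """Pull /Key (literal) or /Key <hex> pairs for the usual Info keys."""
    found = {}
    for key in INFO_KEYS:
        pattern = rb"/" + key.encode() + rb"\s*(?:\(((?:\\.|[^\\)])*)\)|<([0-9A-Fa-f\s]+)>)"
        m = re.search(pattern, pdf)
        if not m:
            continue
        if m.group(1) is not None:
            found[key] = _decode_pdf_string(m.group(1))
        else:
            found[key] = _decode_pdf_string(bytes.fromhex(m.group(2).decode("ascii")))
    return found


def extract_xmp(pdf: bytes) -> dict:
    """Read CreatorTool/Producer/dates from the XMP packet, as attributes or elements."""
    start = pdf.find(b"<?xpacket begin")
    end = pdf.find(b"<?xpacket end", start)
    if start < 0 or end < 0:
        return {}
    xmp = pdf[start:end].decode("utf-8", errors="replace")
    out = {}
    for tag in ("xmp:CreatorTool", "pdf:Producer", "xmp:CreateDate", "xmp:ModifyDate"):
        m = re.search(re.escape(tag) + r'="([^"]*)"', xmp) or \
            re.search(r"<" + re.escape(tag) + r">([^<]*)</", xmp)
        if m:
            out[tag] = m.group(1)
    return out


def producer_summary(pdf: bytes) -> dict:
    """Combine both sources; 'consistent' is None when only one source names a producer."""
    info, xmp = extract_info_dict(pdf), extract_xmp(pdf)
    both = info.get("Producer") is not None and xmp.get("pdf:Producer") is not None
    return {
        "creator": info.get("Creator") or xmp.get("xmp:CreatorTool"),
        "producer": info.get("Producer") or xmp.get("pdf:Producer"),
        "title": info.get("Title"),
        "created": info.get("CreationDate") or xmp.get("xmp:CreateDate"),
        "consistent": (info["Producer"] == xmp["pdf:Producer"]) if both else None,
    }


if __name__ == "__main__":
    for k, v in producer_summary(SAMPLE_PDF).items():
        print(f"{k:12} {v}")
```

Run it against a real PDF with `producer_summary(open(path, "rb").read())`; incremental updates can leave several /Info dictionaries in one file, and this reader only reports the first match, so on an updated file check the last one too.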
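Added example for the clean-VM install/uninstall comparison Passmark describes (my code, not from the post): take a file-system snapshot before install, after install, and after uninstall, then report what the installer created and what the uninstaller left behind. The directory tree, file names (including the "xyzprogram.exe" name from the original post) and contents are constructed in a temp directory purely to show the mechanics.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path


def snapshot(root) -> dict:
    """Map each relative path under root to (size, sha256), or ("dir", None) for directories."""
    root = Path(root)
    records = {}
    for p in sorted(root.rglob("*")):
        rel = p.relative_to(root).as_posix()
        if p.is_dir():
            records[rel] = ("dir", None)
        elif p.is_file():
            h = hashlib.sha256()
            with p.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            records[rel] = (p.stat().st_size, h.hexdigest())
    return records


def diff_snapshots(before: dict, after: dict) -> dict:
    """Paths added, removed, or whose size/hash changed between two snapshots."""
    return {
        "added": sorted(k for k in after if k not in before),
        "removed": sorted(k for k in before if k not in after),
        "modified": sorted(k for k in before if k in after and before[k] != after[k]),
    }


def leftover_report(clean: dict, installed: dict, uninstalled: dict) -> dict:
    """What the install created, and which of that survived the uninstall.

    'uninstall_left_behind' is the residue worth searching for on evidence;
    'still_modified' catches shared files the installer changed and never restored.
    """
    install = diff_snapshots(clean, installed)
    after_uninstall = diff_snapshots(clean, uninstalled)
    created = set(install["added"])
    return {
        "install_created": install["added"],
        "uninstall_left_behind": [p for p in after_uninstall["added"] if p in created],
        "still_modified": after_uninstall["modified"],
        "unexpected_removed": after_uninstall["removed"],
    }


def demo() -> dict:
    """Constructed walk-through: clean tree -> fake install -> fake uninstall."""
    with tempfile.TemporaryDirectory() as td:
        root = Path(td)
        (root / "Windows").mkdir()
        (root / "Windows" / "hosts").write_bytes(b"127.0.0.1 localhost\n")
        clean = snapshot(root)

        # "install": program directory plus a DLL dropped into a shared location
        (root / "Program Files" / "XyzPdf").mkdir(parents=True)
        (root / "Program Files" / "XyzPdf" / "xyzprogram.exe").write_bytes(b"MZ-constructed-exe")
        (root / "Windows" / "xyzconv.dll").write_bytes(b"MZ-constructed-dll")
        installed = snapshot(root)

        # "uninstall": program directory removed, shared DLL and empty parent dir left behind
        shutil.rmtree(root / "Program Files" / "XyzPdf")
        uninstalled = snapshot(root)
        return leftover_report(clean, installed, uninstalled)


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The same dict-diff works for the Registry side: parse a `reg export` of the hives taken at each stage into `key\value -> data` and feed the three dicts to `diff_snapshots`.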
kwokhong
(@kwokhong)
New Member

How about searching for install.log files? I'm not sure if this will be deleted after the user uninstalls the program.

Posted : 11/05/2012 10:09 am
cedricpernet
(@cedricpernet)
Junior Member

Don't forget to check the Volume Shadow Copy, if it exists on the system.

Posted : 11/05/2012 11:57 am
pizzmor
(@pizzmor)
New Member

Fantastic, thanks all.

Posted : 11/05/2012 2:35 pm
keydet89
(@keydet89)
Community Legend

> Ok, so here is my dilemma. I am working a case using FTK 3.3 on a 64 bit install of W7 pro. The guy I am investigating was an IT supervisor at my agency and has since resigned, so I don't have access to him in terms of another interview, so he had some skills above the usual user.

Okay, good stuff to know. More importantly, you included the OS being analyzed.

> I was hitting the usual registry locations and found a regedit command in the runmru of the NTUSER.DAT file, so I know he was editing the registry before we were able to get his laptop out of his possession.

Within the same file (NTUSER.DAT) there is an Applets key, which will likely contain a subkey for RegEdit, which may contain a value that points to the last Registry key that the user accessed before closing RegEdit.

Within the HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit key, look for the "LastKey" value.

> He also cleared all of his temp. internet and other internet related cache locations, so that is a lost bit for me.

Given what you're interested in, that may not be an issue.

> Now the accusation here is that he was converting native files to .pdf's that a contractor was supposed to have been converting and getting kickbacks from the contractor. I have located several .exe command files carved from unallocated space showing "xyzprogram.exe" and some associated .dll files, but not much else.

When you say, "native files", what are you referring to?

One way to convert files to PDF is through the use of a PDF Printer, such as PrimoPDF.

> So I guess my question here is without knowing exactly what this guy did before we got to his machine, what else is there to find showing proof a program was installed and used for its specific purpose, which in this case was a .pdf conversion program.

Well, there are a couple of things available to you…

1. Look for installed programs, particularly via the Registry. RegRipper has a number of plugins available for this, in particular, uninstall.pl.

2. If you suspect that the user may have deleted programs from the system, then check the Registry hive files for deleted keys and values. One way to do this is using regslack, which I talked about on yesterday's SANS webcast. Another is TZWorks's yaru tool…it's graphical, but it indexes the hive file and will show you deleted keys that were recovered.

3. Since you're on a Win7 system, I'm more than just a bit surprised that you haven't checked the Jump Lists. One thing you could do is use JumpLister (from woanware.co.uk) to open each of the JumpLists in the AutomaticDestinations directory within the user profile, and map each of the Application IDs (the first part of the file name) to the specific application. In my experience, these JumpLists are created and maintained by the system, and will persist even after the application is deleted or removed.

4. Given what you've said about the user's abilities, I'd consider searching for the use of a counter-forensics tool, such as CCleaner. I'd look in the user's NTUSER.DAT hive at the UserAssist subkey entries (via RegRipper), as well as in the Application Compatibility Cache key within the System hive (Mandiant just released a Python script to assist you with this).

5. I'd consider creating a timeline of system activity, starting with the file system metadata, and adding Windows EventLog data, Prefetch file metadata, Registry key LastWrite times (as well as specific values that contain time stamps), Jump List metadata, etc. I would then use anything and everything I found in steps 1 - 4 as pivot points from which to begin a detailed investigation of the timeline.

HTH

Posted : 11/05/2012 5:57 pm
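Added example for step 5 of keydet89's list (my code, not keydet89's tools or the RegRipper/TLN format): merge timestamps from several artefact types into one sorted timeline, then use a finding from steps 1-4 (here the carved program name) as a pivot and pull every event within a window around it. All records below are constructed to look like what the individual artefacts yield; the Uninstall subkey name, prefetch hash and Jump List AppID are placeholders, not values from the case.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True, order=True)
class Event:
    ts: datetime   # UTC timestamp from the artefact
    source: str    # which artefact it came from: fs, prefetch, registry, jumplist, evtx
    action: str    # what the timestamp means for that artefact (B=born, A=accessed, ...)
    detail: str    # path, key, or description


def at(s: str) -> datetime:
    """Parse a constructed 'YYYY-MM-DD HH:MM' string as UTC."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# --- constructed sample records (not case data) ---------------------------------
FS_EVENTS = [
    Event(at("2012-05-01 09:12"), "fs", "B", "C:/Users/jdoe/Documents/report.docx"),
    Event(at("2012-05-02 14:06"), "fs", "A", "C:/Users/jdoe/Documents/report.docx"),
    Event(at("2012-05-02 14:07"), "fs", "B", "C:/Users/jdoe/Documents/report.pdf"),
    Event(at("2012-05-03 16:31"), "fs", "M", "C:/Users/jdoe/AppData/Local/Temp/"),
]
PREFETCH_EVENTS = [
    Event(at("2012-05-02 14:05"), "prefetch", "last_run", "XYZPROGRAM.EXE-PLACEHOLDER.pf run_count=3"),
]
REGISTRY_EVENTS = [
    Event(at("2012-05-02 14:00"), "registry", "LastWrite",
          "HKLM/SOFTWARE/Microsoft/Windows/CurrentVersion/Uninstall/XyzPdf (placeholder subkey)"),
    Event(at("2012-05-03 16:30"), "registry", "UserAssist", "CCleaner.exe run_count=1"),
]
JUMPLIST_EVENTS = [
    Event(at("2012-05-02 14:07"), "jumplist", "entry",
          "APPID-PLACEHOLDER.automaticDestinations-ms -> report.pdf"),
]


def build_timeline(*sources) -> list:
    """Flatten every artefact list into one list sorted by time, then source."""
    return sorted(e for src in sources for e in src)


def pivot(timeline: list, needle: str, window: timedelta = timedelta(minutes=10)) -> list:
    """Every event within +/- window of any event whose detail mentions needle."""
    needle = needle.lower()
    anchors = [e for e in timeline if needle in e.detail.lower()]
    hits = set()
    for a in anchors:
        hits.update(e for e in timeline if a.ts - window <= e.ts <= a.ts + window)
    return sorted(hits)


def render(e: Event) -> str:
    """One pipe-delimited line, epoch time first, so the output sorts and greps easily."""
    return f"{int(e.ts.timestamp())}|{e.source}|{e.action}|{e.detail}"


if __name__ == "__main__":
    tl = build_timeline(FS_EVENTS, PREFETCH_EVENTS, REGISTRY_EVENTS, JUMPLIST_EVENTS)
    print("--- around the carved program name ---")
    for e in pivot(tl, "xyzprogram"):
        print(render(e))
    print("--- around the counter-forensics tool ---")
    for e in pivot(tl, "ccleaner"):
        print(render(e))
```

On real evidence each list comes from the corresponding parser output (MFT/$I30 for fs, prefetch, hive LastWrite and UserAssist, Jump Lists, EventLog); converting everything to UTC before merging is what makes the window comparison meaningful.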
pizzmor
(@pizzmor)
New Member

Thanks Keydet for the great response. I will try what you have suggested. I need to spend more time on here for sure. D

Posted : 12/05/2012 4:49 am
keydet89
(@keydet89)
Community Legend

So…what are the "native files"?

Posted : 12/05/2012 5:33 pm
jgarcia
(@jgarcia)
Junior Member

I'll go out on a limb and say that he meant either .doc, .xls, etc…….

Posted : 15/05/2012 9:49 pm