Norton 360 subscription date registry location

(@acarr31)
Eminent Member
Joined: 17 years ago
Posts: 32
Topic starter  

The lab I work for was asked to tech review the work done at our county sheriff's department on an attempted homicide investigation. The deputy that conducted the computer forensic investigation ghosted the drive as part of his exam and went into the settings tab of Norton 360 and found the last deletion of internet history files, internet temporary files, Windows temporary files, and disk defrag. When we created a restored disk using EnCase and tried to go into the settings tab, it alerted us that the subscription of Norton 360 was expired, so the options were unavailable to us. As a result I have two questions: does anyone know where I could find this information in the registry using my evidence files? Or does anyone know where I can remove the subscription date so that we can check these settings on the restored drive? I would normally take more time to look, but this was a last-minute tech review and they start the trial in early January, so time is short. This is a bit of an issue for us because we now cannot replicate what the deputy has done; we need to find the dates these processes were last run. Thanks for any help in advance. If you don't feel comfortable posting the subscription date registry location on a public forum, I will send you my government email address.


   
Quote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133

The deputy that conducted the computer forensic investigation ghosted the drive as part of his exam and went into the settings tab of Norton 360 and found the last deletion of internet history files, internet temporary files, Windows temporary files, and disk defrag.

This may sound stupid 😯, but if you want to check what the deputy did, you need to do the same thing rather than "trust" the word of someone on a forum telling you which Registry key corresponds to the tab that the deputy supposedly saw.

I guess that it would be easier and more "accurate" to simply buy a renewal for Norton 360 (I guess that you can justify the expense of some 80 bucks) and replicate exactly the deputy's action, or ask Symantec Support if they can help you by giving an "official" statement (from the software producer) about the Registry key or supply you with a "temporary renewal".

jaclaz


   
ReplyQuote
(@acarr31)
Eminent Member
Joined: 17 years ago
Posts: 32
Topic starter  

Jaclaz,

I appreciate your input, and I don't mean to sound rude, but I'm not sure if you have worked for a government organization before. The amount of time it would take to have any expense over $30 approved by our immediate supervisor, the lab director, and the County Chief Fiscal Officer would be far longer than the week that we have left to complete our tech review. As far as seeking help from Symantec, you can imagine that they are hesitant to give out that kind of information over the phone to someone who didn't previously purchase the product on that computer. As far as doing exactly what the deputy did: we are conducting a tech review and possibly testifying in regards to this case; we didn't ghost the drive because we don't have that as an approved method under our ASCLD/LAB ISO accreditation. We did, however, create an exact restore using EnCase and loaded the drive just like the deputy did, but, like I said before, the subscription had expired. I appreciate your insight, but I was merely looking for someone who has done an exam on a machine with Norton 360 and had identified the registry locations for this program. Thank you.


   
ReplyQuote
(@bithead)
Noble Member
Joined: 20 years ago
Posts: 1206

Have you tried the log viewer?
Program Files\Common Files\Symantec Shared and then open ccLgView.exe


   
ReplyQuote
(@sleepy)
Eminent Member
Joined: 18 years ago
Posts: 27

I'm a student, and I could be (and probably am) missing something here, but my first thought was to set the "forensic" machine's system time to the date the deputy examined the original image and then mount your image; to my simple mind this seems like it would trick Norton and allow you the same access the deputy had on that date.

Please be gentle if I'm way off here, I'll be the first to admit I'm a newbie.


   
ReplyQuote
jaclaz
(@jaclaz)
Illustrious Member
Joined: 18 years ago
Posts: 5133

Jaclaz,

I appreciate your input, and I don't mean to sound rude,

No prob, you don't sound rude at all :-), I feel for you.

Though I am NOT involved in any "public" or "government" employment, I understand perfectly the limits and problems that you, like many other officers or otherwise police-connected technicians, encounter with bureaucracy.

At least in Italy, a defence lawyer would simply demolish (and this often happens) the testimony of an expert who is forced to admit that he had no means to verify directly, and by the same means, the operation of a colleague, but had to trust the advice given on a specialized forum (if this data hopefully comes out).

I am surprised that such a big (and at least theoretically reputable) company as Symantec does not have a "preferential channel" for law enforcement and connected technicians.

You will also understand how providing information about

Or, does anyone know where I can remove the subscription date so that we can check these settings on the restored drive?

would be morally and legally wrong, no matter the "good" end that could justify the means (and no, Machiavelli never said that).

Another way that I would find appropriate would be the following:
- create a dummy install
- install a trial of Norton 360 to it
  http://www.symantecstore.com/dr/v2/ec_main.entry25?page=1582AIndexPage&client=Symantec&sid=37771&cid=273172
- open a few web pages
- take a snapshot of the Registry
- delete the temp files/caches through Norton 360
- check and take a snapshot of the settings tab
- take another snapshot of the Registry
- compare the two Registry snapshots, thus finding the relevant key(s)
- inspect the evidence image for the given Registry key(s)

I guess that this way everything would be "kosher".

jaclaz


   
ReplyQuote
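The "snapshot, act, snapshot, compare" step in the procedure above is the part people usually do by hand. As an added example that is not part of the original thread, the Python below parses two `.reg` exports (the text `reg export` / Regedit produces) and lists every value that was added, removed or changed between them, then decodes a changed `dword` as a Unix timestamp. The key and value names in the embedded snapshots (`ExampleVendor\Cleanup`, `LastRun`, `Items`) are constructed for illustration and are not Norton 360's real registry layout; which keys actually change is exactly what the experiment is meant to discover.

```python
"""Diff two Windows Registry exports (.reg files) to find which keys and
values changed between snapshots.  Added example for the snapshot / act /
snapshot / compare procedure described above; it is not code from the
original posts.  The key and value names in the embedded snapshots are
constructed and hypothetical, not Norton 360's real registry layout."""
import re
from datetime import datetime, timezone

SECTION_RE = re.compile(r"^\[(-?)(.+)\]$")          # "[-HKEY..." marks a deleted key; ignored here
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: raw_data_string}}.

    Handles the header line, ';' comments, quoted value names, the default
    value ('@'), and hex: data continued over several lines with a trailing
    backslash.  Data is kept in its textual form (dword:..., hex:..., "...").
    """
    keys = {}
    current = None
    pending = None  # (name, data-so-far) while a hex value continues
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:
            name, data = pending
            data += line.rstrip("\\").strip()
            if line.endswith("\\"):
                pending = (name, data)
            else:
                keys[current][name] = data
                pending = None
            continue
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        sec = SECTION_RE.match(line)
        if sec:
            current = sec.group(2)
            keys.setdefault(current, {})
            continue
        val = VALUE_RE.match(line)
        if val and current is not None:
            name = val.group(1) if val.group(1) is not None else "@"
            data = val.group(2).strip()
            if data.endswith("\\"):
                pending = (name, data.rstrip("\\").strip())
            else:
                keys[current][name] = data
    return keys


def diff_snapshots(before, after):
    """Return (key, value_name, old_data, new_data) for every value that was
    added (old is None), removed (new is None) or changed."""
    changes = []
    for key in sorted(set(before) | set(after)):
        old_vals, new_vals = before.get(key, {}), after.get(key, {})
        for name in sorted(set(old_vals) | set(new_vals)):
            old, new = old_vals.get(name), new_vals.get(name)
            if old != new:
                changes.append((key, name, old, new))
    return changes


def decode_dword(data):
    """'dword:4b1e5c00' -> 1260280832 (REG_DWORD exports as big-endian hex text)."""
    return int(data.split(":", 1)[1], 16)


def unix_to_iso(seconds):
    """Render a 32-bit Unix timestamp as ISO-8601 UTC.  This is only one of the
    encodings a 'last run' value might use; treat it as a hypothesis until the
    snapshot experiment confirms it."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc).isoformat()


# Constructed snapshots: taken before and after running the cleanup action.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Cleanup]
"Enabled"=dword:00000001
"LastRun"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Other]
@="unchanged"
"""

AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Cleanup]
"Enabled"=dword:00000001
"LastRun"=dword:4b1e5c00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Cleanup\History]
"Items"=hex:01,00,\
  02,00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\Other]
@="unchanged"
"""


def find_changes():
    """Diff the two constructed snapshots; only LastRun and the new History key differ."""
    return diff_snapshots(parse_reg(BEFORE), parse_reg(AFTER))


if __name__ == "__main__":
    for key, name, old, new in find_changes():
        print(f"{key}\\{name}: {old!r} -> {new!r}")
        if new and new.startswith("dword:"):
            print("   as unix time:", unix_to_iso(decode_dword(new)))
```

On the real dummy install you would export the whole `HKLM\SOFTWARE` and `HKCU\Software` trees before and after the cleanup, feed the two files to `parse_reg`, and then look for the surviving key paths in the evidence image's hives; the diff tells you which keys matter, and only the evidence hives tell you what the suspect machine's values were.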
(@ddewildt)
Estimable Member
Joined: 17 years ago
Posts: 123

…Norton 360 and found the last deletion of internet history files, internet temporary files, Windows temporary files, and disk defrag.

Do you know what these dates/values were? If so, try mounting the reg files in EnCase and doing keyword searches through them. You might get the keys from that. Not sure if this really suits your needs, though, if you are trying to recreate what the deputy did.

Also - crazy thought here, and forgive me if I am speaking out of turn as I don't work for any kind of government/LE organisation - can you just fork out the subscription cost of Norton yourself and then go through the pain of reimbursement later?


   
ReplyQuote
(@acarr31)
Eminent Member
Joined: 17 years ago
Posts: 32
Topic starter  

Jaclaz,

Thank you for the input; it is always good to converse with someone that forces you to think outside what you are accustomed to. However, removing registry values on a restored image of a drive for purposes of viewing reports from an application for an investigation is far from illegal, just as taking the necessary files from a suspect drive's application and copying them to your forensic machine in order to view a proprietary or rare file type through the original program is not illegal. This is so long as those files are then deleted at the conclusion of the examination and not used for further exams without a proper license.

As far as the defense attorney is concerned, if I am able to find the information that the deputy found through another means, I simply have to explain my methods. Where I obtained my advice is rather irrelevant if I can show to the attorney and the court that the information I found was on the drive and all I did was trick the program into thinking it was still active so I could view log information. People post questions about cases on listservs and mailing lists every day (not everyone can know everything about computer forensics).

The experiment you suggested may be what we will have to try.

Thank you for the advice.


   
ReplyQuote
(@acarr31)
Eminent Member
Joined: 17 years ago
Posts: 32
Topic starter  

ddewildt,

Thanks for the tip; we have tried other keyword searches for it but had overlooked checking for the actual date. Unfortunately the deputy viewed these dates through the program interface, so we are unsure of the format in which the dates/times are stored. This is just a challenge though :). Thanks again.

Oh, and I have only heard horror stories from people at the agency who have thought a purchase was justified and put it on their own dime but ended up losing out in the end. No harm in the suggestion though.


   
ReplyQuote
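The obstacle in the exchange above (ddewildt's keyword-search suggestion and the reply that the storage format of the dates is unknown) is that a date seen in a GUI can be stored as text in several layouts, as 32-bit Unix seconds, or as a 64-bit Windows FILETIME, and the time of day is usually not known. As an added example that is not part of the original thread, the Python below takes the calendar day the deputy reported and scans a byte buffer for all of those encodings at once: text forms are matched exactly in ASCII and UTF-16LE, and the binary forms are matched by sliding a 4-byte and an 8-byte little-endian window over every offset and accepting any value that falls anywhere within that day. The sample buffer is constructed inline for illustration and is not real hive or Norton data; on a case you would run `find_date` over the raw `SOFTWARE`/`NTUSER.DAT` hives or a value's binary data exported from EnCase.

```python
"""Scan a binary blob (a raw registry hive, a value's data, or a carved
file) for a calendar date whose stored encoding is unknown.  Added example
for the keyword-search approach discussed in the thread; it is not code from
the original posts.  The sample buffer is constructed here and is not real
Norton 360 data."""
import re
import struct
from datetime import datetime, timedelta, timezone

UNIX_EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # Windows FILETIME base
TEXT_FORMATS = ("%m/%d/%Y", "%Y-%m-%d", "%d/%m/%Y", "%Y%m%d")  # common UI/text layouts


def find_date(buf, year, month, day):
    """Return sorted (offset, encoding) hits where buf encodes the given UTC day.

    Text forms are matched byte-exactly in ASCII and UTF-16LE.  Binary forms
    are matched by sliding a 4-byte (Unix seconds) and an 8-byte (FILETIME,
    100 ns ticks) little-endian window over every offset and accepting any
    value inside that calendar day, so the unknown time of day does not matter.
    Expect some false positives on large inputs; treat hits as leads to verify.
    """
    start = datetime(year, month, day, tzinfo=timezone.utc)
    end = start + timedelta(days=1)
    hits = []
    for fmt in TEXT_FORMATS:
        s = start.strftime(fmt)
        for label, pat in (("ascii " + s, s.encode("ascii")),
                           ("utf-16le " + s, s.encode("utf-16-le"))):
            hits.extend((m.start(), label) for m in re.finditer(re.escape(pat), buf))
    unix_lo, unix_hi = (int((t - UNIX_EPOCH).total_seconds()) for t in (start, end))
    ft_lo, ft_hi = (int((t - FILETIME_EPOCH).total_seconds()) * 10_000_000
                    for t in (start, end))
    for off in range(len(buf) - 3):
        if unix_lo <= struct.unpack_from("<I", buf, off)[0] < unix_hi:
            hits.append((off, "unix32-le"))
    for off in range(len(buf) - 7):
        if ft_lo <= struct.unpack_from("<Q", buf, off)[0] < ft_hi:
            hits.append((off, "filetime-le"))
    return sorted(hits)


# Constructed sample: zero padding, a 32-bit Unix timestamp, some text, the
# same date as a UTF-16LE string, then a FILETIME for the same instant.
_TS = 1260280832                                  # 2009-12-08 14:00:32 UTC
_UNIX_TO_FILETIME_SECONDS = 11644473600           # seconds from 1601-01-01 to 1970-01-01
SAMPLE = (b"\x00" * 8
          + struct.pack("<I", _TS)                             # offset 8
          + b"ABC"
          + "12/08/2009".encode("utf-16-le")                   # offset 15
          + struct.pack("<Q", (_TS + _UNIX_TO_FILETIME_SECONDS) * 10_000_000)  # offset 35
          + b"\xff" * 4)


def demo():
    """Search the constructed buffer for 8 December 2009 in every supported encoding."""
    return find_date(SAMPLE, 2009, 12, 8)


if __name__ == "__main__":
    for off, enc in demo():
        print(f"offset {off:4d}: {enc}")
```

Once a hit is confirmed against the dummy-install experiment (the same offset inside the same value across both machines), the encoding is known and the value can be decoded directly instead of scanned for.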
(@acarr31)
Eminent Member
Joined: 17 years ago
Posts: 32
Topic starter  

Sleepy,

Thanks for the tip, we tried just that by adjusting the system time but with no success. Thanks for taking the time out to respond though.


   
ReplyQuote
Page 1 / 2
Share: