In your opinion: I am looking at a Windows XP computer and in the user's Recent folder I have approx. 22 files that all look like the following
ZZZZZZZZZZZZZZ ZZ ZZZZZZZZZZZZZZ
The last accessed times for these files begin at 124521 and go down sequentially for about 7 seconds. This is all after a program called Evidence Nuker was created in the Program Files folder 5 minutes prior to the last accessed times in the Recent folder beginning. Would those ZZZZZZZZZZ indicate a wipe by the Evidence Nuker program?
That would be my guess. Set it up and see if it overwrites with "Z" by default.
A very quick and dirty way to check this would be to power the image up in a virtual machine. Load a copy of your forensic software of choice into it, use the 'nuker' program on its current settings on any folder of your choice, and preview the result in the forensic software; see if the artefacts mirror what you are seeing/expected.
So you can illustrate your point with the fact that "using this software in its current configuration, upon a folder or set of files, results in …….." and compare that with your recent items.
Rich
Agree with Rich, works well.
A similar approach is a phantom device between the suspect drive and the original base unit; run the software accordingly. It is actually writing to the phantom device, not the suspect drive, but shows everything in a "live" environment.
Thanks for the replies I am going to attempt this in a virtual environment.
You could also look for prefetch files for that application in the date/time you point out. That would be a strong argument.
I have seen the ZZZZZZZZZZZZZZZZ pattern used by CCleaner when the secure delete option is selected.
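The correlation the thread is reasoning about (names reduced to runs of "Z" in the Recent folder, accessed within a few seconds of each other, shortly after a wiping tool appeared in Program Files) can be checked mechanically once the Recent folder listing has been exported. The script below is an added example, not code from any poster or from any forensic product; the directory listing, timestamps and the `Entry` shape are constructed for illustration, and the "within ten minutes of the tool's creation time" window is an assumed triage threshold, not a rule from the thread.

```python
"""Triage a Windows 'Recent' folder listing for secure-delete rename artefacts.

Constructed example: the listing below is made up to resemble the thread's
description (entries whose names are runs of 'Z', with last-access times a few
seconds apart, shortly after a wiping tool was created in Program Files).
Nothing here comes from a real image.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import re

# A name that consists only of 'Z' characters and spaces, as in
# "ZZZZZZZZZZZZZZ ZZ ZZZZZZZZZZZZZZ". The .lnk extension of a Recent-folder
# shortcut is stripped before matching.
OVERWRITTEN_NAME = re.compile(r"^[Z ]+$")


@dataclass
class Entry:
    name: str            # file name as listed in the Recent folder
    last_access: datetime


def looks_overwritten(name: str) -> bool:
    """True if the name is the all-'Z' pattern a wiper leaves behind."""
    base = name[:-4] if name.lower().endswith(".lnk") else name
    return bool(OVERWRITTEN_NAME.match(base))


def overwritten_clusters(entries, tool_created,
                         window=timedelta(minutes=10),
                         max_gap=timedelta(seconds=2)):
    """Group overwritten-looking entries whose last-access time falls within
    `window` after `tool_created`, splitting a group whenever two consecutive
    access times are more than `max_gap` apart (a wiper works in one burst)."""
    candidates = sorted(
        (e for e in entries
         if looks_overwritten(e.name)
         and tool_created <= e.last_access <= tool_created + window),
        key=lambda e: e.last_access,
    )
    clusters = []
    for e in candidates:
        if clusters and e.last_access - clusters[-1][-1].last_access <= max_gap:
            clusters[-1].append(e)
        else:
            clusters.append([e])
    return clusters


def summarize(cluster):
    """Count and time span of one burst, for the report."""
    first, last = cluster[0].last_access, cluster[-1].last_access
    return {"count": len(cluster),
            "span_seconds": (last - first).total_seconds(),
            "first": first, "last": last}


# Constructed sample: tool created at 12:40:21, 22 'Z' entries accessed across
# the seven seconds 12:45:14-12:45:21, plus entries that must NOT be flagged.
TOOL_CREATED = datetime(2010, 3, 1, 12, 40, 21)
_burst_start = datetime(2010, 3, 1, 12, 45, 14)
SAMPLE = [
    Entry("ZZZZZZZZZZZZZZ ZZ ZZZZZZZZZZZZZZ.lnk", _burst_start + timedelta(seconds=i / 3))
    for i in range(22)
] + [
    Entry("report.docx.lnk", datetime(2010, 3, 1, 12, 46, 0)),      # normal name, in window
    Entry("ZZZZ ZZ.lnk", datetime(2010, 2, 28, 9, 0, 0)),            # 'Z' name, outside window
]


def triage(entries=SAMPLE, tool_created=TOOL_CREATED):
    """Return a summary per burst; an empty list means no correlated pattern."""
    return [summarize(c) for c in overwritten_clusters(entries, tool_created)]


if __name__ == "__main__":
    for s in triage():
        print(f"{s['count']} overwritten-name entries accessed between "
              f"{s['first']:%H:%M:%S} and {s['last']:%H:%M:%S} "
              f"({s['span_seconds']:.1f} s), starting "
              f"{(s['first'] - TOOL_CREATED).total_seconds() / 60:.1f} min "
              f"after the tool was created")
```

On a real case the listing would come from the forensic suite's export rather than the constructed `SAMPLE`; the output is only a lead to confirm by the controlled run in a VM that Rich describes, and by the prefetch timestamps, not proof on its own.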