I'm working on an investigation where Shred 3 was installed, ran and deleted. Has anyone successfully tracked down activity logs or artifacts that show when this application was used and the files/directories shredded?
Respectfully,
Jon Rowe
jon.rowe@pinpointlabs.com
I've successfully tracked down activity of the user using other applications, such as Cain and Abel, etc., through analysis of the Registry, and specific artifacts within the file system.
Beyond that, I guess the questions I would ask would be (a) what OS was it run on, and (b) does the application maintain activity logs at all? Artifacts are easy…
Answers to your questions
a) Windows XP
b) Still researching
I haven't located any information on Shred 3 log or dat files. I have scanned the drive and reviewed the hits in the registry, prefetch and reviewed the event logs.
I haven't run across anything that appears to be a deleted job file or found any date-specific information that's useful. My next step would be to install and use the application on a test job and track its behavior, dependencies and data structures. If I find Shred 3 is writing the information to a file I should be able to scan the drive for previous records or attempt to recover the deleted 'log' file.
Respectfully,
Jon
jon.rowe@pinpointlabs.com
I wanted to provide an update for those following the thread. I was able to gain a last accessed (embedded) time from a shred3.exe prefetch file. I used WinHex to recover prefetch files, and among the 389 recovered was a shred3.exe which I used to determine the runs and embedded time.
I'm still going to review the userassist values and setup a VM at some point to see if I can locate any log or settings Shred3 uses. The news from one of the ZD tech support reps was that Shred 3 doesn't store job related information for 'obvious' reasons but I'm too curious to stop there.
I appreciate everyone's assistance. I'll keep you posted if I find out anything else of interest.
Respectfully,
Jon
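The update above relies on the run count and last-run time embedded in a recovered XP prefetch file. The following is an added example, not code from the thread or from WinHex, showing how those two fields are read from the Windows XP/2003 (format version 17) prefetch header, and how a raw blob (for example unallocated space exported from an image) can be scanned for the SCCA signature to carve such headers. The offsets come from the publicly documented prefetch layout; the SHRED3.EXE sample header, its timestamp and its run count are constructed here for illustration and are not data from the case.

```python
"""Parse Windows XP/2003 (format version 17) prefetch headers and carve them
out of raw data such as unallocated space."""
import struct
from datetime import datetime, timedelta, timezone

# XP/2003 prefetch header layout (format version 0x11), from the published
# format description. Later Windows versions use different offsets.
PF_VERSION_XP = 0x11
PF_SIGNATURE = b"SCCA"
OFF_EXE_NAME = 0x10      # 60 bytes, UTF-16LE, NUL terminated
OFF_LAST_RUN = 0x78      # FILETIME of the last execution
OFF_RUN_COUNT = 0x90     # uint32 number of executions
MIN_HEADER_LEN = 0x94

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc_string(ft: int) -> str:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> 'YYYY-MM-DD HH:MM:SS'."""
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%d %H:%M:%S")


def utc_string_to_filetime(s: str) -> int:
    """Inverse of filetime_to_utc_string, used to build the constructed sample."""
    dt = datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def parse_xp_prefetch(data: bytes) -> dict:
    """Return exe name, run count and last-run time from an XP prefetch header."""
    if len(data) < MIN_HEADER_LEN:
        raise ValueError("too short for an XP prefetch header")
    version = struct.unpack_from("<I", data, 0)[0]
    if data[4:8] != PF_SIGNATURE:
        raise ValueError("missing SCCA signature")
    if version != PF_VERSION_XP:
        raise ValueError(f"unsupported prefetch format version 0x{version:x}")
    raw_name = data[OFF_EXE_NAME:OFF_EXE_NAME + 60]
    exe_name = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    last_run = struct.unpack_from("<Q", data, OFF_LAST_RUN)[0]
    run_count = struct.unpack_from("<I", data, OFF_RUN_COUNT)[0]
    return {
        "exe_name": exe_name,
        "run_count": run_count,
        "last_run_filetime": last_run,
        "last_run_utc": filetime_to_utc_string(last_run),
    }


def carve_xp_prefetch(blob: bytes) -> list:
    """Find every (offset, parsed header) for XP prefetch headers in a raw blob.
    Only the header is validated; the rest of the file may be overwritten."""
    found = []
    pos = blob.find(PF_SIGNATURE)
    while pos != -1:
        start = pos - 4  # version field sits 4 bytes before the signature
        if start >= 0:
            try:
                found.append((start, parse_xp_prefetch(blob[start:start + MIN_HEADER_LEN])))
            except ValueError:
                pass  # signature matched but header did not validate; keep scanning
        pos = blob.find(PF_SIGNATURE, pos + 1)
    return found


def build_sample_prefetch(exe_name: str, last_run_filetime: int, run_count: int) -> bytes:
    """Constructed XP-style prefetch header for testing; not a file from the case."""
    buf = bytearray(0x100)
    struct.pack_into("<I", buf, 0, PF_VERSION_XP)
    buf[4:8] = PF_SIGNATURE
    struct.pack_into("<I", buf, 0x0C, len(buf))  # file size field
    name = exe_name.encode("utf-16-le")
    buf[OFF_EXE_NAME:OFF_EXE_NAME + len(name)] = name
    struct.pack_into("<Q", buf, OFF_LAST_RUN, last_run_filetime)
    struct.pack_into("<I", buf, OFF_RUN_COUNT, run_count)
    return bytes(buf)


if __name__ == "__main__":
    # Constructed "unallocated space": padding, one carved header, more padding.
    ft = utc_string_to_filetime("2008-05-14 13:22:05")
    sample = build_sample_prefetch("SHRED3.EXE", ft, 3)
    blob = b"\x00" * 512 + sample + b"\xff" * 64
    for offset, rec in carve_xp_prefetch(blob):
        print(f"offset {offset}: {rec['exe_name']} run {rec['run_count']}x, "
              f"last run {rec['last_run_utc']} UTC")
```

The last-run FILETIME is UTC; convert to the custodian's local time zone only when correlating with other artifacts, and treat a carved header as a lead rather than proof until the run count and time are consistent with the UserAssist and file system timestamps.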
I used Harlan Carvey's RegRipper to extract the UserAssist data from the ntuser.dat hive. It worked GREAT and I was able to identify several artifacts leading up to the time the custodian returned the laptop.
My client was very pleased with the additional details. I had tried a couple of other methods to get to the UserAssist contents and experienced some issues. RegRipper did the trick and Harlan has been of great assistance during this investigation. I highly recommend his book, 'Windows Forensic Analysis', and blog, 'Windows Incident Response', http://windowsir.blogspot.com/.
Thanks Harlan!
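As an added example of what the UserAssist extraction in the post above produces, and not code from RegRipper or from the thread, the block below decodes Windows XP UserAssist values: the ROT13-encoded value names under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count and their 16-byte data (session ID, run counter, FILETIME), and orders the results into a timeline. On XP the counter starts at 5 for the first run, so the run count is the stored value minus 5; Windows 7 and later use a different, larger record, which this code deliberately rejects. The value names, paths, counts and timestamps are constructed for illustration and are not data from the case; the dictionary stands in for the values you would read out of the Count subkey with any hive parser.

```python
"""Decode Windows XP UserAssist values and build a last-run timeline."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# XP/2003 UserAssist record: uint32 session, uint32 counter, FILETIME last run.
USERASSIST_XP_LEN = 16
COUNT_BIAS_XP = 5  # counter is 5 after the first run on XP
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc_string(ft: int) -> str:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> 'YYYY-MM-DD HH:MM:SS'."""
    return (EPOCH_1601 + timedelta(microseconds=ft // 10)).strftime("%Y-%m-%d %H:%M:%S")


def utc_string_to_filetime(s: str) -> int:
    dt = datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return int((dt - EPOCH_1601).total_seconds()) * 10_000_000


def decode_userassist_xp(value_name: str, value_data: bytes) -> dict:
    """Decode one XP UserAssist value (ROT13 name + 16-byte record)."""
    if len(value_data) != USERASSIST_XP_LEN:
        raise ValueError(f"expected {USERASSIST_XP_LEN}-byte XP record, got {len(value_data)}")
    session, counter, ft = struct.unpack("<IIQ", value_data)
    return {
        "name": codecs.decode(value_name, "rot13"),
        "session": session,
        "runs": max(counter - COUNT_BIAS_XP, 0),
        # Control entries such as UEME_CTLSESSION carry no timestamp.
        "last_run_utc": filetime_to_utc_string(ft) if ft else None,
    }


def encode_userassist_xp(plain_name: str, session: int, runs: int, ft: int) -> tuple:
    """Build a constructed XP UserAssist value (name, data) for testing."""
    data = struct.pack("<IIQ", session, runs + COUNT_BIAS_XP, ft)
    return codecs.encode(plain_name, "rot13"), data


def userassist_timeline(values: dict) -> list:
    """Decode every value in a Count key and sort dated entries by last run."""
    decoded = [decode_userassist_xp(name, data) for name, data in values.items()]
    dated = [d for d in decoded if d["last_run_utc"] is not None]
    return sorted(dated, key=lambda d: d["last_run_utc"])


def sample_count_key() -> dict:
    """Constructed contents of a Count subkey; not values from a real hive."""
    entries = [
        ("UEME_CTLSESSION", 0x14, 0, 0),
        ("UEME_RUNPATH:C:\\Program Files\\Cain\\Cain.exe", 0x14, 2,
         utc_string_to_filetime("2008-05-12 09:41:10")),
        ("UEME_RUNPATH:C:\\Program Files\\Shred3\\shred3.exe", 0x14, 3,
         utc_string_to_filetime("2008-05-14 13:22:05")),
    ]
    return dict(encode_userassist_xp(*e) for e in entries)


if __name__ == "__main__":
    for rec in userassist_timeline(sample_count_key()):
        print(f"{rec['last_run_utc']} UTC  runs={rec['runs']:<3} {rec['name']}")
```

Two caveats when reading the output against other evidence: only the most recent execution time is stored per value, so the earlier runs that the counter implies have no timestamp of their own, and the same executable can appear under more than one value name (for example a RUNPATH entry and a RUNPIDL entry), so de-duplicate by path before counting.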