(@deltron)
Estimable Member
Joined: 11 years ago
Posts: 125
Topic starter  

So I am noticing a flash drive is plugged in but no entry in Setupapi.dev.log, in fact no Setupapi.dev.log.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

Possible deletion between shadow copies…

(@deltron)
Estimable Member
Joined: 11 years ago
Posts: 125
Topic starter  

Possible deletion between shadow copies…

Yeah, just noticed CCleaner.

UnallocatedClusters
(@unallocatedclusters)
Honorable Member
Joined: 13 years ago
Posts: 576
 

Deltron,

CCleaner is a tricky beast to deal with as it does not create an external log of activities by design.

1) LNK File Analysis to Determine Last Run Date & Time

I recommend analyzing the metadata of any LNK files (CCleaner.lnk Desktop Shortcuts) pointing to the CCleaner application executable to determine the last time a user of the computer ran CCleaner.

2) NTUSER.DAT Analysis to Determine the Number of Times CCleaner Was Run

The registry entry (encoded in ROT13) for CCleaner will show the number of times CCleaner was executed. OSForensics' Registry Viewer is one tool that can allow such analysis.

3) CCleaner can Delete Volume Shadow Copies

Once you have mounted the forensic image file of the computer being investigated, use a command line prompt to run the following command: "C:\>vssadmin list shadows /for=K:" (you will need to change the "K" value to whatever volume letter your forensic image file was mounted as).

This command will provide you with a list of Volume Shadow Copies currently existing on the forensic image file. Normally one should see up to 64, I believe, Volume Shadow Copies, depending upon the version of Windows you are investigating (please research the 64 number).

If you do not have 64 Volume Shadow Copies, it indicates that a user of the computer deleted the VSCs.

4) Confirm if Volume Shadow Copy Creation is currently turned on.

The below example has a Data value of (0) meaning VSC creation is turned "on". A value of (1) means the service is turned off.

Microsoft\Windows NT\CurrentVersion\SystemRestore\Setup_Last
File: Drive-K\Windows\System32\Config\SOFTWARE
Timezone: GMT -5:00
Last Write Time: 9/30/2008, 5:59 PM
Values
Name: Generalize_DisableSR
Type: REG_DWORD
Data: 0x00000000 (0)

5) Analyze the Windows Event Log file "Application.evtx" to determine how many system restore points (VSCs) were created.

You may see that 150 VSCs were created and the time/date each one was created in the Application.evtx log file.

CONCLUSION

Using the above analysis steps, one may be able to determine if Volume Shadow Copies were created by a given system and then subsequently deleted by a user of the computer. Although there is no external-to-CCleaner log file one can analyze to recover evidence of a user using CCleaner to delete Volume Shadow Copies, a reasonable inference can be made based upon the fact that the Application.evtx log file recorded the creation of multiple VSCs, that VSCs are missing from the system, and that VSC creation is currently turned on, that a user of the computer used a tool to delete the missing VSCs.

PM me if you need more help.

Regards,

Larry

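As an added illustration of steps 3 and 5 above (example code, not from the thread's authors or from any tool mentioned), this parser reads the output of "vssadmin list shadows /for=K:" and reports two indicators that copies were removed: unusually long gaps between the creation times of the surviving copies (keydet89's "deletion between shadow copies") and skipped HarddiskVolumeShadowCopyN device numbers. The sample output below is constructed, and the device-number heuristic is an assumption, not something the thread states.

```python
import re
from datetime import datetime

# Constructed sample of `vssadmin list shadows /for=K:` output (not captured from a real system).
SAMPLE_VSSADMIN = r"""vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2005 Microsoft Corp.

Contents of shadow copy set ID: {11111111-0000-0000-0000-000000000001}
   Contained 1 shadow copies at creation time: 9/20/2008 6:01:10 PM
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000001}
         Original Volume: (K:)\\?\Volume{deadbeef-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
Contents of shadow copy set ID: {11111111-0000-0000-0000-000000000002}
   Contained 1 shadow copies at creation time: 9/30/2008 5:59:00 PM
      Shadow Copy ID: {aaaaaaaa-0000-0000-0000-000000000002}
         Original Volume: (K:)\\?\Volume{deadbeef-0000-0000-0000-000000000000}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy7
"""

CREATED_RE = re.compile(r"creation time:\s*(.+?)\s*$")
DEVICE_RE = re.compile(r"HarddiskVolumeShadowCopy(\d+)\s*$")


def parse_shadows(text):
    """Return one dict per surviving shadow copy: creation time and device number."""
    shadows, current = [], None
    for line in text.splitlines():
        m = CREATED_RE.search(line)
        if m:
            current = {"created": datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")}
            continue
        m = DEVICE_RE.search(line)
        if m and current is not None:
            current["device"] = int(m.group(1))
            shadows.append(current)
            current = None
    return sorted(shadows, key=lambda s: s["created"])


def deletion_indicators(shadows, max_gap_days=7):
    """Flag evidence that copies were removed: long gaps between surviving copies,
    and skipped HarddiskVolumeShadowCopyN numbers (heuristic assumption: numbers are
    handed out in sequence, so a missing number suggests a copy that no longer exists)."""
    gaps = [(a["created"], b["created"]) for a, b in zip(shadows, shadows[1:])
            if (b["created"] - a["created"]).days > max_gap_days]
    present = {s["device"] for s in shadows}
    skipped = sorted(set(range(1, max(present) + 1)) - present) if present else []
    return {"surviving": len(shadows), "long_gaps": gaps, "skipped_devices": skipped}
```

Cross-check the surviving count and gap windows against the restore-point creation events in Application.evtx (step 5) before drawing the inference described in the conclusion.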