Hello, I have a quick question for you guys. I'm doing an investigation and I have come across a stego tool. The OS it's installed upon is XP. I am trying to see if I can detect its usage; so far I've examined the 'recently' accessed docs and can't highlight anything, and examined the prefetch files, but the application does not create one. Are there any other methods for detecting the tool's usage?
Thank you
There are a couple of tools to detect steganography
-
-
Both can help detect artifacts of steg use.
Tooty,
Sure, check the contents of the UserAssist keys for the user's NTUSER.DAT hive files… RegRipper can help you with this.
However, when you say that you "came across" a tool, which one was it? Some tools may require an installation routine, while others may not.
Also, when looking to the Prefetch files, how many .pf files are in the Prefetch directory? Windows Forensic Analysis talks about the limit on the number of files in that directory.
You might also check the contents of the MUICache, AppPaths, and Uninstall keys, as well.
You may have found the tool, but are there any indications that it was installed? Also, depending on the tool you're referring to, there may be some other Registry artifacts.
HTH,
h
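The UserAssist check suggested above can be reproduced without RegRipper once you know the XP value layout. The following is an added example, not code from the thread or from RegRipper: it ROT13-decodes UserAssist value names and unpacks the 16-byte XP data format (4-byte session id, 4-byte run count stored as count + 5, 8-byte FILETIME of the last run). The "Count" subkey contents are constructed inline for the demonstration; the path `C:\Program Files\ExampleStego\stego.exe` is a placeholder and not the tool the poster found.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(text):
    """UserAssist value names are ROT13-obfuscated; the transform is its own inverse."""
    return codecs.decode(text, "rot_13")


def filetime_to_datetime(filetime):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    if filetime == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer arithmetic to avoid float rounding."""
    delta = dt - FILETIME_EPOCH
    micros = (delta.days * 86400 + delta.seconds) * 1_000_000 + delta.microseconds
    return micros * 10


def parse_userassist_xp(entries):
    """Decode (value_name, raw_bytes) pairs read from the UserAssist ...\\Count subkey.

    XP data layout, little-endian, 16 bytes: session id (4), run count (4, stored
    as count + 5), last-run FILETIME (8). Entries of other lengths (e.g. the
    UEME_CTLSESSION control value) are not program runs and are skipped.
    """
    parsed = []
    for name, data in entries:
        if len(data) != 16:
            continue
        session, stored_count, ft = struct.unpack("<IIQ", data)
        run_count = stored_count - 5 if stored_count >= 5 else stored_count
        parsed.append({
            "name": rot13(name),
            "session": session,
            "run_count": run_count,
            "last_run": filetime_to_datetime(ft),
        })
    return parsed


def find_program(parsed, executable):
    """Return decoded entries whose path ends with the given executable name (case-insensitive)."""
    exe = executable.lower()
    return [e for e in parsed if e["name"].lower().endswith(exe)]


def make_entry(plain_name, session, run_count, last_run):
    """Build one constructed registry value in the on-disk XP format (test data only)."""
    data = struct.pack("<IIQ", session, run_count + 5, datetime_to_filetime(last_run))
    return (rot13(plain_name), data)


# Constructed sample of a Count subkey; the stego path is a hypothetical placeholder.
SAMPLE_COUNT_KEY = [
    make_entry("UEME_RUNPATH:C:\\Program Files\\ExampleStego\\stego.exe", 0, 3,
               datetime(2009, 3, 14, 10, 30, tzinfo=timezone.utc)),
    make_entry("UEME_RUNPATH:C:\\WINDOWS\\system32\\notepad.exe", 0, 1,
               datetime(2009, 3, 13, 9, 0, tzinfo=timezone.utc)),
    (rot13("UEME_CTLSESSION"), struct.pack("<II", 0, 7)),  # 8-byte control entry, skipped
]


if __name__ == "__main__":
    for entry in parse_userassist_xp(SAMPLE_COUNT_KEY):
        print(f"{entry['run_count']:>3} runs, last {entry['last_run']}  {entry['name']}")
    print("stego hits:", find_program(parse_userassist_xp(SAMPLE_COUNT_KEY), "stego.exe"))
```

On a real case the pairs would come from exporting the user's NTUSER.DAT and walking the `UserAssist\{GUID}\Count` subkeys; a `run_count` of zero with a non-zero timestamp still shows the program was launched at least once, so do not filter on count alone.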
Thanks for your responses.
After looking into the NTUSER.dat of the profile, it maintains a record of the stego tool.
I've checked the prefetch files and it definitely does not create one when it is installed.
I have checked the registry keys that you guys suggested but I can't find anything suggesting its usage.
Can you guys think of any more possible approaches, or do you think I'm fighting a losing battle?
…P.S. those tools are a little expensive to purchase for this one case, but thanks for pointing me in their direction.
After looking into the NTUSER.dat of the profile, it maintains a record of the stego tool.
Within which key?
I've checked the prefetch files and it definitely does not create one when it is installed.
Nor would it, most likely. XP does _application_ prefetching.
I have checked the registry keys that you guys suggested but I can't find anything suggesting its usage.
Roger that.
Can you guys think of any more possible approaches, or do you think I'm fighting a losing battle?
That could depend a great deal on what you already found. Since you may not be able to share that, and you don't seem able to share the name of the tool you found (nor any other information), you may very well be fighting a losing battle. Sorry.
…P.S. those tools are a little expensive to purchase for this one case, but thanks for pointing me in their direction.
Well, you really don't need them, per se. You can make up a great deal of what they provide you in your methodology.
…P.S. those tools are a little expensive to purchase for this one case, but thanks for pointing me in their direction.
Always try the demo. They may be time limited or crippled but they often help me get my head around a new avenue of investigation.
Thank you for your help guys, but I've just hit the jackpot. I've been testing the tool on my machine and I have to say it's partly my fault, as I must have overlooked that it maintains a registry key documenting the files that come into contact with it during stego. I feel like such an amateur for not discovering it! But… better late than never.
…Anyway, when the tool is just installed and not used, these keys are not present; they are only generated when it's actually used… or at least my testing so far has proved this.
…and by the state of my case these keys aren't there, so phew!! 8)
Thank you for your help again everyone!