Suspicious set up - any further lines?

(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

I, and I'm sure most others, am quite familiar with the scenario where you have an encrypted hard drive or other device and the owner has magically forgotten the password that they used every day and so is of no help.

Recently, I came across another very suspicious but different kind of set up.

- Windows PC, no encryption, password or user account set. No relevant information in the owner or software license - set only as 'John Smith'
- No files, documents or anything stored on the PC
- No paging file
- Very few programs installed, but it appears internet access was set to Firefox Private with preferences set to delete everything once closed. Also CCleaner set to wipe everything with an overwrite function.
- There was also some MAC address changing software

As you can imagine with a set up like this there was very little found of any value at all.

What I in fact suspect is the case is that they had some wireless storage device that they kept everything on that wasn't found (probably well hidden). The rest of it seems like they knew a little too well what they were doing.

Would I be right in saying that absent the paging file, free space and no hidden volumes, there are very few other lines to follow on this?

Nevertheless, I think it's worth conveying to 'non-tech' people that it's not simply a case that this is something with no evidence, rather it's set up in such a deliberate way so as to avoid there being any evidence. Would this be a worthwhile report and able to infer significant suspicions?

 
Posted : 12/08/2016 8:41 pm
Chris_Ed
(@chris_ed)
Posts: 314
Reputable Member
 

What I in fact suspect is the case is that they had some wireless storage device that they kept everything on that wasn't found (probably well hidden). The rest of it seems like they knew a little too well what they were doing.

Have you checked the various registry hives for this sort of access? Shellbags, connected USB devices, mapped drives, that sort of thing.

Consider as well that if your dude is doing something questionable online then it's possible he's streaming it and has nothing locally at all.

Having said that, be very careful

Nevertheless, I think it's worth conveying to 'non-tech' people that it's not simply a case that this is something with no evidence, rather it's set up in such a deliberate way so as to avoid there being any evidence. Would this be a worthwhile report and able to infer significant suspicions?

Significant suspicions of what, exactly? People have a right to browse the Internet anonymously, and they have a right to delete their Internet history if they want to.
Yes, report it as a possibility but only as an explanation of why there might be nothing of interest. Saying that someone is suspicious because they set their PC up that way is a very dangerous position to be in, morally and legally.

 
Posted : 12/08/2016 8:58 pm
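A concrete way to run the registry checks Chris_Ed lists (USB device history, mapped drives, mount points) alongside the configuration points the OP describes (no paging file, MAC-changing software), as an added PowerShell example that is not from this thread or any of its posters. It assumes the suspect disk image is mounted read-only at E:\ (placeholder), that the only profile is 'John Smith' as the OP reports, and that the extracted hives are loaded with reg.exe under the temporary names IMG_SYSTEM and IMG_NTUSER. Shellbags need a dedicated parser and are not decoded here; a NAS or "wireless storage device" reached over SMB would typically leave `##server#share` entries under MountPoints2 or a persistent mapping under Network.

```powershell
# Added example (not from the thread): triage of anti-forensic settings and
# external-storage traces in registry hives copied out of a disk image.
# Assumptions: image mounted read-only at E:\ (placeholder), profile 'John Smith',
# hives loaded under temporary names. Run from an elevated PowerShell on an
# analysis workstation, never on the suspect machine itself.

$ImageRoot  = 'E:'                                                   # placeholder mount point
$SystemHive = Join-Path $ImageRoot 'Windows\System32\config\SYSTEM'
$NtUserHive = Join-Path $ImageRoot 'Users\John Smith\NTUSER.DAT'     # profile name as reported by the OP

reg.exe load HKLM\IMG_SYSTEM $SystemHive | Out-Null
reg.exe load HKU\IMG_NTUSER  $NtUserHive | Out-Null
# PowerShell has no HKU: drive by default; create one so the user hive is reachable.
New-PSDrive -Name HKU -PSProvider Registry -Root HKEY_USERS -ErrorAction SilentlyContinue | Out-Null

try {
    # Use the control set the system last booted with, not a hard-coded ControlSet001.
    $current = (Get-ItemProperty 'HKLM:\IMG_SYSTEM\Select').Current
    $ccs = 'HKLM:\IMG_SYSTEM\ControlSet{0:D3}' -f $current

    # 1. Paging file configuration: an empty PagingFiles value means no page file.
    $mm = Get-ItemProperty "$ccs\Control\Session Manager\Memory Management"
    [PSCustomObject]@{
        Check           = 'PagingFiles'
        Value           = ($mm.PagingFiles -join ';')
        ClearAtShutdown = $mm.ClearPageFileAtShutdown
    }

    # 2. MAC override on any network adapter: a NetworkAddress value under the
    #    adapter's class subkey is what "MAC changer" tools usually set.
    $netClass = "$ccs\Control\Class\{4d36e972-e325-11ce-bfc1-08002be10318}"
    Get-ChildItem $netClass -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        if ($p.NetworkAddress) {
            [PSCustomObject]@{ Check = 'MACOverride'; Adapter = $p.DriverDesc; NetworkAddress = $p.NetworkAddress }
        }
    }

    # 3. Every USB mass-storage device that was ever enumerated (model + serial).
    Get-ChildItem "$ccs\Enum\USBSTOR" -ErrorAction SilentlyContinue | ForEach-Object {
        $model = $_.PSChildName
        Get-ChildItem $_.PSPath | ForEach-Object {
            $dev = Get-ItemProperty $_.PSPath
            [PSCustomObject]@{ Check = 'USBSTOR'; Model = $model; Serial = $_.PSChildName; FriendlyName = $dev.FriendlyName }
        }
    }

    # 4. Volumes and shares this user opened in Explorer (MountPoints2) and
    #    persistent mapped network drives (Network), both in the user hive.
    Get-ChildItem 'HKU:\IMG_NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2' -ErrorAction SilentlyContinue |
        ForEach-Object { [PSCustomObject]@{ Check = 'MountPoints2'; Key = $_.PSChildName } }
    Get-ChildItem 'HKU:\IMG_NTUSER\Network' -ErrorAction SilentlyContinue | ForEach-Object {
        $m = Get-ItemProperty $_.PSPath
        [PSCustomObject]@{ Check = 'MappedDrive'; Letter = $_.PSChildName; RemotePath = $m.RemotePath }
    }
}
finally {
    # Always unload, otherwise the hive files stay locked by the analysis box.
    reg.exe unload HKLM\IMG_SYSTEM | Out-Null
    reg.exe unload HKU\IMG_NTUSER  | Out-Null
}
```

Each check emits plain objects so the output can be piped to Export-Csv for the report. Note that none of these keys prove intent: USBSTOR entries persist for devices plugged in once, and a NetworkAddress override can also be set by a legitimate driver utility, so treat the findings the way pbobby and Chris_Ed suggest, as an explanation of where data may have gone rather than as evidence in themselves.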
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Significant suspicions of what, exactly?

Significant suspicions of acting in such a way to raise the possibility to infer significant suspicions, of course. wink

Next step being of course wider use of precogs 😯 .

And now, only seemingly OT, some previous questionable use of "significant":
http://www.edwardtufte.com/bboard/q-and-a-fetch-msg?msg_id=0001yB

The vigorous, vaguely quantitative, words “significant” and “significantly” are used 5 times on this slide, with meaning ranging from “detectable in a perhaps irrelevant calibration case study” to “an amount of damage so that everyone dies” to “a difference of 640-fold.” None of the 5 “significants” refer to “statistical significance;” such wordplay may suggest that a formal statistical analysis has been done.

@wotsits
Wait until you find a smart guy with no hard disk and booting from a CD/DVD to a ramdisk …
… now that would be really suspicious…

jaclaz

 
Posted : 12/08/2016 9:42 pm
pbobby
(@pbobby)
Posts: 239
Estimable Member
 

Another non-contributing reply to a thread. Got anything better to do than focus on a sentence and just rag about it?

To the OP - As Chris suggested, include registry analysis. I also concur that the presence of such a set up does not necessarily imply bad intent. I've had to educate decision makers in my workplace that the presence/usage of a ccleaner type of software is not an indicator of guilt.

 
Posted : 12/08/2016 10:20 pm
(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

Of course people have a right to set up their PC however they choose.

My point is this person has clearly taken steps to avoid leaving behind traces of evidence.

Similar to when they talk about people using anti-surveillance tactics which infers the reason for it is to carry out some illegal activity.

 
Posted : 12/08/2016 10:23 pm
(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

Another non-contributing reply to a thread. Got anything better to do than focus on a sentence and just rag about it?

To the OP - As Chris suggested, include registry analysis. I also concur that the presence of such a set up does not necessarily imply bad intent. I've had to educate decision makers in my workplace that the presence/usage of a ccleaner type of software is not an indicator of guilt.

True. But this is all a bit of a step further than just having CCleaner installed!

 
Posted : 12/08/2016 10:26 pm
jaclaz
(@jaclaz)
Posts: 5133
Illustrious Member
 

Another non-contributing reply to a thread. Got anything better to do than focus on a sentence and just rag about it?

Not really, right now, but thanks for asking.

jaclaz

 
Posted : 12/08/2016 10:43 pm
tracedf
(@tracedf)
Posts: 169
Estimable Member
 

The MAC changing software and disabled paging are the most suspicious things. Using Firefox in Private mode with CCleaner is just good all-around privacy protection. It could be explained, for example, by wanting to browse adult websites without leaving history and images around for a roommate or child who also uses the computer.

 
Posted : 12/08/2016 10:45 pm
(@wotsits)
Posts: 253
Reputable Member
Topic starter
 

There simply is no other explanation in my view for disabling the paging file and overwriting any new data and not keeping any files stored than because of trying to avoid leaving evidence behind.

Could a finding such as this be able to justify making a further, perhaps deeper, search of the suspect address in the hopes of finding external storage media? Or generally are searches a one shot thing unless they come to attention for a further offence, such that in this case the suspect has 'beat the system'?

 
Posted : 12/08/2016 10:53 pm
RolfGutmann
(@rolfgutmann)
Posts: 1185
Noble Member
 

RAM analysis? Often underestimated is the 'living area Radio Frequency area', e.g. did you check the Wi-Fi networks around, which may have logged beacons and DHCP requests, or PowerLine devices in the same building? For sure you did, right?

 
Posted : 12/08/2016 11:32 pm
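RolfGutmann's point about the surrounding radio environment has a counterpart on the disk itself: Windows records every network the machine joined, which is where a nearby access point or a wireless storage box would show up. The following is an added PowerShell example, not from this thread or any poster, that lists those profiles from an offline SOFTWARE hive with their connect dates decoded. It assumes the image is mounted read-only at E:\ (placeholder) and the hive is loaded under the temporary name IMG_SOFTWARE; the NameType codes (71 wireless, 6 Ethernet) are the IANA interface types Windows stores there.

```powershell
# Added example (not from the thread): network profiles the imaged machine
# ever joined, with DateCreated/DateLastConnected decoded from the registry.
# Assumptions: image mounted at E:\ (placeholder), hive loaded as IMG_SOFTWARE.

$SoftwareHive = 'E:\Windows\System32\config\SOFTWARE'   # placeholder path
reg.exe load HKLM\IMG_SOFTWARE $SoftwareHive | Out-Null

function ConvertFrom-SystemTime {
    # NetworkList dates are 16-byte SYSTEMTIME structures: eight little-endian
    # 16-bit words (year, month, day-of-week, day, hour, minute, second, millisecond).
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -lt 16) { return $null }
    $w = 0..7 | ForEach-Object { [BitConverter]::ToUInt16($Bytes, $_ * 2) }
    return New-Object DateTime($w[0], $w[1], $w[3], $w[4], $w[5], $w[6], $w[7])
}

try {
    $base = 'HKLM:\IMG_SOFTWARE\Microsoft\Windows NT\CurrentVersion\NetworkList'

    # Signatures\Unmanaged ties each profile GUID to the MAC of the gateway it was seen behind,
    # which is useful for telling two networks with the same SSID apart.
    $gatewayByProfile = @{}
    Get-ChildItem "$base\Signatures\Unmanaged" -ErrorAction SilentlyContinue | ForEach-Object {
        $s = Get-ItemProperty $_.PSPath
        if ($s.DefaultGatewayMac) {
            $gatewayByProfile[$s.ProfileGuid] = ($s.DefaultGatewayMac | ForEach-Object { $_.ToString('X2') }) -join ':'
        }
    }

    Get-ChildItem "$base\Profiles" -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty $_.PSPath
        [PSCustomObject]@{
            ProfileName       = $p.ProfileName
            Wireless          = ($p.NameType -eq 71)      # 71 = IEEE 802.11, 6 = Ethernet
            DateCreated       = ConvertFrom-SystemTime $p.DateCreated
            DateLastConnected = ConvertFrom-SystemTime $p.DateLastConnected
            GatewayMac        = $gatewayByProfile[$_.PSChildName]
        }
    } | Sort-Object DateLastConnected -Descending | Format-Table -AutoSize
}
finally {
    reg.exe unload HKLM\IMG_SOFTWARE | Out-Null
}
```

The decoded timestamps are local time as the machine recorded them, so line them up with the RAM capture and any DHCP logs from the router before drawing conclusions about when a given network was last in use.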
Page 1 / 3