Notifications

Clear all

Suspicious set up - any further lines?

wotsits · 2016-08-12T20:41:33Z

I and I'm sure most others are quite familiar with the scenario where you have an encrypted hard drive or other device and the owner has magically forgotten their password that they used everyday and so is of no help.Recently, I came across another very suspicious but different kind of set up.-Windows PC, no encryption, password or user account set. No relevant information in the owner or software license - set only as 'John Smith'-No files, documents or anything stored on the PC-No paging file-Very few programs installed, but it appears internet access was set to Firefox Private with preferences set to delete everything once closed. Also CCleaner set to wipe everything with an overwrite function.-There was also some MAC address changing softwareAs you can imagine with a set up like this there was very little found of any value at all. What I in fact suspect is the case is that they had some wireless storage device that they kept everything on that wasn't found (probably well hidden). The rest of it seems like they knew a little too well what they were doing.Would I be right in saying that absent the paging file, free space and no hidden volumes, there's very little other lines to follow on this?Nevertheless, I think it's worth conveying to 'non-tech' people that it's not simply a case that this is something with no evidence, rather it's set up in such a deliberate way so as to avoid there being any evidence. Would this be a worthwhile report and able to infer significant suspicions?

Page 3 / 3 Prev

General (Technical, Procedural, Software, Hardware etc.)

Last Post by Anonymous 5 years ago

25 Posts

15 Users

0 Reactions

3,350 Views

RSS

badgerau

(@badgerau)

Trusted Member

Joined: 12 years ago

Posts: 96

24/08/2016 6:53 am

Well articulated "Chris_Ed"

Not having all the specifics of the scene, have you considered that the suspect computer your examining was used purely as a pass through modem, in that some other device was connecting through it to the internet.

ReplyQuote

Bunnysniper

(@bunnysniper)

Reputable Member

Joined: 13 years ago

Posts: 259

29/08/2016 5:40 pm

Some ideas and hints on this

- joakims already mentioned the NTFS evidence sources- no evidence there?
- i would check for all autorun locations, perhaps some kind of cleaning script?
- is there a hibernation file?
- there are so called hidden TrueCrypt volumes. Did you search for them?
BriMor Labs has a nice blog post about it
http//www.brimorlabsblog.com/2014/01/identifying-truecrypt-volumes-for-fun.html
- when MAC was changed, you can find evidence on the DHCP server perhaps? My Wifi SOHO router is acting as DHCP at home and has a full history of IP + MAC adresses
- did you check the Windows Event Logs?
- i would check the Performance Logs, too

and last but not least any existing Windows Memory dump file or Error reporting archive? Even if you do not find a full memory dump, you might find the name and path of a crashed application.

Good hunting!
Robin

ReplyQuote

Jmundy

(@jmundy)

Eminent Member

Joined: 6 years ago

Posts: 25

29/05/2020 9:42 pm

Posted by: @jaclaz

Significant suspicions of what, exactly?

Significant suspicions of acting in such a way to raise the possibility to infer significant suspicions, of course. wink

Next step being of course wider use of precogs 😯 .

And now, only seemingly OT, some previous questionable use of "significant"
http//www.edwardtufte.com/bboard/q-and-a-fetch-msg?msg_id=0001yB

The vigorous, vaguely quantitative, words “significant” and “significantly” are used 5 times on this slide, with meaning ranging from “detectable in a perhaps irrelevant calibration case study” to “an amount of damage so that everyone dies” to “a difference of 640-fold.” None of the 5 “significants” refer to “statistical significance;” such wordplay may suggest that a formal statistical analysis has been done.

@wotsits
Wait until you find a smart guy with no hard disk and booting from a CD/DVD to a ramdisk …
… now that would be really suspicious…

jaclaz

What would the approach be in the scenario @jaclaz mentions? would it even be possible to prove such a set up had even happened?

ReplyQuote

jaclaz

(@jaclaz)

Illustrious Member

Joined: 18 years ago

Posts: 5133

30/05/2020 9:39 am

https://en.wikipedia.org/wiki/Evidence_of_absence

jaclaz

ReplyQuote

Anonymous 6593

(@Anonymous 6593)

Guest

Joined: 17 years ago

Posts: 1158

30/05/2020 10:44 am

Not sure if it's entirely relevant any more, as the thread is so old, but ... in this case I would be interested in:

How does the system boot? Is this 'empty' Windows environment at the top of the boot list, or is just what gets booted if no of five other boot alternative works?

Is PXE booting on the boot-order list? Does the system allow PXE booting from user-selected boot key, or only from the boot-order list? (that is, can the user select PXE with some F8-like boot option key?)

Does BIOS/UEF/etc. allow for MAC address reconfiguration? Or is something more heavyweight required for that?

If the laptop was used by a technician as a tool in an environment where PXE booting (or similar technical solution) was used, I'd expect something like this kind of set-up. Boot priority list would be at least a) PXE boot, b) local Windows or other environment where MAC address could be changed easily for testing and troubleshooting of PXE boot code delivery.

And in such environment, DHCP and PXE server logs would probably be the first things to check, followed by a check of what the booted environment actually is. (It might still exist on a SAN somewhere.)

ReplyQuote

Page 3 / 3 Prev

8 Forums
15.7 K Topics
92.3 K Posts
260 Online
41.1 K Members

Forum Icons: Forum contains no unread posts Forum contains unread posts

Topic Icons: Not Replied Replied Active Hot Sticky Unapproved Solved Private Closed