
Where to look?

(@randomdude)
Posts: 4
New Member
Topic starter
 

I am quite interested in data recovery and secure data removal. What I would like to know is, when looking for "evidence", what are the best places to look on a Windows box? Pagefile? Thumbs.db? Registry (where)? Metadata from things like .doc's, .pdf's etc?

 
Posted : 14/07/2006 8:19 pm
 koko
(@koko)
Posts: 21
Eminent Member
 

Doesn't sound to me like you're really in our biz. This is a strange, vague question.

 
Posted : 14/07/2006 9:48 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

RD,

Where to look depends on what you're looking for.

I've done investigations where I've extracted user activity from the Registry and built a timeline, then compared that against the contents of the Prefetch directory.

Like others, I've also perused the user's Internet activity.

Also, don't forget RAM from a live system…

Harlan

 
Posted : 15/07/2006 3:21 am
(@mindsmith)
Posts: 174
Estimable Member
 

Dude,

What exactly are you looking for? For each type of evidence one would look at a number of common areas for artefacts, but also, depending on the type of evidence sought, one may pay special attention to certain key areas such as Internet activity, or P2P file sharing, etc.

Where the luxury of time permits, I look at everything to build a better 'profile', and also in some cases when asked to look for any other evidence of wrongdoing. Assume nothing, examine & analyze everything.

Whilst people themselves may lie or deceive, their computers seldom, if ever, do.

RD, care to share what it is you're looking for, or worried others may be looking for? Be advised that most evidence elimination-type tools seldom do much to actually remove 'evidence' to the point where it becomes irrecoverable, despite what the vendor's marketing lit may say…

 
Posted : 15/07/2006 10:30 pm
(@randomdude)
Posts: 4
New Member
Topic starter
 

I'm not looking for anything in particular, I guess I just need a nudge in the right direction of where to start first.

 
Posted : 15/07/2006 11:31 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Well, the nudge in the right direction is to figure out what it is you're looking for. Seriously.

I'll give you an example. I looked at a case once where a guy had been arrested for soliciting a minor. His employer wanted to be sure that he hadn't used his corporate laptop for any untoward activities, so I had to figure out where to look. The thing was, if I found any illicit images of kids, I had to turn the laptop back over to the client, and recommend that they call the cops.

So, I started with keyword searches and file signature analysis to get a general feel for what I was dealing with. After that, I dove right into the Registry…I wanted to see what the user had been doing. There are places in the Registry that act as a sort of log file of user activity. I compared what I found against the Prefetch directory, and checked his Recycle Bin entries, etc.

Now, if I were tracking down malware, and all I had was an image, then I'd be interested in other areas of the Registry and file system.

That isn't to say that some areas aren't used as evidence, but based on the type of thing you're looking for, some areas are more likely to turn up interesting tidbits than others.

Keep an eye out next spring…my next book will be published then, and you'll get a very interesting view of where to look for evidence.

h

 
Posted : 16/07/2006 3:56 pm
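The two first-pass steps Harlan describes above (file signature analysis, then comparing Registry-derived user activity against the Prefetch directory) can be sketched as a small triage script. The following is an added example written for this page, not code posted by any participant in the thread: the file headers, Registry entries and Prefetch times are constructed sample data, and the script assumes the Registry and Prefetch values have already been exported by a parser of your choice (it does not read hive files or .pf files itself). The signature table holds well-known magic numbers; the program names and key names in the sample data are illustrative.

```python
"""First-pass Windows triage: signature-vs-extension check and a merged
Registry/Prefetch timeline. Added example; all inputs are constructed."""
from datetime import datetime

# Well-known leading bytes for a few common file types.
MAGIC = {
    b"\xFF\xD8\xFF": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"%PDF": "pdf",
    b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1": "doc",  # OLE2 compound file (legacy Office)
    b"PK\x03\x04": "zip",
}


def sniff_type(header: bytes):
    """Return the type implied by the file's leading bytes, or None if unknown."""
    for sig, kind in MAGIC.items():
        if header.startswith(sig):
            return kind
    return None


def signature_mismatches(files):
    """files: iterable of (name, header_bytes).
    Returns (name, extension, sniffed_type) for every file whose extension
    disagrees with its magic number, the classic sign of renamed content."""
    found = []
    for name, header in files:
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        kind = sniff_type(header)
        if kind is not None and kind != ext:
            found.append((name, ext, kind))
    return found


def build_timeline(registry_events, prefetch_events):
    """Merge both sources into one list sorted by time.
    registry_events: (timestamp, key_name, program)  e.g. exported UserAssist/MRU data
    prefetch_events: (timestamp, program)            last-run time per .pf file
    Each row is (timestamp, source, program, key_name)."""
    rows = [(ts, "registry", prog, key) for ts, key, prog in registry_events]
    rows += [(ts, "prefetch", prog, "") for ts, prog in prefetch_events]
    rows.sort(key=lambda r: r[0])
    return rows


def uncorroborated_prefetch(timeline):
    """Programs that ran (per Prefetch) but left no Registry activity entry.
    These are worth a closer look: the Registry 'log' and Prefetch should
    normally tell the same story."""
    seen_in_registry = {r[2].lower() for r in timeline if r[1] == "registry"}
    return sorted({r[2] for r in timeline
                   if r[1] == "prefetch" and r[2].lower() not in seen_in_registry})


# Constructed sample data (not from a real case).
SAMPLE_FILES = [
    ("report.doc", b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 8),
    ("holiday.jpg", b"\xFF\xD8\xFF\xE0\x00\x10JFIF"),
    ("notes.txt", b"\xFF\xD8\xFF\xE1\x00\x18Exif"),  # a JPEG renamed to .txt
    ("readme.txt", b"plain text, no signature"),
]
SAMPLE_REGISTRY = [
    (datetime(2006, 7, 10, 9, 2), "UserAssist", "WINWORD.EXE"),
    (datetime(2006, 7, 10, 9, 30), "RecentDocs", "IEXPLORE.EXE"),
]
SAMPLE_PREFETCH = [
    (datetime(2006, 7, 10, 9, 3), "WINWORD.EXE"),
    (datetime(2006, 7, 10, 11, 45), "CLEANER.EXE"),  # hypothetical wiper name
]


def main():
    for name, ext, kind in signature_mismatches(SAMPLE_FILES):
        print(f"signature mismatch: {name} has .{ext} but looks like {kind}")
    timeline = build_timeline(SAMPLE_REGISTRY, SAMPLE_PREFETCH)
    for ts, source, prog, key in timeline:
        print(f"{ts:%Y-%m-%d %H:%M}  {source:9s} {prog:14s} {key}")
    for prog in uncorroborated_prefetch(timeline):
        print(f"ran per Prefetch, no Registry trace: {prog}")


if __name__ == "__main__":
    main()
```

The point of the last check mirrors mindsmith's remark about evidence-elimination tools: a wiper that cleans the Registry still tends to leave its own execution behind in Prefetch, and the mismatch between the two sources is itself a lead.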