Is there an EnCase Enscript or software out there that determines if a wiping software has been used on a system?
Not that I am aware of…I think that your best bet is to look for artifacts (e.g. registry, logs, prefetch) relevant to the presence of wiping software, then do some testing on that software to help form your opinion that wiping has occurred.
It may also be useful to look for the obvious to see what programs are installed or potentially have been installed in the past (doing some simple searching may also assist in this) - you can then look to see if it is possible to obtain details of the settings of the software to determine if there is any clues about when it may have last been run and what it was potentially used to clear. It may give you a good place to start your research for specific artefacts.
In addition to mjantal's suggestions you may also wish to take a look at the file table - some wiper will create odd specific date and time entries or filenames when filetable items are overwritten. Also possible file extensions attributed to temporary files created when wiping has occurred. However, all behaviour will be specific to the wiper software being used (and its version) and possibly the OS version. so you may wish to start your investigation by establish if there is any evidence of a any particular product being installed.
Sam
Have you attempted to "recover folders"? I've had luck finding the wiping program files folder because it was deleted post wiping leaving the artifacts on the disk.
Other than that I'm onboard with mjantal & samr
No there is no enscript for this often asked question.
The best answer to this is, regardless of the forensic software, how would you determine this manually?
Hint it's got nothing to do with analyzing patterns in sectors or recovering folders, it's all about recreating end-user activity.
Assuming Windows….
1. Check prefetch for applications that have been run
2. Check the UserAssist keys in the registry for applications that have been run. Include recovering NTUser.dat files from the System Restore area (assuming XP) or Volume Shadow (assuming Vista and up).
3. Review LNK files, Browser history (file// links) and Shellbags for files and folders accessed.
What you are looking for in the above is any one of the numerous wiping applications that may have been installed or merely run.
You can also try to analyze deleted files looking for a large number of randomly named files which Encase is reporting as being overwritten or having an invalid cluster. Some wiping tools will leave the wiped files in this state. If a wiping tool was used and the user configured it to use the same pattern of characters over and over to wipe, then you can look for identical characters filling up large areas of data (multiple sectors or clusters in a row).
Realize that anything you do find will need to be backed up by extensive testing to verify that the evidence you are viewing supports any theory or opinion you may present.