List:       forensics
Subject:    Possible remnants of wiping .. Solved!
From:       "Mark G. Spencer" <mspencer () evidentdata ! com>
Date:       2003-07-14 21:44:30
Over the last couple days I had been running some wiping applications
against dummy images and reviewing the remnants they left behind.  Some
looked very close (BCWipe) but none looked close enough for my satisfaction.

After combing through the registry (again), I noticed a reference to
"East-Tec" .. Turns out East-Tec has a product called "Eraser 2003."  There
were very few remnants containing "East-Tec" or "Eraser" on the suspect's
hard drive (shelliconcache, ntuser.dat), but enough to know that it was at
one time installed.

I ran Eraser 2003 against my dummy image and reviewed the drive.  There were
a series of deleted .WIP files with 1 GB+ file sizes, the sum of which was
nearly equivalent to the free space on my dummy drive.  Going back to the
suspect drive, I see the .WIP files correspond to the suspect's free space in
the same fashion.

I have submitted the .WIP file extension information to www.filext.com in
the event anyone else runs into this.

On a side note, the Initialize Case EnScript for EnCase came in useful here
as well.  Taking a quick look through the registry keys this script mounts
resulted in finding drivers installed for two different USB devices I had
not known about earlier.  I wouldn't be surprised to find Eraser 2003 on one
of them, if I ever find the devices.  ;)

Mark G. Spencer
Computer Forensics Examiner
EvidentData, Inc.
Phone: 909.948.7714
Direct Fax: 508.256.0463
Office Fax: 909.948.4365
Web: http://www.evidentdata.com   
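As an added example (not code from the original post or from the Eraser product), the two checks described above can be turned into a small, repeatable triage script: a keyword sweep for the vendor and product names over raw bytes (registry hives such as ntuser.dat store string values as UTF-16LE, so both encodings are searched), and a test of whether the deleted large .WIP files on a volume add up to roughly its free space. The file records, free-space figure and byte blob below are constructed sample data; the 90 % threshold and the 1 GiB minimum size are assumptions chosen to match the post's observation, not values from any tool.

```python
from dataclasses import dataclass

GIB = 1024 ** 3
MIB = 1024 ** 2


@dataclass
class FileRecord:
    """One entry from a directory/MFT listing as a forensic tool would export it."""
    name: str
    size: int        # bytes
    deleted: bool


def wipe_residue_stats(records, free_space_bytes, ext=".wip", min_size=GIB):
    """Sum the deleted files with the given extension at or above min_size.

    Returns (count, total_bytes, ratio) where ratio is total_bytes divided by
    the volume's free space; a ratio near 1.0 matches the pattern in the post
    (the wiper filled free space with large temporary files, then deleted them).
    """
    matches = [
        r for r in records
        if r.deleted and r.name.lower().endswith(ext) and r.size >= min_size
    ]
    total = sum(r.size for r in matches)
    ratio = total / free_space_bytes if free_space_bytes else 0.0
    return len(matches), total, ratio


def looks_wiped(records, free_space_bytes, threshold=0.9):
    """True when deleted .WIP residue covers at least `threshold` of free space (assumed cut-off)."""
    count, _total, ratio = wipe_residue_stats(records, free_space_bytes)
    return count > 0 and ratio >= threshold


def keyword_hits(blob, keywords=("East-Tec", "Eraser")):
    """Case-insensitive search for each keyword in ASCII and UTF-16LE form.

    Returns a sorted list of (offset, keyword, encoding). bytes.lower() only
    folds ASCII letters, which is exactly what both encodings need here.
    """
    hits = []
    low = blob.lower()
    for kw in keywords:
        for enc in ("ascii", "utf-16-le"):
            needle = kw.lower().encode(enc)
            start = 0
            while True:
                idx = low.find(needle, start)
                if idx < 0:
                    break
                hits.append((idx, kw, enc))
                start = idx + 1
    return sorted(hits)


# --- constructed sample data (not from any real case) ---------------------
SAMPLE_FREE_SPACE = 9 * GIB + 512 * MIB          # 9.5 GiB free on the dummy volume
SAMPLE_RECORDS = (
    [FileRecord(f"~wip{i:03d}.WIP", GIB, True) for i in range(8)]   # 8 x 1 GiB, deleted
    + [FileRecord("~wip008.WIP", GIB + 256 * MIB, True)]             # last chunk, deleted
    + [FileRecord("small.wip", 200 * MIB, True)]                     # below min_size, ignored
    + [FileRecord("keep.WIP", GIB, False)]                           # not deleted, ignored
    + [FileRecord("notes.txt", 4096, False)]
)
# 9.25 GiB of deleted .WIP residue against 9.5 GiB free -> ratio ~0.97

SAMPLE_BLOB = (
    b"\x00" * 16
    + b"Software\\East-Tec\\Eraser 2003"
    + b"\x00" * 8
    + "C:\\Program Files\\Eraser 2003\\eraser.exe".encode("utf-16-le")
    + b"\x00" * 16
)

if __name__ == "__main__":
    count, total, ratio = wipe_residue_stats(SAMPLE_RECORDS, SAMPLE_FREE_SPACE)
    print(f"deleted .WIP files: {count}, {total / GIB:.2f} GiB, {ratio:.1%} of free space")
    print("wiping signature:", looks_wiped(SAMPLE_RECORDS, SAMPLE_FREE_SPACE))
    for off, kw, enc in keyword_hits(SAMPLE_BLOB):
        print(f"  {kw!r} ({enc}) at offset {off}")
```

On a real image you would feed `wipe_residue_stats` the exported file list and the free-space figure reported by your forensic suite, and run `keyword_hits` over the carved hive files or the unallocated clusters; the ratio is a prompt to look closer, not proof on its own, since any large temporary files deleted in bulk produce a similar footprint.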



-----------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

