Need help finding deleted program data.


pizzmor
Member
 

Need help finding deleted program data.

Posted: May 11, 12 03:29

Ok, so here is my dilemma. I am working a case using FTK 3.3 on a 64-bit install of W7 Pro. The guy I am investigating was an IT supervisor at my agency and has since resigned, so I don't have access to him for another interview; he had some skills above the usual user.

I was hitting the usual registry locations and found a regedit command in the runmru of the NTUSER.DAT file, so I know he was editing the registry before we were able to get his laptop out of his possession. He also cleared all of his temp. internet and other internet related cache locations, so that is a lost bit for me.

Now the accusation here is that he was converting native files to .pdfs that a contractor was supposed to have been converting, and getting kickbacks from the contractor. I have located several .exe command files carved from unallocated space showing "xyzprogram.exe" and some associated .dll files, but not much else.

So I guess my question here is: without knowing exactly what this guy did before we got to his machine, what else is there to find showing proof that a program was installed and used for its specific purpose, which in this case was a .pdf conversion program?

Any and all help is appreciated. Thanks in advance.  
 
  

Passmark
Senior Member
 

Re: Need help finding deleted program data.

Posted: May 11, 12 08:31

Can you get a copy of one of the PDF files from the contractor, or from E-mail?

Inside the PDF file there will be document meta data that will probably tell you which tool was used to create the PDF file. Would be even funnier if the PDF was signed. In some cases you can also get the name of the original source document.

Then you'll know what tool you are looking for. But note that newer versions of Word can directly create PDF files, as can the Chrome browser and several other apps. So maybe the tool used is in plain sight?

Once you know the tool used, you can setup a clean VM, install the tool, use the tool, uninstall the tool, then do a before and after comparison of the registry and the file system to work out what files are left sitting around. There are almost always files or registry entries left over after doing an uninstall.  
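Passmark's first suggestion, as an added example that is not part of the thread: a small Python parser that pulls the Producer, Creator, Title and CreationDate out of a PDF's /Info dictionary, handling literal strings with escapes, hex strings with a UTF-16BE BOM, and PDF date stamps with a zone offset. The PDF bytes, tool names and dates are constructed, not from the case.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed minimal PDF (not from the case); /Info holds Producer/Creator.
SAMPLE_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Title <FEFF007200650070006F00720074002E0064006F00630078>
/Producer (PrimoPDF 5.1 \\(www.primopdf.com\\)) /Creator (Microsoft\\251 Word 2010)
/CreationDate (D:20120430130622-05'00') >> endobj
trailer << /Root 1 0 R /Info 3 0 R >>
%%EOF
"""
STRING = rb"\((?:[^()\\]|\\.)*\)|<[0-9A-Fa-f\s]*>"   # literal (..) or hex <..>

def _unescape(m):
    if m.group(1):                              # octal escape such as \251
        return bytes([int(m.group(1), 8) & 0xFF])
    g = m.group(2)
    return {b"n": b"\n", b"r": b"\r", b"t": b"\t"}.get(g, g)

def decode_string(tok):
    """Decode one PDF string token to str (UTF-16BE if it carries a BOM)."""
    if tok.startswith(b"<"):
        raw = bytes.fromhex(re.sub(rb"\s", b"", tok[1:-1]).decode())
    else:
        raw = re.sub(rb"\\(?:([0-7]{1,3})|(.))", _unescape, tok[1:-1])
    if raw.startswith(b"\xfe\xff"):
        return raw[2:].decode("utf-16-be")
    return raw.decode("latin-1")                # close enough to PDFDocEncoding

def parse_pdf_date(s):
    """'D:YYYYMMDDHHmmSS-HH'mm'' -> aware datetime; no zone means UTC."""
    m = re.match(r"D:(\d{14})([+\-Z])?(\d{2})?'?(\d{2})?", s)
    dt = datetime.strptime(m.group(1), "%Y%m%d%H%M%S")
    sign = -1 if m.group(2) == "-" else 1
    off = sign * (int(m.group(3) or 0) * 60 + int(m.group(4) or 0))
    return dt.replace(tzinfo=timezone(timedelta(minutes=off)))

def pdf_info(data):
    """Return the /Info dictionary of a PDF as {key: str | datetime}."""
    ref = re.search(rb"/Info\s+(\d+)\s+(\d+)\s+R", data)
    num, gen = int(ref.group(1)), int(ref.group(2))
    obj = re.search(rb"(?<!\d)%d %d obj(.*?)endobj" % (num, gen), data, re.S)
    info = {}
    for k, v in re.findall(rb"/(\w+)\s*(" + STRING + rb")", obj.group(1)):
        key, val = k.decode(), decode_string(v)
        info[key] = parse_pdf_date(val) if key.endswith("Date") else val
    return info
```

Real-world PDFs may store /Info inside a compressed object stream or carry XMP metadata instead, in which case a full PDF library is needed; the regex approach here covers the plain uncompressed case.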
 
  

kwokhong
Member
 

Re: Need help finding deleted program data.

Posted: May 11, 12 09:09

How about searching for install.log files? I'm not sure if this will be deleted after the user uninstalls the program.  
 
  

cedricpernet
Member
 

Re: Need help finding deleted program data.

Posted: May 11, 12 10:57

Don't forget to check the Volume Shadow Copy, if it exists on the system.  
 
  

pizzmor
Member
 

Re: Need help finding deleted program data.

Posted: May 11, 12 13:35

Fantastic, thanks all.  
 
  

keydet89
Senior Member
 

Re: Need help finding deleted program data.

Posted: May 11, 12 16:57

- pizzmor
Ok, so here is my dilemma. I am working a case using FTK 3.3 on a 64 bit install of W7 pro. The guy I am investigating was an IT supervisor at my agency and has since resigned, so I don't have access to him in terms of another interview, so he had some skills above the usual user.


Okay, good stuff to know. More importantly, you included the OS being analyzed.

- pizzmor

I was hitting the usual registry locations and found a regedit command in the runmru of the NTUSER.DAT file, so I know he was editing the registry before we were able to get his laptop out of his possession.


Within the same file (NTUSER.DAT) there is an Applets key, which will likely contain a subkey for RegEdit, which may contain a value that points to the last Registry key that the user accessed before closing RegEdit.

Within the HKCU\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit key, look for the "LastKey" value.

- pizzmor

He also cleared all of his temp. internet and other internet related cache locations, so that is a lost bit for me.


Given what you're interested in, that may not be an issue.

- pizzmor

Now the accusation here is that he was converting native files to .pdf's that a contractor was supposed to have been converting and getting kickbacks from the contractor. I have located several .exe command files carved from unallocated space showing "xyzprogram.exe" and some associated .dll files, but not much else.


When you say, "native files", what are you referring to?

One way to convert files to PDF is through the use of a PDF Printer, such as PrimoPDF.

- pizzmor

So I guess my question here is without knowing exactly what this guy did before we got to his machine, what else is there to find showing proof a program was installed and used for its specific purpose, which in this case was a .pdf conversion program.


Well, there are a couple of things available to you...

1. Look for installed programs, particularly via the Registry. RegRipper has a number of plugins available for this, in particular, uninstall.pl.

2. If you suspect that the user may have deleted programs from the system, then check the Registry hive files for deleted keys and values. One way to do this is using regslack, which I talked about on yesterday's SANS webcast. Another is TZWorks's yaru tool...it's graphical, but it indexes the hive file and will show you deleted keys that were recovered.

3. Since you're on a Win7 system, I'm more than just a bit surprised that you haven't checked the Jump Lists. One thing you could do is use JumpLister (from woanware.co.uk) to open each of the JumpLists in the AutomaticDestinations directory within the user profile, and map each of the Application IDs (the first part of the file name) to the specific application. In my experience, these JumpLists are created and maintained by the system, and will persist even after the application is deleted or removed.

4. Given what you've said about the user's abilities, I'd consider searching for the use of a counter-forensics tool, such as CCleaner. I'd look in the user's NTUSER.DAT hive at the UserAssist subkey entries (via RegRipper), as well as in the Application Compatibility Cache key within the System hive (Mandiant just released a Python script to assist you with this).

5. I'd consider creating a timeline of system activity, starting with the file system metadata, and adding Windows EventLog data, Prefetch file metadata, Registry key LastWrite times (as well as specific values that contain time stamps), Jump List metadata, etc. I would then use anything and everything I found in steps 1-4 as pivot points from which to begin a detailed investigation of the timeline.

HTH  
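Step 5 of keydet89's list, as an added example that is not part of the thread: a Python sketch that normalises records from several artifact sources (file system metadata, Registry LastWrite, Prefetch, Event Log) into one sorted timeline and then pivots on a keyword, pulling in neighbouring events that do not mention it. The FILETIME conversion is the real Windows epoch arithmetic; every path, timestamp, run count and message is constructed.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=UTC)

def filetime_to_dt(ft):
    """Windows FILETIME (100-ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def parse_iso(s):
    """'YYYY-MM-DDTHH:MM:SSZ' -> aware UTC datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)

# Constructed sample records (hypothetical paths, times and counts), one list
# per artifact source; each source arrives in its own timestamp format.
MFT_ROWS = [  # (ISO UTC, MACB action, path)
    ("2012-04-30T13:02:11Z", "created", r"C:\Users\jdoe\Downloads\xyzprogram_setup.exe"),
    ("2012-04-30T13:05:40Z", "created", r"C:\Program Files\XYZ\xyzprogram.exe"),
    ("2012-05-09T17:40:02Z", "modified", r"C:\Users\jdoe\NTUSER.DAT"),
]
REG_ROWS = [  # (FILETIME LastWrite, key path)
    (129802647580000000, r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\XYZ"),
]
PREFETCH_ROWS = [  # (FILETIME last run, .pf name, run count)
    (129804237000000000, "XYZPROGRAM.EXE-1A2B3C4D.pf", 7),
]
EVTX_ROWS = [  # (ISO UTC, event id, message); 11707 is MsiInstaller "install completed"
    ("2012-04-30T13:05:41Z", 11707, "Product: XYZ PDF Converter -- Installation completed successfully."),
]

def build_timeline():
    """Normalise every source to (datetime, source, description), oldest first."""
    events = [(parse_iso(ts), "MFT", f"{act} {path}") for ts, act, path in MFT_ROWS]
    events += [(filetime_to_dt(ft), "Registry", f"LastWrite {key}") for ft, key in REG_ROWS]
    events += [(filetime_to_dt(ft), "Prefetch", f"last run {pf} (run count {n})")
               for ft, pf, n in PREFETCH_ROWS]
    events += [(parse_iso(ts), "EventLog", f"EID {eid}: {msg}") for ts, eid, msg in EVTX_ROWS]
    return sorted(events, key=lambda e: e[0])

def pivot(timeline, keyword, window=timedelta(minutes=5)):
    """Every event within `window` of any event mentioning keyword (case-insensitive)."""
    hits = [ts for ts, _, desc in timeline if keyword.lower() in desc.lower()]
    return [e for e in timeline if any(abs(e[0] - h) <= window for h in hits)]

if __name__ == "__main__":
    for ts, src, desc in pivot(build_timeline(), "xyzprogram"):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {src:<9} {desc}")
```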
 
  

pizzmor
Member
 

Re: Need help finding deleted program data.

Posted: May 12, 12 03:49

Thanks Keydet for the great response. I will try what you have suggested. I need to spend more time on here for sure.
 

Page 1 of 2