Thursday, February 16, 2012

A Case Experience

Last week I had the opportunity to go to Denver to present a CLE presentation I created called "The eDiscovery Roadmap: From Planning to Production."  (Don't fear, fellow forensicators, I'm not changing the focus of my blog... this is just an exposition.)  Overall, I think it was a success.  The main metric to determine this was embarrassing moments divided by time spent on stage, and since I only tripped over my heels once, the math definitely works in my favor.  But apart from getting to lecture to a crowd of lawyers and paralegals trapped enthralled for two whole hours, one of the most interesting experiences came after the presentation was over, when I got to read the feedback from attendees.  Time and again, the "favorite part" of the presentation was listed as my "Tales From the Trenches," when I took a few minutes after each phase to tell applicable eDiscovery war stories. 

"Tales From the Trenches"

Of course, I'd like to think that this was because of my impeccable story telling.  Just look at some of the titles:  "The Eager Attorney and the Hard Drive of Doom"; "The Search Term That Wouldn't Cull"; and, my favorite, "The Ineluctable Modality of the PDF".  But once I finished fantasizing about adding "Master Storyteller" to my list of accomplishments, I had to acknowledge that there was probably more to it than my wordsmithing.  Whatever you call them - war stories, case studies, investigation experiences - there is a lot of value to learning problems others have faced, and how those problems were dealt with. 

Harlan Carvey (without whom I would likely never have new ideas for my blog) started another interesting discussion on the Win4n6 forums this week about sharing case studies within the field.  I'll be the first to admit my reluctance in the past about inadvertently disclosing sensitive material, but when I really thought about it, I feel that there are definitely ways to contribute without crossing, or even getting close to, that line.  Corey Harrell coined the phrase "Case Experience" to differentiate these shorter, more sanitized communications from "Case Studies", which implies a more complete picture.  Yes, I can share case experiences without guilt, and hopefully, I'll even pass on something.  It may even be insight.  Or knowledge.  Or something good.  No antibiotics needed.

And so, without further ado, I present GU's Case Experience #1.

Case Experience
Working Title:  The Difference a Minute Makes

Standard disclosure:  This represents a targeted investigation, and not all portions of the exam will be discussed.  Please don't take this as SOP.  Also, my set of tools has been evolving, but steps I mention should be able to be performed with a variety of different tools.

EnCase v.6.18

Possible data spoliation.  The client requested an investigation that looked into data deletion on a Windows XP system within a specific time frame.  The system in question had been in use for a couple months after the time of interest.  The end result was a report that detailed recovered files of interest and a timeline of events.

Investigation Plan:
Recycle bin analysis
File recovery using EnCase
File carving using PhotoRec
Analysis of carved files on system for context
Search for data deletion software
Registry and restore point analysis
Timeline generation

Actual Investigation:
The scene:  Me smoking a cigar in a shadowy room with my feet on the desk, looking debonair.  While recovering the deleted files was of great interest to the client, what makes this case stand out to me is what I found on the system regarding a program called CCleaner.  Many of you are likely familiar with it, and have come across it in your cases (in fact, Cheeky4n6Monkey has some great posts about pulling artifacts relating to CCleaner using a RegRipper plugin).  It seems to crop up an awful lot in certain types of cases.  What made this one interesting was the reconstruction of events found in restore point registry hives.  Luckily for me, though the computer had been in use for quite a while after the timeframe of interest, the restore points for the timeframe were still present. 

I could see that the registry entries showed CCleaner being installed on the system a couple years before the timeframe of interest.  Even better, after tracking down RPs for specific dates, and determining the proper user, the keys showed that CCleaner.exe had been run on the system by the user in the "hot zone".  Bingo!  But wait... it wasn't quite as clear as that.  You see, a good minute after CCleaner.exe was run, a CCleaner installer file called ccsetup###.exe was run, with no indications that CCleaner.exe was run again after the installation.  So, was CCleaner simply updated but not run?  Or could it have been run after the installer without updating the registry entry?

I had come across CCleaner enough in the past to know that the program will check for an updated version of the software and ask the user if they want to download it if one is available.  So it didn't come as a surprise that an installer file would be run soon after executing the program.  The question became: if CCleaner was run after the installer, what changes, or lack of changes, would occur in the registry? 

It was time to stop speculating, and start researching.  I used a Windows XP machine that had CCleaner already installed.  Upon firing up the program, I was indeed prompted to update the software.  Following the update, I used the default option to start CCleaner automatically, and then ran the default CCleaner process on the system.  Following the run, I examined the test registry hives to see what sort of information was present.  The test system registry hives mimicked the investigated system:  though CCleaner had been run following the updated installer file, the registry just reflected the initial execution of the program. 
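As an added illustration (not the author's code or tooling), assuming the execution evidence came from the XP-era UserAssist values in the restore-point NTUSER hives (the post does not name the key): this decodes the ROT13 value names and 16-byte values (session, run count offset by 5, last-run FILETIME) into a per-executable timeline on constructed sample data, so the one-minute gap between CCleaner.exe and the installer can be measured rather than eyeballed. The value names and timestamps are constructed, and the installer version in the file name is a placeholder.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-ns ticks since 1601-01-01 UTC
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft: int) -> datetime:
    return _FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt: datetime) -> int:
    d = dt - _FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def parse_xp_userassist(name: str, data: bytes) -> dict:
    """One XP UserAssist value: ROT13 name; data = <session:4><count:4><FILETIME:8>.
    On XP the stored count starts at 5 for the first run, so subtract 5."""
    if len(data) != 16:
        raise ValueError("expected 16-byte XP UserAssist data")
    session, raw_count, ft = struct.unpack("<IIQ", data)
    return {
        "path": codecs.decode(name, "rot13"),
        "session": session,
        "run_count": max(raw_count - 5, 0),
        "last_run": filetime_to_datetime(ft) if ft else None,
    }

def build_timeline(values: dict) -> list:
    """values maps encoded value name -> raw data; returns RUNPATH entries sorted by last run."""
    rows = [parse_xp_userassist(n, d) for n, d in values.items()]
    rows = [r for r in rows if r["last_run"] and r["path"].upper().startswith("UEME_RUNPATH:")]
    return sorted(rows, key=lambda r: r["last_run"])

def seconds_between(timeline: list, exe_a: str, exe_b: str) -> float:
    """Seconds from the last run of exe_a to the last run of exe_b (matched on file name)."""
    by_exe = {r["path"].rsplit("\\", 1)[-1].lower(): r for r in timeline}
    return (by_exe[exe_b.lower()]["last_run"] - by_exe[exe_a.lower()]["last_run"]).total_seconds()

def _encode(name: str, session: int, raw_count: int, dt: datetime):
    # Builds a value the way the hive stores it; used only to construct sample data
    return codecs.encode(name, "rot13"), struct.pack("<IIQ", session, raw_count, datetime_to_filetime(dt))

# Constructed sample hive values; "ccsetupNNN.exe" is a placeholder for the installer version
T0 = datetime(2011, 6, 15, 14, 2, 30, tzinfo=timezone.utc)
SAMPLE = dict([
    _encode(r"UEME_RUNPATH:C:\Program Files\CCleaner\CCleaner.exe", 7, 5 + 12, T0),
    _encode(r"UEME_RUNPATH:C:\Documents and Settings\user\Desktop\ccsetupNNN.exe", 7, 5 + 1, T0 + timedelta(minutes=1)),
    _encode(r"UEME_RUNPATH:C:\WINDOWS\system32\notepad.exe", 7, 5 + 3, T0 - timedelta(days=2)),
])
```

Running build_timeline over the same value names from two restore points (before and after the installer) is the comparison the post's test boils down to: an unchanged count and timestamp for CCleaner.exe is itself the finding.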

Moral of the Story
Now, I don't expect that this is an earth-shattering revelation.  I guess the real point that I want to make is the importance of testing when questions are raised or anticipated.  In this case, there were questions, and I had the ability to confidently say "I tested the process and the data is consistent."  There are so many variables on systems that testing should be commonplace.  You don't need a plethora of extra equipment to do it, either.  Run some virtual machines, have a few baseline setups you can use, and take the time to experiment.


  1. Nice work! Always helpful to hear how someone has approached a problem. More please!
    Also, thanks for the shoutout and adding me to your blog list.

    1. No thanks necessary... love reading your blog!

  2. Nice post! I love hearing stories from the trenches. I too had run ins with CCleaner in my E-Discovery days. One such event was when I had to prove that CCleaner could be used as a wiping tool. My only issue at the time was the fact that the CCleaner version installed on the machine was no longer available for download. Sometimes hard drives can sit for some time before we get them. When you run your tests do you try to use the same version of the program or just verify that the option was available in the version that is installed? In the end I was able to show that wiping free space was an option in the installed version and it was selected on several systems.

    Also anyone looking to get into virtualization should try VirtualBox. It is my favorite price (free).

    1. For the registry test I described above I followed the steps of updating to the most recent version to mimic (as much as possible) what the user would have done, so the installed version was not the same as the suspect version in question. However, you do raise a good point - versions of programs are important when testing! In this case, though I didn't install the same version in the timeline experiment, it was available to download, and I did do other testing on the older version present on the system in question.

    2. What I've found helpful in the past to find older versions of software is, though I'm not sure if CCleaner is available.

      Btw just discovered your blog and love it. Keep up the great work!

  3. Great post. I have been looking at CCleaner as well. Here is a link to a YouTube video from Mr. Excel to link the SmartArt to the cells. It helps to automate the process, if you need to enter a large amount of data into the SmartArt. Thanks again.

    1. Awesome. Thanks for including the link for smart art. It's definitely nice, with the added bonus of not having to pay extra for timeline software.

  4. Google returns quite a few entries for CCleaner portable app. Being a noob myself, wonder how one would know that was run...

    1. Only one way to find out... I think this calls for a test. =)

    2. "Windows Registry Forensics" provides a number of tools that can be used in such a test, and WFAT3e has an entire chapter on application testing that may be helpful.

    3. @Keydet89 I have my copy of WFAT3e before me now. I haven't had time to finish the whole thing (though I've jumped to a few spots I was extra excited about, like Jump Lists), and am excited to finish reading and getting new tools and procedures lined up.
      I need to track you down at another conference and make you sign it. :)

  5. Thanks for sharing! I will share the results with the CCleaner portable app. Your demo had an interesting "display" around what appeared to be a ppt? Please explain :)
    br, mitch