Anti-Forensics

You can use Windows Hibernate to conserve batteries, electricity, save the environment, the world and the polar bears. However, did you know that by putting your computer into “hibernation” mode you are essentially creating a snapshot of the contents of your computer’s RAM, which is saved to the root of the system drive as “hiberfil.sys” (C:\hiberfil.sys)? This means that currently running applications and other data in RAM are written to the hard disk. This is a serious privacy risk, and by not using this feature you are in effect implementing an anti-forensics technique. (The paging file, pagefile.sys, leaks RAM contents to disk in the same way and deserves the same attention.)

For example, if you happened to have been browsing the web and had not closed your web browser before choosing to hibernate, then textual strings such as the last Google search you performed or text from an open web page will be written to your hard drive as the computer “hibernates”. This makes the Windows hibernation file a great source of information for computer forensic examiners.

The Windows hiberfil.sys can also be an issue when using encryption software such as TrueCrypt. If a Windows system is placed into hibernation mode without unmounting encrypted containers or volumes, the keys used to access those containers will almost certainly still be in RAM in plain text (the volume’s master keys are what actually decrypt the data, whether or not your password itself is still in memory). RAM is then saved to the hard drive in hiberfil.sys. This means that you are leaving the keys to all of your private containers and volumes free for the finding.

Now, for some actual testing. I will leave a demonstration of TrueCrypt and hiberfil.sys for a later article. What I’ve done for this article is set up a new Windows XP system with hibernation mode enabled, as can be seen in the screenshot below.

Windows Hibernate

I then accessed Internet Explorer and performed a Google search for “how to destroy a hard drive”.

Google Search "how to destroy a hard drive"

Leaving the search engine results page open in the browser, I placed the machine into hibernation mode from the menu seen below.

Windows Hibernate

The drive was then attached to another computer as a secondary disk (over a USB bridge with write protection enabled, so nothing on it could be altered) and hiberfil.sys was extracted with FTK Imager.

hiberfil.sys

Finally, I loaded hiberfil.sys into the hex editor “HxD” and ran a string search for “how+to” (Google encodes the spaces in a query URL as plus signs) to see whether the URL of the Google search I performed was in fact stored in hiberfil.sys. Keep in mind that Windows stores most of the hibernation file as Xpress-compressed blocks, so a raw string search is opportunistic: a string survives only where the compressor emitted it as literal bytes. A tool that parses and decompresses the file first (such as the Sandman library mentioned below) gives far more complete results.

HxD hiberfil.sys

As you can see from the screenshot above, the URL of the Google search that I performed was located in hiberfil.sys.

If you use hibernation mode you are vulnerable to this sort of attack. You may inadvertently divulge trade secrets to a malicious hacker who copies your hiberfil.sys or just as easily incriminate yourself if your computer is seized and forensically examined.

You can prevent examination of this file simply by not using hibernation mode. If you insist on using the feature, you should also use full disk (system) encryption such as TrueCrypt’s, which is covered in many of the other anti-forensics articles on this website: with the whole system partition encrypted, hiberfil.sys is written inside the encrypted volume and is no more exposed than the rest of the disk. Encrypting only a container or a non-system volume does not help here, because hiberfil.sys always lives on the system drive.

You also need to be aware that data can still be dumped from RAM itself after your computer has been turned off (the “cold boot” attack). At normal operating temperatures the contents decay within seconds to a little over half a minute, depending on the hardware. If the RAM modules are cooled to around minus 50 degrees Celsius (an inverted can of compressed air will do it), the contents remain readable for minutes, and with liquid nitrogen for hours, on many types of RAM.

So, has anyone created any software to parse the data in the hiberfil.sys?

Yes, the Sandman Project (by Matthieu Suiche and Nicolas Ruff) is a library which parses the hibernation file format, including decompressing its Xpress-compressed pages. I’m sure there are others and if you know of any, don’t hesitate to leave a comment. I have not personally used the library from the Sandman Project but from what I’ve read it works fairly well.

Disable Hibernation mode on Windows XP:

  1. Right-click empty area on desktop
  2. Choose “Properties”
  3. Select the “Screen Saver” tab
  4. Click “Power…”
  5. Select the “Hibernate” tab
  6. Uncheck “Enable hibernation”

Disable Hibernation mode on Windows 7:

  1. Open “Control Panel”
  2. Click “Power Options”
  3. Click “Change plan settings” for your current power plan
  4. Click “Change advanced power settings”
  5. Expand “Sleep”
  6. Expand “Hibernate after”
  7. Enter “0” for “Setting:” to set hibernate to “Never”

Note that this only stops the machine from hibernating on a timer; the Hibernate menu entry and the existing hiberfil.sys remain. To turn the feature off completely and delete the file (on Windows 7 as well as XP), run powercfg /hibernate off from an administrative command prompt, then confirm that hiberfil.sys is gone from the root of the system drive.

OK, I wouldn’t normally promote a book unless it blew my mind in half. So far, this book written by Bill Blunden (The Rootkit Arsenal) has. It is primarily focused on rootkits, every aspect of a rootkit in fact. What I thought was really great was Blunden’s entire section on anti-forensics and computer forensics, where acquisition methods, examination methods and other techniques are explained in detail. This can give you a better idea of what forensic examiners might do and how to counter the methods they will likely employ.

This book comes in at just over 900 pages making it weigh about 300lbs. This means the book itself works great as an anti-forensics tool. You can smash flash drives, optical media, hard drives and even federal agents with this thing.

Each topic in this book is covered in depth and is full of detailed information. With a bit of coding knowledge you could create your own rootkit, bot or trojan and fully equip it with anti-forensic techniques which will make any examination costly or help hide or disguise the software from the eyes of an examiner and their reliance on automated tools.

Now you can go through a good 500 pages of the book on Google books which is what I did at first: Link

If you can’t get enough and need the physical copy, then I do recommend dropping some bones on this one. You just need time to read it. If you’re like me, working after work between sessions of more work, then you’ll need to schedule yourself an hour a day to get into this book. Perhaps longer if you’re implementing some of the methods.

From a quick Google of Bill Blunden’s name it looks like he may be speaking at CEIC 2010. Please comment if you’ve read this book or have gone through bits of it, I’d like to see what others think as well.

The Grugq has also presented on anti-forensics more recently. The video below is a presentation The Grugq gave at the Hack in the Box 2007 security conference.

In it The Grugq covers anti-forensics techniques as well as “hash”, the hacker shell he developed.

The Grugq has contributed greatly to the anti-forensics community during the course of his computer forensic and anti-computer forensic research. The video below is a presentation The Grugq gave at the Hack in the Box 2004 security conference. Apparently, The Grugq lost a job as a security consultant in the past because of his research and articles dealing with anti-forensics or, more specifically, his criticism of some computer forensics software such as The Coroner’s Toolkit by Dan Farmer and Wietse Venema.

This must-watch presentation on anti-forensics will familiarize you with Unix file system structure, common forensic tools (at least as of 2004) and some of the theory behind file system anti-forensic attacks.

The Art of Defiling Presentation – PDF

As of December 2009, the Google Chrome web browser is the world’s fourth most widely used web browser; nearly 7% of all Anti-Forensics.com visitors use it. This article covers Google Chrome search history, the artifacts and logs that Chrome creates when a Google keyword search is performed from the browser address bar, and how to delete Google Chrome history.

The Chrome web browser has a privacy mode which is referred to as “incognito” mode. This feature can be accessed by pressing CTRL + SHIFT + n with the browser in focus. Google Chrome’s incognito mode will not be covered in this article (but expect to see it soon!). The purpose of the testing carried out for this article was to see what artifacts are created when performing a Google keyword search from the address bar of the web browser, and then which of those artifacts are left behind after a fine-tuned cleaning with the CCleaner software (yes, there was evidence left behind when using CCleaner with overwriting/wiping options enabled – yikes!).

CCleaner is created by Piriform and is a popular system tune-up application for Windows which can delete temporary Internet files, application history and more. One of its great features is “secure deletion”, which makes the software deliberately overwrite the data it deletes, and, separately, “wipe free space”, which overwrites data that was deleted through normal means in the past. A single overwrite pass is sufficient to prevent recovery from a magnetic hard drive with any technology available today, which is what CCleaner was set to do during the testing for this article. (This holds for conventional hard drives; on SSDs and other flash media, wear levelling means an overwrite does not necessarily reach the cells holding the old data, so rely on encryption or the drive’s own secure-erase command instead.)

CCleaner has the ability to “wipe free space” or, more appropriately, “unallocated file space”. Unallocated file space is the area of a hard drive or other digital media which is available for new active data to be written to. On a Windows system, the standard deletion of a file simply marks the space it occupied as unallocated and free for reuse by the operating system. This means that, with the right tools, deleted data (or fragments of it) residing in unallocated file space can be recovered. A wiping program’s ability to wipe free space overwrites the data located in unallocated space, essentially destroying it and preventing recovery of anything that sat in unallocated space before the wipe ran.

To begin, a fresh and clean test environment was setup for all of the testing done in this article. The operating system used in the testing was Windows XP Professional with the Google Chrome web browser installed.

An initial search for “how to delete google history” was typed into the Chrome web browser address bar as seen in the screenshot below.

Google Chrome Initial Search

After hitting enter the search engine results page was displayed.

Google Search Results

The Google Chrome web browser was then closed in the usual fashion by clicking the “X” in the top right corner of the application title bar.

The hard drive was then examined with the EnCase suite of computer forensics tools. To start, the phrase “how to delete google history” was created as a keyword within the EnCase software.

EnCase Keyword Added

Notice that the additional option “Unicode” was selected in the screenshot. Windows and its applications store a lot of text as UTF-16LE, which is what EnCase calls “Unicode”: each ASCII character is followed by a null byte, so a plain ASCII keyword search will not match it.

This option was selected so that, in the event the search history had been written to the hard drive in this encoding, it would still be found by the EnCase keyword search.
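To make the encoding point concrete, here is an added example (my own code, not anything from the original article or from EnCase) that runs the same kind of keyword search over a raw byte buffer, looking for the phrase as ASCII, as UTF-16LE (“Unicode”), and in the URL-encoded plus-separated form that Google uses in query strings. It is the same search the HxD session over hiberfil.sys performed in the hibernation article above, and over a disk image it is the bare-bones equivalent of the EnCase keyword search. The SAMPLE buffer is constructed for the example and stands in for a slice of a memory dump or disk image:

```python
import re
import urllib.parse

# Constructed sample buffer: the search URL as ASCII, then the page title as
# UTF-16LE, padded with filler bytes on either side.
SAMPLE = (
    b"\x00" * 16
    + b"http://www.google.com/search?q=how+to+delete+google+history&ie=utf-8"
    + b"\x00" * 8
    + "How to delete google history".encode("utf-16-le")
    + b"\xff" * 8
)


def keyword_variants(phrase: str) -> dict:
    """Byte patterns one search phrase can take on disk."""
    plus = urllib.parse.quote_plus(phrase)  # "how+to+delete+google+history"
    return {
        "ascii": phrase.encode("ascii"),
        "utf16le": phrase.encode("utf-16-le"),
        "url_encoded": plus.encode("ascii"),
        "url_encoded_utf16le": plus.encode("utf-16-le"),
    }


def search_buffer(data: bytes, phrase: str, case_insensitive: bool = True) -> list:
    """Return sorted (offset, variant) hits for every encoding of the phrase."""
    flags = re.IGNORECASE if case_insensitive else 0
    hits = []
    for name, pattern in keyword_variants(phrase).items():
        for m in re.finditer(re.escape(pattern), data, flags):
            hits.append((m.start(), name))
    return sorted(hits)


def context(data: bytes, offset: int, variant: str, width: int = 48) -> str:
    """Decode the bytes around a hit in the encoding it was found in."""
    start = max(0, offset - width)
    chunk = data[start:offset + width]
    if variant.endswith("utf16le"):
        if (offset - start) % 2:  # keep UTF-16 code-unit alignment
            chunk = chunk[1:]
        return chunk.decode("utf-16-le", errors="replace")
    return chunk.decode("latin-1")


if __name__ == "__main__":
    for off, variant in search_buffer(SAMPLE, "how to delete google history"):
        print(f"{off:#08x} {variant:20s} {context(SAMPLE, off, variant)!r}")
```

Against the sample buffer only the URL-encoded ASCII form and the UTF-16LE title match; the plain ASCII phrase is nowhere to be found even though a human would say the search is obviously “in there”. That is exactly why the Unicode and URL-encoded variants have to be searched explicitly.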

A keyword search was then performed with “how to delete google history” as the only keyword selected.

EnCase Keyword Search Setup

In the screenshot above you will notice that the option to search “file slack” has been enabled. Windows XP (among other operating systems) allocates space for files in clusters on digital media such as a hard drive. Rarely will the end of a file fall exactly on a cluster boundary; the space from the end of the file to the end of its last cluster is unused by that file and is referred to as slack space. On DOS and Windows 9x the tail of the last sector was padded with whatever happened to be in memory (so-called RAM slack), which is where the idea that slack holds memory contents comes from; Windows NT-based systems such as XP pad the final sector with zeros instead.

File slack is still well worth searching, because the remaining sectors of the last cluster keep whatever was on the disk before the file was written (fragments of earlier, deleted files), and those fragments can include things like a search performed from a web browser or an instant messaging conversation.

In the following two screenshots you will see the results of the keyword search which was performed with EnCase.

EnCase Search Hits

Viewing the screenshot above you will see the first half of the search hits that EnCase was able to find for the keyword search “how to delete google history”.

Notice that there are three active files in which the search phrase appears. These are “Current Tabs”, “History”, and “Current Session”. On Windows XP these files live in the Chrome profile directory “Local Settings\Application Data\Google\Chrome\User Data\Default” under the profile of the currently logged in user account. “History” is a SQLite database; “Current Session” and “Current Tabs” are Chrome’s session-restore files.

The search phrase was also discovered in the unallocated portion of the hard drive and within a deleted file named “History Index 2009-12-journal”. The “-journal” file is SQLite’s rollback journal for Chrome’s monthly full-text history index: it holds copies of database pages as they were before a write, so it can contain history data even after the database itself has been cleaned.

The second half of the search results is viewable in the screenshot below.

EnCase Search Hits

In the second half of the search results you will notice an additional hit for the phrase within an allocated (active) file named “History Index 2009-12”.

Google Chrome gives users the options to view a detailed account of browsing history as well as previously closed browser tabs. The data in these active files is what is parsed and then displayed in an easy and human readable format by the Google Chrome web browser.
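As an added illustration that is not part of the original article, the following Python builds an in-memory stand-in for Chrome’s “History” SQLite database (only the urls and keyword_search_terms columns the example reads; the real file has many more) and pulls out the recorded omnibox searches, converting Chrome’s timestamps, which count microseconds since 1601-01-01 UTC, to readable dates. The rows are constructed sample data; open_history() shows how you would point the same query at a copy of a real History file:

```python
import datetime
import sqlite3

# Chrome stores times as microseconds since 1601-01-01 00:00:00 UTC.
CHROME_EPOCH = datetime.datetime(1601, 1, 1, tzinfo=datetime.timezone.utc)
UNIX_EPOCH_AS_CHROME_TIME = 11644473600 * 1_000_000  # 1970-01-01 in Chrome time


def chrome_time_to_datetime(us: int) -> datetime.datetime:
    return CHROME_EPOCH + datetime.timedelta(microseconds=us)


def datetime_to_chrome_time(dt: datetime.datetime) -> int:
    return (dt - CHROME_EPOCH) // datetime.timedelta(microseconds=1)


def build_sample_history() -> sqlite3.Connection:
    """Constructed in-memory stand-in for Chrome's 'History' SQLite file.

    Only the columns this example reads are reproduced; a real file has more."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE urls (
            id INTEGER PRIMARY KEY, url TEXT, title TEXT, visit_count INTEGER,
            typed_count INTEGER, last_visit_time INTEGER, hidden INTEGER);
        CREATE TABLE keyword_search_terms (
            keyword_id INTEGER, url_id INTEGER, lower_term TEXT, term TEXT);
    """)
    when = datetime_to_chrome_time(
        datetime.datetime(2009, 12, 15, 9, 30, 0, tzinfo=datetime.timezone.utc))
    con.execute(
        "INSERT INTO urls VALUES (1, ?, ?, 1, 1, ?, 0)",
        ("http://www.google.com/search?q=how+to+delete+google+history",
         "how to delete google history - Google Search", when))
    con.execute("INSERT INTO urls VALUES (2, ?, ?, 1, 0, ?, 0)",
                ("http://example.test/", "Example", when + 60_000_000))
    # keyword_id 2 is assumed to be the Google search engine entry.
    con.execute("INSERT INTO keyword_search_terms VALUES (2, 1, ?, ?)",
                ("how to delete google history", "how to delete google history"))
    con.commit()
    return con


def search_terms(con: sqlite3.Connection) -> list:
    """Omnibox search terms Chrome recorded, joined to the URL each produced."""
    rows = con.execute("""
        SELECT k.term, u.url, u.last_visit_time
        FROM keyword_search_terms k JOIN urls u ON u.id = k.url_id
        ORDER BY u.last_visit_time""").fetchall()
    return [{"term": t, "url": u, "when": chrome_time_to_datetime(ts)}
            for t, u, ts in rows]


def open_history(path: str) -> sqlite3.Connection:
    """Open a copied History file read-only (copy it first; Chrome locks the live one)."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


if __name__ == "__main__":
    for row in search_terms(build_sample_history()):
        print(row["when"].isoformat(), row["term"], row["url"])
```

The keyword_search_terms table is the interesting one for an examiner: it records the literal text typed into the address bar, separately from the resulting URL, so a search is recoverable even if the URL row is later pruned.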

As you can see, if you were the subject of a computer forensics examination it would not be hard to recover your past web browsing habits from the Google Chrome web browser. If you were to manually delete these history files without some form of wiping, the files would be easily recoverable with EnCase (or basic data recovery software), as long as they had not been overwritten through normal use of the operating system.

Now, onto preparing CCleaner for the removal of artifacts and the wiping of free space. First of all, in addition to the default settings I modified these settings which can be seen in the following screenshots.

CCleaner Secure Deletion

As seen above, I changed CCleaner’s secure deletion settings to perform a one pass wipe which will consist of over-writing data once.

I then made sure to select all of the deletion options it listed for Google Chrome under settings.

CCleaner Chrome Artifacts

I chose to modify the 24 hour history deletion setting as well as you can see below (unchecked the top option).

CCleaner Temporary Files

After running CCleaner and letting it complete its deletion and wiping I accessed the drive once again with the EnCase forensic software and performed a keyword search for the same phrase “how to delete google history”.

EnCase Search Hits After Running CCleaner

The screenshot above shows the results of the keyword search performed after running CCleaner. As you can see, it’s a bit disappointing: there are still three hits in unallocated file space for the search phrase “how to delete google history”.

Looking at the bottom pane in the screenshot you can see that I have highlighted a portion of the data which shows the full Google search URL including the keywords that were searched for. These hits came from either the previously allocated file named “History Index 2009-12” or the deleted file “History Index 2009-12-journal”. The data was not properly overwritten by CCleaner.

CCleaner did a good job of overwriting and destroying all of the other data which contained that search phrase, but it somehow neglected this data. I’m not sure why this data was skipped while the rest was wiped. One general limitation worth knowing about: free-space wipers fill the space the filesystem is willing to hand out to a new file, and on NTFS that does not necessarily include the reserved MFT zone or the space held by small files stored resident inside MFT records, so data in those places can outlive a free-space wipe.

In any case, I personally use a second piece of free software called Eraser (which has been mentioned by other readers of this blog as well) which may not have all of the fancy default options for wiping installed applications and their directories and log files but it does have a very nice unallocated file space and slack space disk wiping utility.

I set the Eraser application to perform only a single pass wipe (by default it might be set to the 35 pass wipe).

Eraser Single Pass Wipe

I then scheduled a free disk space wiping task and chose to run it.

Eraser Wipe in Progress

After the wiping operation had completed I then once again accessed the hard drive with EnCase and performed the same keyword search for “how to delete google history”. Behold the results of the search in the screenshot below.

EnCase Search Hits After Running Eraser

You’ll notice that there were no more search hits for the Google search in either plain ASCII or UTF-16 (“Unicode”). Those of you reading this article will have to understand that the methods presented here may not produce the same results on your own system. I performed one simple Google search and then erased evidence of it, all within hours of performing the search. There are many factors that could affect where history and artifacts end up on your computer that were not in play in the scenario I created.

For example, you may be running applications that back up files on your hard drive. If any of these files are included in your backups, you are just creating another active copy of the data, which CCleaner will not erase by default. Your computer may also be creating restore points, and that process might generate another copy of search history and artifacts. It’s also possible that the search I performed was stored in a different form. An example is that Google formats the search keywords as “how+to+delete+google+history” in URLs (final searches were performed for this form after the Eraser wipe and no results were found).

You’ll just need to be aware that there are many factors involved and take extra precautions when protecting your privacy. One great example of protecting your privacy would be the use of full disk encryption software. If you’re really paranoid you could also do all of your Internet browsing from a Linux live CD.

If you’ve comments, questions, concerns, criticism, or anything else, don’t be afraid to leave a comment using the form below.


How to Delete Google History – The Google Toolbar

There are many people who use the popular Google Toolbar with the Mozilla Firefox and Microsoft Internet Explorer web browsers. The Google Toolbar can be used to conduct keyword searches with the Google search engine and the toolbar will conveniently save those searches so that they can be viewed later.

Normally, to delete these searches a user will just click the “Clear History” link in the drop down search history box. However, this does not get rid of the other artifacts and remnants of the searches performed before that action. For example, search history will remain in the index.dat files that Internet Explorer uses to record browsing activity, and web pages or Google search results pages may be cached in the Temporary Internet Files folders on a Windows system. The artifacts in these files and locations are not readily visible to the average computer user, but a trained computer forensics examiner will be looking at exactly this type of history.

It’s very important to understand that by just clicking “Clear History” from the Google Toolbar, you are not protecting your privacy by erasing all evidence of your searches. What I did for this article was go through the process of setting up a new virtual environment to see just what artifacts and Google history is being created during these Google toolbar searches.

The first step I took after installing a fresh copy of Windows XP Professional was to install the Google Toolbar for Internet Explorer.

Google Toolbar Download

After installation of the Google Toolbar, you’ll notice a search box which can be used to perform Google searches.

Google Toolbar Installed

I gave the Toolbar a try and performed a search for the keyword phrase “homemade pipe bomb” like in the screenshot below. Don’t judge me on my search criteria ;) You know you’ve always wanted to make one… or if you’re on this site, maybe you already have.

Google Toolbar Search

After the search was performed I loaded up the EnCase Forensic Suite to do some keyword searches and see what artifacts were created by this simple Google Toolbar search. The most prominent result was a file created by the Google Toolbar which contains the exact search phrases typed into and searched for with the toolbar. The file is located in the “Local Search History” folder, which you can find at %USERPROFILE%\Application Data\Google\Local Search History. The screenshot below shows this Google Toolbar history file viewed from within EnCase. Notice that the bottom pane shows the contents of the file and, since I’ve only performed one unique search, there is only one entry in the file.

Google Toolbar History

After seeing this Google Toolbar history file which contains the keywords that have been searched for, I wanted to see what exactly would happen when the “Clear History” option was chosen. You will notice that this option is located in the drop down box of previous searches which can be seen in the screenshot below.

Google Toolbar - Clear History

Choosing this option will clear the search history log in the local search history directory which can be seen in the following screenshot. This screenshot was taken after the clear history option was clicked.

Google Toolbar Cleared History

However, it will not get rid of any of the other artifacts and evidence of the search. Not only is the toolbar collecting search phrases but Internet Explorer will also be caching searches, HTML pages and more which can be seen in the following screenshot.

Google Search Artifacts

You’ll notice that by just clicking the simple “Clear History” option on the Google Toolbar, you will not get rid of all of the evidence that is created when you perform a Google search. You’ll notice from the same screenshot that an Index.dat file contains an entry for the Google search and that there is an HTML file (search[1].htm) cached in the Internet Explorer web browser temporary internet files directory which if loaded in a web browser, shows the search engine results page for the “homemade pipe bomb” search.

The Firefox web browser contains its own browser caches as well which will contain similar results if the Google Toolbar for Firefox is used. To get rid of all of these extra artifacts you will need third party software which has been specifically coded to wipe these other artifacts.

Remember that when you’re using wiping software you need to have the wipe settings set to do at least a single-pass overwrite and not a normal deletion, which does not overwrite anything. You can usually set your wiping software to perform more than a single pass, but on a magnetic hard drive you’ll just be wasting your time; on flash media the pass count is beside the point, because the drive may never overwrite the cells that held the original data at all.
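Here is what a single-pass overwrite actually amounts to, as an added example (my own code, not CCleaner’s or Eraser’s) for the secure-deletion setting discussed in the Chrome article above and the single-pass advice here: overwrite the file in place with random bytes, extend the write to an assumed 4096-byte cluster boundary so the file slack is covered too, fsync, rename the file to a random name, and only then unlink it. The 4096-byte cluster size and the sample content are assumptions made for the demonstration:

```python
import os
import tempfile


def make_sample_file(content: bytes) -> str:
    """Write constructed sample content to a temporary file and return its path."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(content)
        return tmp.name


def overwrite_in_place(path: str, cluster: int = 4096, chunk: int = 1 << 20) -> int:
    """Overwrite a file once with random bytes, in place, and return bytes written.

    The write is extended to the next multiple of `cluster` (4096 is an assumed
    cluster size) so the file slack after the old end-of-file is overwritten as
    well. The file is never truncated, so it keeps the clusters it already has."""
    size = os.path.getsize(path)
    total = max(1, -(-size // cluster)) * cluster
    with open(path, "r+b") as f:
        written = 0
        while written < total:
            n = min(chunk, total - written)
            f.write(os.urandom(n))
            written += n
        f.flush()
        os.fsync(f.fileno())  # push the overwrite through the OS cache to the device
    return written


def secure_delete(path: str) -> int:
    """Single-pass overwrite, rename to a random name, then unlink.

    The rename replaces the file name in the directory entry; the old name can
    still survive in the filesystem journal or MFT slack, and the data can
    survive in shadow copies, backups, or on flash media that remaps writes."""
    written = overwrite_in_place(path)
    directory = os.path.dirname(os.path.abspath(path))
    anonymous = os.path.join(directory, os.urandom(8).hex())
    os.rename(path, anonymous)
    os.remove(anonymous)
    return written


def demo() -> bool:
    """Wipe a throwaway file and report whether it is gone afterwards."""
    path = make_sample_file(b"search?q=how+to+delete+google+history\n" * 20)
    secure_delete(path)
    return not os.path.exists(path)


if __name__ == "__main__":
    print("wiped:", demo())
```

Notice everything this does not touch: copies the application itself made (journals, caches, index files), copies in backups or restore points, and the unallocated space from earlier deletions. That is the gap the free-space wipe in the Chrome article is meant to close, and why wiping a single file is never the whole story.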

If you’ve any questions, concerns or comments then please leave a comment using the form below. You can also contact me via the Contact Form or by leaving a post on the Anti-Forensics Forum.



Description of Method

This anti-forensic method is basic and has been around for a while but it can be overlooked. The EnCase Forensic Software suite has two methods for identifying file types. These are:

  1. File Extension (.exe, .jpg, etc.)
  2. File signature or “magic number” identification, usually based on the bytes at the beginning of the file (such as the ASCII characters M and Z at the beginning of an executable file)

Here’s an example of where this method might be used:

A person may attempt to hide the existence of a RAR (Roshal Archive) file on a Windows system by simply changing the file extension to that of some other file format, such as an executable (.exe), in the hope that anyone who tries to run the now “executable” file (based on file extension) will simply encounter an error and move on, oblivious to the RAR archive full of goodies. A computer forensics examiner using EnCase should notice that the file extension (.exe) does not match the file signature (RAR) and become suspicious that this “executable” is really an archive. So we need to make the file signature match the .exe extension as well.

By changing both the file signature and the file extension of a RAR archive to match those of an executable, a person can effectively hide the true type of a particular file. This simple operation may be enough to make a computer forensics examiner overlook that file, since EnCase will report no signature mismatch and an executable is not the type of file they are looking for. There are probably examiners out there who would overlook a plain signature/extension mismatch like the one in the example above, but why take the chance when you can modify the file signature so easily? The steps are outlined briefly below and then covered in detail.

The Quick Steps

The anti-computer forensics method described below is fairly basic in that it only consists of two tasks:

  1. Modifying a files extension (example: change mypictures.rar to mypictures.exe)
  2. Modifying a files magic number commonly located at the start of the file (use a hex editor to modify the magic numbers at the start of a file)

The Details

To start, the hex editor I used to modify the file signature is “XVI32”. Any hex editor will work though. Also, by default Windows XP hides common file extensions from the user, which makes something as simple as changing a file extension difficult.

To show all file extensions:

  1. Open “My Computer” and then choose “Tools” from the top menu
  2. From the “Tools” menu choose “Folder Options”
  3. Click the “View” tab and uncheck “Hide extensions for known file types”

There, you’re all set!

I first created a simple WinRAR Archive (.rar) and made three copies of it. The first copy I left alone and did not modify.  The second copy of the RAR archive had only the file extension modified. I changed the “.rar” extension to a “.exe” extension like in the example you read in one of the previous paragraphs. The third copy of the RAR archive had the file extension changed as well as the “magic number” (file signature) in the header of the file modified with a hex editor to that of an executable file.

EnCase - WinRAR Archives

The screenshot above is of the EnCase forensic software and our three WinRAR archives as explained in the previous paragraph. Notice that the RAR selected in the screenshot is the unmodified file, and that in the hex view in the bottom pane the “magic numbers” (file signature) begin with “52 61 72 21” in hexadecimal. These 4 bytes are the start of the full 7-byte RAR signature 52 61 72 21 1A 07 00 (“Rar!” followed by 1A 07 00) and show that this file is an actual RAR archive.

The screenshot below is of the unmodified WinRAR archive loaded in the XVI32 hex editor. The “magic numbers” or file signature for this RAR archive is right at the beginning of the file: “52 61 72 21” in hexadecimal, “Rar!” in ASCII.

Original File Signature/Header

To change the file signature of this RAR archive we simply put the file signature of an executable at the start of the file. The two bytes are inserted in front of the existing header rather than written over it, so the archive data itself is untouched and the change can be undone by removing them again. The screenshot below shows the modified RAR archive, which now has an executable file signature.

Modified File Signature

Notice that “4D 5A” or “MZ” was added to the start of the file. This is the file signature for a DOS/Windows executable.

Now, with all modifications finished and saved, I used EnCase’s search dialog with file signature verification enabled to perform a file signature analysis across these three files.

EnCase - File Signature Analysis

This analysis is supposed to determine if the file signature matches the file extension for a file and if it does not, it will add “Bad Signature” to the “Signature” column within EnCase.

Here are the results of the analysis search:

EnCase After File Signature Analysis

Notice that, for whatever reason, EnCase has determined that the original RAR archive has a “bad signature”. This is a false positive, as the original archive has not been modified in any way; most likely the RAR extension/header pair in this installation’s file signature table does not line up with the archive. (The signature table is editable, so an examiner can add or correct entries.)

You will notice that the top file in the list which had only the file extension changed to “.exe” from “.rar” shows “bad signature” as expected. However, the WinRAR archive which had both the file signature and file extension changed to that of an executable now shows as a “match” for this file being an executable file!

Modified Signature and Extension

This simple technique has fooled the EnCase file signature analysis. You can reverse it by removing the “MZ” bytes (or restoring the original magic numbers) so that the archived contents may once again be accessed. Keep in mind that passing a signature check is not the same as being an executable: anything that parses the file further, for example checking that the MZ header’s e_lfanew field at offset 0x3C points at a “PE\0\0” header, or scanning the first few bytes for other known signatures instead of only looking at offset 0, will expose the archive immediately.
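The whole exercise in code, as an added example that is not part of the article and is not EnCase’s logic: the naive extension-versus-magic comparison that a signature analysis performs, the forging step (prepending 4D 5A, as done above with XVI32) and its reversal, plus two checks an examiner could run that the forgery does not survive. The sample RAR body and the minimal MZ/PE header are constructed for the example, and the list of known signatures is deliberately tiny:

```python
import struct

MZ = b"MZ"                      # DOS/PE executable header, 4D 5A
RAR_SIG = b"Rar!\x1a\x07\x00"   # RAR 1.5-4.x: 52 61 72 21 1A 07 00 (RAR5 ends 1A 07 01 00)
KNOWN = ((b"Rar!\x1a\x07", "rar"), (MZ, "exe"), (b"PK\x03\x04", "zip"), (b"%PDF", "pdf"))


def identify_by_magic(data: bytes) -> str:
    """Type according to the bytes at offset 0, or 'unknown'."""
    for sig, name in KNOWN:
        if data.startswith(sig):
            return name
    return "unknown"


def signature_mismatch(filename: str, data: bytes) -> bool:
    """The extension-versus-header comparison a signature analysis performs."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return identify_by_magic(data) != ext


def disguise_as_exe(rar: bytes) -> bytes:
    """Prepend 4D 5A, as done with the hex editor in the article."""
    return MZ + rar


def undo_disguise(data: bytes) -> bytes:
    """Strip the prepended MZ so the archive opens again."""
    if not data.startswith(MZ + b"Rar!"):
        raise ValueError("not a disguised RAR archive")
    return data[len(MZ):]


def looks_like_valid_pe(data: bytes) -> bool:
    """Deeper check: e_lfanew at 0x3C must point at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or not data.startswith(MZ):
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def embedded_signatures(data: bytes, window: int = 32) -> list:
    """Known signatures anywhere in the first `window` bytes, not just at offset 0."""
    found = []
    for sig, name in KNOWN:
        idx = data.find(sig, 0, window + len(sig))
        if idx != -1:
            found.append((name, idx))
    return sorted(found, key=lambda t: t[1])


# Constructed samples: a fake RAR body and a minimal MZ header whose e_lfanew
# points at a PE signature at offset 0x40.
SAMPLE_RAR = RAR_SIG + bytes(range(64))
SAMPLE_PE = (MZ + b"\x00" * (0x3C - len(MZ)) + struct.pack("<I", 0x40)
             + b"PE\x00\x00" + b"\x00" * 20)


if __name__ == "__main__":
    forged = disguise_as_exe(SAMPLE_RAR)
    for name, blob in (("archive.exe", SAMPLE_RAR), ("archive.exe", forged),
                       ("real.exe", SAMPLE_PE)):
        print(name,
              "mismatch" if signature_mismatch(name, blob) else "match",
              "valid PE" if looks_like_valid_pe(blob) else "not a PE",
              embedded_signatures(blob))
```

The forged file passes signature_mismatch() exactly as it passed EnCase, and fails both looks_like_valid_pe() and embedded_signatures() exactly as the limitations below warn. An examiner who adds either of those checks to their workflow, or simply eyeballs the first 16 bytes of every “executable” that has no PE header, gets the archive back.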

Limitations

This technique can be limited depending on the situation. For example, if you attempt to “hide” the existence of a file which contains a lot of strings that could give it away, then it will be pretty obvious to a computer forensics examiner when he or she manually checks out that file. It can also be easily discovered if a keyword search is performed across the entire hard drive and the modified file contains one of those keywords which were part of the search.

If you’ve placed documents in a WinRAR archive and you’ve also provided a password for that archive, then the file names of those documents that you’ve placed in archive will still be visible to anyone who views it with a hex editor or with a similar software or technique. You’ll need to choose to “Encrypt file names” as you set a password for the RAR file. You can see in the example screenshots of EnCase above that I’ve placed an empty document in the RAR archive but did not choose to encrypt the file names of the files in that archive.

There are situations where someone may use this technique, so it’s not totally useless, but depending on the type of file you’re modifying it might just be too obvious. An example that sticks out in my mind of where this would work is a password protected WinRAR archive with encrypted file names. If you wanted to hide the existence of data inside a modified archive like this, it would probably be pretty difficult for an examiner to figure out that the file is not actually an executable or whatever file type you’ve modified the signature and extension to be. I would go a step further and modify the timestamps of the file with Timestomp and place that file in a time frame that is as far from suspicion as possible (bearing in mind that Timestomp changes the $STANDARD_INFORMATION timestamps, and an examiner who compares them with the $FILE_NAME timestamps in the same MFT record can spot the discrepancy).

If you’ve any other ideas, tips, want to point out a mistake and so on and so forth, please comment below!

Google Mail is a powerful engine for spammers. You might have had spam hit your inbox from a gmail address at some point. So what makes this email service from Google such a great staging platform for mass mailing?

Well, when an email is sent from most web mail providers, the originating IP address (the address from which the web interface was accessed) is included in the message headers, typically as an X-Originating-IP header or in the first Received line. Email sent through Google’s web interface carries no such originating address; the earliest Received header names only Google’s own servers. (Mail submitted to Gmail from a desktop client over SMTP is different: Google’s servers record the client’s IP address in a Received line.) This means that spammers do not have to deal with rotating or masking their sending IP address, which would otherwise be blacklisted fairly quickly when mass mailing. The usual filters still need to be bypassed to get mass amounts of email into inboxes.
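An added example (my own code, not the article’s) of what an abuse desk or examiner actually does with those headers: walk the Received chain from the earliest hop to the latest, discard private addresses, and report the first routable one, letting an X-Originating-IP header win when present. The three messages are constructed using RFC 5737 documentation addresses, with 203.0.113.10 standing in for a webmail provider’s outbound relay; the routable/non-routable classification is hand-rolled because Python’s ipaddress module treats those documentation ranges as non-global:

```python
import email
import ipaddress
import re

IP_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16")]


def is_routable(addr: ipaddress.IPv4Address) -> bool:
    return not any(addr in net for net in NON_ROUTABLE)


def ips_in(text: str) -> list:
    """Every syntactically valid IPv4 address in a header value."""
    out = []
    for s in IP_RE.findall(text):
        try:
            out.append(ipaddress.ip_address(s))
        except ValueError:
            pass
    return out


def received_hops(raw: str) -> list:
    """Earliest hop first: list of (normalised header text, [(ip, routable), ...])."""
    msg = email.message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        hops.append((" ".join(hdr.split()),
                     [(str(a), is_routable(a)) for a in ips_in(hdr)]))
    return hops


def apparent_origin(raw: str):
    """Best guess at the submitting client's address, or None.

    X-Originating-IP (added by some webmail providers) wins; otherwise the first
    routable address in the earliest Received hop. When a webmail interface
    omits the client address, that is the provider's own relay, not the sender."""
    msg = email.message_from_string(raw)
    xo = msg.get("X-Originating-IP")
    if xo:
        for a in ips_in(xo):
            return str(a)
    for _, ips in received_hops(raw):
        for ip, routable in ips:
            if routable:
                return ip
    return None


# Constructed samples (RFC 5737 documentation addresses).
WEBMAIL = """\
Received: from relay.webmail.test (relay.webmail.test [203.0.113.10])
\tby mx.example.org with ESMTP id k3si0001; Wed, 9 Dec 2009 10:00:02 +0000
Received: by 10.220.71.19 with HTTP; Wed, 9 Dec 2009 10:00:00 +0000
From: sender@webmail.test
To: victim@example.org
Subject: hello

body
"""
SMTP_CLIENT = """\
Received: from relay.webmail.test (relay.webmail.test [203.0.113.10])
\tby mx.example.org with ESMTP id k3si0002; Wed, 9 Dec 2009 10:00:02 +0000
Received: from [192.168.1.5] (cpe-198-51-100-7.isp.test [198.51.100.7])
\tby relay.webmail.test with ESMTPSA id q7sm0002; Wed, 9 Dec 2009 10:00:00 +0000
From: sender@webmail.test
To: victim@example.org
Subject: hello

body
"""
OTHER_WEBMAIL = "X-Originating-IP: [198.51.100.7]\n" + WEBMAIL

if __name__ == "__main__":
    for label, raw in (("webmail", WEBMAIL), ("smtp client", SMTP_CLIENT),
                       ("webmail with X-Originating-IP", OTHER_WEBMAIL)):
        print(f"{label:30s} origin={apparent_origin(raw)} hops={received_hops(raw)}")
```

For the webmail sample the earliest hop is “by 10.220.71.19 with HTTP”, a private address that identifies nothing outside the provider, so the best the parser can do is the provider’s relay. The SMTP-client sample shows the contrast: the client’s own address sits in the earliest Received line and is recovered directly.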

Some of these filters include:

  • Strings of words and phrases that appear in the bodies of many emails
  • Similar email subject lines
  • URLs included in emails which direct recipients of spam to landing pages or offers

These filters can generally be bypassed fairly easily as well. Mailing software exists that will craft emails pulling URLs at random from a large list. This allows a spammer to register many domains and URLs which all redirect to their offer’s landing page. This keeps anti-spam filters from marking messages as spam based on the URLs in the subject and body, since the URL may differ across 100 or more emails.

This same mailing software usually includes the ability to generate email subjects and bodies dynamically, allowing unlimited variations of words and phrases so that there may be up to a million different variations of the same basic email template.

Combine these dynamic emails with no origin IP address and you’ve an excellent engine to send spam email.

Gmail will enable a “CAPTCHA” on accounts which have tripped Google’s outgoing spam filters. This means that the account will need to be logged into with the CAPTCHA solved correctly before any more email can be sent from it.

So you’d think it would be harder to really send a lot of spam? Well, not so much. There are services which allow automated CAPTCHA solving, such as the one provided at decaptcher.com. The FAQ on decaptcher.com states:

DeCaptcher CAPTCHA solving is processed by humans. So the accuracy is way better than automated captcha solvers.

The CAPTCHAs solved by this service generally take between 10 and 30 seconds, and CAPTCHAs can be sent to decaptcher for processing through an API provided in many different languages. This makes coding software to use this service very easy and profitable, both for programmers and for those who dabble in mass mailing or any other service which requires a CAPTCHA.

A tool which can automate the process of logging into Gmail accounts, solving CAPTCHAs when needed, and sending email can be very expensive. Mailing software like this can sell for over a thousand US dollars, but in the hands of the right person it is just the result of a few hours of work.

Google has also implemented limits on outgoing email. Gmail caps its web mail at 500 outgoing messages per day, and their SMTP service will deliver 250 outgoing email messages per day. So to get around this you can simply purchase Gmail accounts by the thousands or make them yourself with automated software (or manually if you’re crazy), which can also have the DeCaptcher service implemented. Typically, Gmail accounts are sold in packs of 1,000 for between $15 and $20.

Computer forensic examiners should keep all of this in mind when they’re working a harassment case or equivalent where the offending email was sent from Gmail. You won’t find the originating IP address in the headers of those emails as long as they were sent via the web interface of Gmail.

To test this:

  1. Log into your Google mail account and send an email to one of your Yahoo or Hotmail email addresses
  2. View the source of the email (right-click on email in the inbox and view source – in Hotmail)
  3. Notice the IP in the header is one of Google’s and not yours
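The header check from the steps above, written out as an added example (not part of the original post): it walks the Received chain back to the first hop and reports whether an X-Originating-IP header is present, which is where webmail providers that do expose the client address usually put it. The message, hosts and addresses are constructed placeholders.

```python
import re
from email import message_from_string

# Constructed raw message (not a real capture), laid out the way a webmail-sent
# message arrives: the first hop is the provider's own outbound server and there
# is no X-Originating-IP header. Hosts and addresses are documentation placeholders.
WEBMAIL_SAMPLE = """\
Received: from mx-in.example.net (mx-in.example.net [192.0.2.10])
\tby mail.example.net with ESMTP id ABC123; Sat, 11 Apr 2009 14:40:01 +0000
Received: from mail-out.webmail.example (mail-out.webmail.example [198.51.100.7])
\tby mx-in.example.net with ESMTP; Sat, 11 Apr 2009 14:40:00 +0000
From: someone@webmail.example
Subject: test

body
"""

# "from <host> ... [<ip>]": the bracketed address is what the receiving server
# actually saw on the wire, so it is the only part of the clause worth trusting.
FROM_RE = re.compile(r"\s*from\s+(\S+)[^[]*\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def received_hops(raw):
    """Return (host, ip) per Received header in transit order, sender side first.

    Each relay prepends its own Received header, so the header closest to the
    sender is the last one in the message; reversing restores the real order.
    """
    msg = message_from_string(raw)
    hops = []
    for hdr in reversed(msg.get_all("Received", [])):
        m = FROM_RE.match(hdr)
        hops.append((m.group(1), m.group(2)) if m else (None, None))
    return hops


def origin_summary(raw):
    """Summarise what an examiner can read about the sending address."""
    msg = message_from_string(raw)
    hops = received_hops(raw)
    return {
        "x_originating_ip": msg.get("X-Originating-IP"),  # None for webmail w/o it
        "first_hop": hops[0] if hops else (None, None),   # provider's server here
        "hop_count": len(hops),
    }


if __name__ == "__main__":
    print(origin_summary(WEBMAIL_SAMPLE))
```

When the first hop is the provider's own mail server and no X-Originating-IP header exists, the headers alone will not tell you where the sender logged in from.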

Now if the one who sent the email used an IP address not associated with them in any way to create and then access the Gmail account, then you’re pretty much out of luck. You’ll notice I haven’t cited any sources for purchasing Gmail accounts and Gmail mailers. You should be able to find these yourself with… Google.

The thumbs.db file on a Windows XP system can be a treasure chest of 96 x 96 pixel artifacts. By default, in the standard Windows XP Home and Professional editions, a thumbs.db file is created in any folder viewed in thumbnail view which contains JPEGs, bitmaps, GIFs, PNGs and other files.

These thumbs.db files are very useful to forensic examiners because they can contain thumbnails of pictures and other media which currently exist or previously existed in the same directory as the thumbs.db file.

The screenshot below shows the contents of a thumbs.db file from within an older version of EnCase. The pictures were previously located in the same folder as the thumbs.db file but were erased. However, as you can see, the thumbnails of these pictures still exist in the thumbs.db file.

Encase - Thumbs.db File Structure

It’s very easy to disable thumbnail caching on a Windows XP system so that existing thumbs.db files are not updated with new thumbnails and new thumbs.db files are prevented from being created. Just follow the instructions below.

  1. Open Windows Explorer
  2. Click the “Tools” menu
  3. Choose “Folder Options…”
  4. Select the “View” tab
  5. Under “Files and Folders” checkmark “Do not cache thumbnails”

Do not cache thumbnails

The registry value this setting changes, which you can also edit manually, is located under:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Modify the value: DisableThumbnailCache

Remember that you have only disabled thumbnail caching and any previous thumbs.db files still exist on the system. To find these files you can run a simple search from explorer for the file name “Thumbs.db”.

You could just delete all of the thumbs.db files that show up in the search results but then they could be recovered with simple data recovery techniques. So the best way to delete the files is with file wiping software like CCleaner which I’ve mentioned in previous articles.

You are able to add custom files to the wiping sequence in CCleaner like in the screenshot below.

CCleaner Custom File Wipe

Also remember to set CCleaner to do a one pass wipe over the file when it deletes it. Otherwise the thumbs.db files that were deleted can still be recovered.

One Pass Wipe - CCleaner

If you’ve any tips or suggestions you’d like to add, please comment below.

This article covers the USBSTOR registry key and the setupapi.log file and methods to delete them. These two artifacts can contain data regarding USB devices that have been plugged into a system.

There are other things you should be aware of as well which are covered in this article. Sometimes just deleting a registry key or file is not enough.

USBSTOR Registry Key

The USBSTOR registry key contains subkeys which are created when USB devices are plugged into the system. The location of this registry key on a Windows XP system is: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

As an example, I’ve set up a fresh Windows XP virtual machine and plugged in a single thumb drive. A subkey under USBSTOR was created based on the USB thumb drive that I used, an OCZ Rally; see the screenshot below.

USBSTOR Subkey

To delete this registry key and/or its subkeys you must first right-click the key and choose Permissions. You can then give the “Everyone” group full control of the key or subkeys so that they can be deleted. I’m sure it isn’t too difficult to whip up a script or piece of software to automate this.

So, you’ve deleted the key and you’re good to go, right?

Well, maybe. If you’ve had System Restore active then there are most likely copies of this key in every system restore point. Make sure you’re aware of what registry software you’ve run on your system as well. Even CCleaner (which I talk about below) has a registry cleaner which by default prompts the user to back up the registry.

setupapi.log Plain-text Log File

The setupapi.log is located in the %windir% directory on Windows XP systems. It contains entries for driver installations of USB devices that have been plugged into the system, and much more. It’s quite the little treasure chest of artifacts and should be dealt with. See the screenshot below of the setupapi.log on a virtual machine after I plugged in a USB OCZ Rally thumb drive.

Why would you want to get rid of the log?

Well, if an examiner needed to see what devices had been plugged into the system, this would be one of the spots they would look.

setupapi.log log file
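What an examiner pulls out of this log, as an added example that is not from the original post: it walks a setupapi.log text, takes the timestamp from each bracketed section header (the detail lines carry no time of their own) and reports every USBSTOR device install with its vendor, product, revision and serial fields. The excerpt is constructed to mirror the Windows XP layout; the device strings and serial are invented placeholders.

```python
import re
from datetime import datetime

# Constructed excerpt (not a real capture) modelled on the Windows XP setupapi.log
# layout: "[date time pid.tid Driver Install]" section headers followed by
# "#"-coded detail lines. Vendor/product strings and the serial are placeholders.
SAMPLE_LOG = """\
[2009/04/11 14:32:07 1028.4 Driver Install]
#I022 Found "USB\\Class_08&SubClass_06&Prot_50" in C:\\WINDOWS\\inf\\usbstor.inf; Device: "USB Mass Storage Device"; Section name: "USBSTOR_BULK".
#I121 Device install of "USB\\VID_1234&PID_5678\\CONSTRUCTED01" finished successfully.
[2009/04/11 14:32:09 1028.4 Driver Install]
#-019 Searching for hardware ID(s): usbstor\\diskexample_thumb_drive____1.00,usbstor\\gendisk,gendisk
#I022 Found "USBSTOR\\GenDisk" in C:\\WINDOWS\\inf\\disk.inf; Device: "Disk drive"; Section name: "disk_install".
#I121 Device install of "USBSTOR\\DISK&VEN_EXAMPLE&PROD_THUMB_DRIVE&REV_1.00\\CONSTRUCTED01&0" finished successfully.
"""

SECTION_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \S+ (.*)\]$")
INSTALL_RE = re.compile(r'^#I121 Device install of "([^"]+)" finished successfully\.')


def parse_usbstor_installs(text):
    """Return [(timestamp, device instance id)] for each USBSTOR install.

    Only section headers carry a clock, so each #I121 line is stamped with the
    time of the header that precedes it. Installs under the plain USB enumerator
    (the composite/bulk device) are skipped; only the storage instance is kept.
    """
    current_ts, installs = None, []
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current_ts = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            continue
        m = INSTALL_RE.match(line)
        if m and current_ts and m.group(1).upper().startswith("USBSTOR\\"):
            installs.append((current_ts, m.group(1)))
    return installs


def split_instance_id(instance_id):
    """Split USBSTOR\\DISK&VEN_x&PROD_y&REV_z\\serial&n into named fields."""
    _enum, rest = instance_id.split("\\", 1)
    hw_id, serial = rest.rsplit("\\", 1)
    fields = dict(p.split("_", 1) for p in hw_id.split("&") if "_" in p)
    return {"vendor": fields.get("VEN"), "product": fields.get("PROD"),
            "revision": fields.get("REV"), "serial": serial}


if __name__ == "__main__":
    for ts, dev in parse_usbstor_installs(SAMPLE_LOG):
        print(ts.isoformat(), split_instance_id(dev))
```

The instance id recovered here is the same string that names the subkey under the USBSTOR registry key, which is how the two artifacts are tied together.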

What’s the best way to get rid of the log?

Just delete it, preferably with a single pass wipe through wiping software such as CCleaner. If you’re not already using CCleaner, you should be. Go through all the settings in CCleaner and set it to do a one-pass wipe over files, like in the screenshot below. Otherwise it is possible to recover this log file with basic data recovery techniques.

One Pass Wipe - CCleaner

Also, setting CCleaner to do more than one pass is just wasting your time (previous article).

You can add custom files and directories to include in the wiping process. This is where you would add the setupapi.log file located in the C:\windows directory, just like in the screenshot below.

CCleaner Include Custom File

For more information on what is contained in the log, take a peek at this article on microsoft.com.

If you’ve never used CCleaner I recommend it for taking care of the many temp files on your system. What’s even better is that it has the ability to wipe a file and not just delete it.

If you have any tips or suggestions to add to the article then I encourage you to share them with a comment below.
