Evidence Eliminator


Evidence Eliminator

Post by weazy » Fri May 30, 2003 5:58 pm

Everyone has privacy concerns when it comes to their computer data; but sometimes privacy must take a back seat to the protection of the public. This is evident today as we wait in long lines at the airport and subject ourselves to metal detectors at World Series games. I personally am a big proponent of privacy. That's probably because I'm a big proponent of my rights as a US citizen. I draw the line when people view pictures (at work) of people engaging in oral sex with cows or people who are into kiddie porn. I frankly have no mercy for the people who engage in these activities; and so our story begins...




Recently, it was brought to my group's attention that a co-worker was viewing "inappropriate content" on his supplied computer. I don't know where you work... but where I work this type of thing can be very bad (financially and politically). We had no choice but to begin an investigation.

It all started with monitoring the HTTP traffic on our network... something we don't do on a regular basis. We downloaded the evaluation version of SurfControl's Superscout Webfilter and mirrored the port of the alleged offender. We plugged the monitoring station into the mirrored port and waited to see what turned up. Immediately we saw signs of "inappropriate activity", but we still waited so we could have a fairly long-term trend (log) of these activities. After about 5 days, we had seen enough. The "big boss" called a meeting with the alleged offender and placed him on administrative leave.

This story doesn't end there. While the alleged offender was being escorted off the property, he was allowed to log off of his computer. This is not standard policy and our group was not informed of the notification to the alleged offender. The alleged offender logged off his computer, and we were told by those who waited for him that the alleged offender was not at his computer for longer than one minute.

With the alleged offender off the property, we could begin to look for clues on his machine that would implicate him further and correspond to the traffic logs we had previously generated. What I found was astonishing! The entire hard drive was as clean as a baby's butt, like a fresh new image. No temp files, no cached data, no registry information pertaining to Internet Explorer history, nothing at all. I am quite familiar with the hiding places where Internet Explorer stores data... data which is not erased when you clean your files (deleting all temp files and offline content), nor when you erase your history.

There are documents which describe these "really hidden" places: Here or Here

What is a poor overworked underpaid brother from the hood supposed to do? Tricked by the man again? Nope. I kept looking. I examined every directory, which took me another 5 minutes (not a lot of stuff stored locally). I found Virtual Girl... a lame spyware program that makes semi-nude women prance around on your desktop, and I found an invalid system link to "Evidence Eliminator Safe Delete". I realized that my suspicions were true and the alleged offender had cleaned his hard drive. He obviously followed that by deleting the Evidence Eliminator system folder from Windows.

I personally haven't had a need to use Evidence Eliminator so my knowledge base was a little slim. I'm not too worried though because we have access to Encase Forensic Software (used by law enforcement agencies world-wide). So I decided to get the scoop on Evidence Eliminator.

Here's what the Evidence Eliminator site says, and I quote:

Evidence Eliminator™ is proven to defeat the exact same forensic software as used by the US Secret Service, Customs Department and Los Angeles Police Department (LAPD).

It is a proven fact... routine Forensic Analysis equipment such as EnCase and F.R.E.D. used by Private and Business Investigators, Law-Enforcement and others, can recover evidence from parts of your hard drive that you thought were empty, parts that you had cleaned.

Should I give up? Has Shaft been shafted by the man again? Shaft after all is a private dick who's a sex machine to all the chicks... he's not a l337 phj34r m3 L4PD F0r3ns1c H4x0r. "What the hell... I might as well put Evidence Eliminator to the test", I thought. I attached the confiscated computer to EnCase's FastBloc (a hardware device which essentially mirrors the hard drive you want to examine).

Here's Encase's pitch for the FastBloc:

Computer investigations require fast, reliable ways to acquire digital evidence. FastBloc Data Acquisition Hardware is a hardware write blocked device. FastBloc enables the safe acquisition of source media in Windows to an EnCase evidence file. Until the development of FastBloc, non-invasive acquisitions were only conducted in DOS environments. FastBloc employs innovative technology that allows for non-invasive Windows acquisitions and subsequent verification.



FastBloc is not a stand-alone product. When attached to a computer and a source hard drive, it provides investigators with the ability to preview or acquire data in either a Windows or DOS environment. The unit is lightweight, self-contained, and portable for easy field acquisitions, with on-site verification immediately after the acquisition.



Here's Encase's pitch for their software:

EnCase features a graphical user interface that enables examiners to easily manage large volumes of computer evidence and view all relevant files, including "deleted" files, file slack and unallocated data. The integrated functionality of EnCase allows the examiner to perform all functions of the computer forensic investigation process, from the initial "previewing" of a target drive, the acquisition of the evidentiary images, the search and recovery of the data and the final reporting of findings, all within the same application.

Further, EnCase methodology allows the examiner to perform these processes in a non-invasive manner, meaning not one byte of data is changed on the original evidence. The final reports and extracts generated by the built-in report feature document the investigation results and integrity of the original data with a clear and concise chain of custody to ensure the authentication of the examined electronic evidence in a court of law.

The time had come to view the hard drive, and guess what I found? 333 pictures of questionable material which included men having sex with cows and dogs. Now when I say cows and dogs, I don't mean Roseanne Barr and Sandra Bernhard; I mean Shamrock and Fido. EnCase printed out a detailed report of the violations (157 pages long!) and though I find EnCase's GUI to be rather cumbersome, it provided everything I needed to go to management and get the offender (no longer alleged) permanently "retired" from our organization.

If you're looking to securely delete files, might I suggest a large magnet, a large magnifying glass, or a large sharp axe.



In an ironic twist, EnCase also recovered the previously deleted Evidence Eliminator files...



Case Closed.

--The Devil is in the Details--
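To make concrete what the EnCase pitch above means by recovering "deleted" files from unallocated data, here is an added example that is not from the post and is not EnCase or Evidence Eliminator code: a toy volume whose unlink() clears only the directory entry (as a real filesystem delete does), and a signature carver that finds the JPEG in the raw clusters anyway. ToyVolume, carve_jpegs, classify and the two fake JPEGs are all constructed for this demonstration.

```python
CLUSTER = 512                                     # constructed: toy cluster size
JPEG_SOI, JPEG_EOI = b"\xff\xd8\xff", b"\xff\xd9"  # JPEG start/end markers

class ToyVolume:
    """Directory table plus raw clusters. unlink() only drops the directory
    entry; the data clusters keep their bytes until something reuses them,
    which is exactly the gap a forensic carver works in."""
    def __init__(self, n_clusters):
        # deterministic stale filler standing in for bytes left by earlier use
        self.image = bytearray(bytes(range(256)) * (2 * n_clusters))
        self.directory = {}        # name -> (offset, size); the "live" view
        self.next_free = 0         # bump allocator: files are contiguous

    def write(self, name, data):
        off = self.next_free * CLUSTER
        self.image[off:off + len(data)] = data        # slack past EOF untouched
        self.directory[name] = (off, len(data))
        self.next_free += -(-len(data) // CLUSTER)    # ceil(len / CLUSTER)

    def unlink(self, name):
        del self.directory[name]                       # data is NOT touched

def carve_jpegs(image, max_size=1 << 20):
    """Scan every byte of the image, allocated or not, for SOI...EOI spans."""
    found, i = [], 0
    while (start := image.find(JPEG_SOI, i)) >= 0:
        end = image.find(JPEG_EOI, start + 3, start + max_size)
        if end < 0:                 # header without trailer: skip it
            i = start + 1
            continue
        found.append((start, bytes(image[start:end + 2])))
        i = end + 2
    return found

def classify(vol):
    """Label each carved hit as allocated (still in the directory) or deleted."""
    live = {off for off, _ in vol.directory.values()}
    return [(off, "allocated" if off in live else "deleted", data)
            for off, data in carve_jpegs(vol.image)]

def demo():
    vol = ToyVolume(64)
    fido = JPEG_SOI + b"\xe0FIDO" + b"\x00" * 300 + JPEG_EOI   # constructed fake JPEG
    cow = JPEG_SOI + b"\xe0COW" + b"\x00" * 700 + JPEG_EOI     # constructed fake JPEG
    vol.write("fido.jpg", fido)
    vol.write("cow.jpg", cow)
    vol.unlink("cow.jpg")          # "deleted" as far as the directory is concerned
    return classify(vol)
```

Calling demo() returns both pictures, with the unlinked one labelled "deleted" because its bytes still sit in clusters the directory no longer points at; only overwriting those clusters would take it out of reach of this kind of carving.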