Looking for evidence of ZDelete being used

Thread: Looking for evidence of ZDelete being used

  1. #1
    Junior Member
    Join Date
    Jan 2005
    Posts
    5

    Looking for evidence of ZDelete being used

    Hi all, was wondering if you could help me out with a query.

    I've recently started as a digital forensic analyst, and am undergoing training in Encase, FTK and several other forensic tools. I'm currently assisting another analyst with regards to a case where we have a hunch that the suspect used a disk-cleaning utility (most likely ZDelete) to erase certain files.

    We can't find any solid evidence to say whether he has or not, but doing a keyword search revealed some deleted files that aroused suspicion regarding use of ZDelete. Could anyone recommend what to look for to see if ZDelete had once been installed on the suspect's hdd?

    Thank you for your time

  2. #2
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Location
    Beverwijk Netherlands
    Posts
    2,535
    I think there might be some stuff in the registry left (most software leaves crap in the registry)

    Don't have any experience with ZDelete though..
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  3. #3
    Junior Member
    Join Date
    Jan 2005
    Posts
    5
    Nope, unfortunately not, already checked there and couldn't find anything like ZDelete or LSoft Technologies (the company that makes ZDelete).

    Thanks for your suggestion though

  4. #4
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    I know that Encase has a selection of scripts you can download and use. One of which will show Installed software.

    The scripts that I have seen are quite old now, have not looked at what is available for some time.
    Have you checked out what they have to offer?

    In any case, if you run the correct script you may be able to find some traces of ZDelete in the unallocated area, perhaps.

    Anyway good luck.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry

  5. #5
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Well,

    Whatever the guy used could have been on a CD, then you wouldn't find anything because it was never installed.

    You might get the trial of ZDelete and load it onto another machine and find what traces it leaves. At least you would then know what you were looking for and where to look.

    Just a thought
    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  6. #6
    Junior Member
    Join Date
    Jan 2005
    Posts
    5
    Both good ideas, cheers gentlemen, will try them after lunch

  7. #7
    Senior Member
    Join Date
    May 2003
    Posts
    472
    You are working on forensics. So you have other choices as well. Well, try to look for names of deleted files from the FAT/NTFS. If that doesn't help, recover everything that you can recover in raw mode. I mean any bit/byte you can recover. After you have recovered the raw stuff, try running a search on that raw data for the strings used by ZDelete. Strings that they use in their text for menus, dialogue boxes or anything else. Well, Windows supports Unicode. So you may have to try many strings. And try those strings which will firmly ensure these are from ZDelete only.

    Download ZDelete, open one of the files in IDA Pro, and then under the strings tab, right click->setup and unselect unicode. Now refresh (right click). This may prove to be the starting point for what strings to be searched for.

    Hope this helps.
    guru@linux:~> who | grep -i blonde | talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;
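The string-harvest-then-search workflow NullDevice describes, written out as an added example (not code from the thread or from ZDelete): pull ASCII and UTF-16LE strings from a tool binary the way IDA's strings window does, keep only those an unrelated Windows program does not also contain, and look for them in carved raw data. The binaries and the "unallocated" bytes are constructed stand-ins, and "SampleWiper" is a placeholder, not a real ZDelete string.

```python
import re

# Added example, not from the thread: harvest ASCII and UTF-16LE strings
# (Windows binaries carry both), drop strings a generic Windows program also
# has, then search carved raw data for what is left. All bytes below are
# constructed stand-ins; "SampleWiper" is a placeholder product name.

def extract_strings(data, min_len=8):
    """Printable ASCII and UTF-16LE runs of at least min_len characters."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    utf16_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    found = {m.group().decode("ascii") for m in ascii_re.finditer(data)}
    found |= {m.group().decode("utf-16-le") for m in utf16_re.finditer(data)}
    return found

def distinctive_strings(tool_bytes, baseline_bytes, min_len=8):
    """Strings in the tool but not in an unrelated baseline binary, so shared
    import names (KERNEL32.dll, GetProcAddress, ...) do not cause false hits."""
    return extract_strings(tool_bytes, min_len) - extract_strings(baseline_bytes, min_len)

def search_raw(raw, needles):
    """Byte offsets in raw data where each needle occurs, in either encoding."""
    hits = {}
    for s in sorted(needles):
        for enc in ("ascii", "utf-16-le"):
            pat = re.escape(s.encode(enc))
            offs = [m.start() for m in re.finditer(pat, raw)]
            if offs:
                hits.setdefault(s, []).extend(offs)
    return hits

# Constructed stand-in for the wiper executable: ASCII and UTF-16LE literals.
TOOL_SAMPLE = b"".join([
    b"KERNEL32.dll\x00\x00",
    b"SampleWiper - Secure Erase Wizard\x00\x00",
    "SampleWiper wipe log".encode("utf-16-le") + b"\x00\x00",
    b"GetProcAddress\x00\x00",
])
# Constructed stand-in for an unrelated Windows program (shares only imports).
BASELINE_SAMPLE = b"KERNEL32.dll\x00\x00GetProcAddress\x00\x00MSVCRT.dll\x00\x00"
# Constructed stand-in for carved unallocated space holding two fragments.
RAW_SAMPLE = (b"\xff" * 64 + "SampleWiper wipe log".encode("utf-16-le")
              + b"\xff" * 32 + b"KERNEL32.dll" + b"\xff" * 16
              + b"SampleWiper - Secure Erase Wizard" + b"\xff" * 8)

def find_tool_traces(tool=TOOL_SAMPLE, baseline=BASELINE_SAMPLE, raw=RAW_SAMPLE):
    return search_raw(raw, distinctive_strings(tool, baseline))

if __name__ == "__main__":
    for s, offs in find_tool_traces().items():
        print(f"{s!r} found at offsets {offs}")
```

On a real case the three byte strings would be the tool's executable, any unrelated Windows executable, and the raw export of unallocated clusters; a hit on the UTF-16LE form is why the Unicode pass matters.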

  8. #8
    Junior Member
    Join Date
    Jan 2005
    Posts
    5
    Thank you NullDevice, that sounds pretty useful

  9. #9
    Super Moderator: GMT Zone nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,190
    Hi,

    This looks somewhat relevant to what you are trying to do?

    http://archives.neohapsis.com/archiv...3-q4/0036.html

    If you cannot do someone any good: don't do them any harm....
    As long as you did this to one of these, the least of my little ones............you did it unto Me.
    What profiteth a man if he gains the entire World at the expense of his immortal soul?

  10. #10
    Regal Making Handler
    Join Date
    Jun 2002
    Posts
    1,668
    Whether or not files have been deleted, the chances are there will be traces of those files in unallocated sectors of the suspect hdd. If you could be more specific about what you are looking for.............I may be able to point you to the best enscript to run against your evidence file.
    What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
