-
January 13th, 2005, 12:57 PM
#1
Junior Member
Looking for evidence of ZDelete being used
Hi all, was wondering if you could help me out with a query.
I've recently started as a digital forensic analyst, and am undergoing training in Encase, FTK and several other forensic tools. I'm currently assisting another analyst with regards to a case where we have a hunch that the suspect used a disk-cleaning utility (most likely ZDelete) to erase certain files.
We can't find any solid evidence to say whether he has or not, but doing a keyword search revealed some deleted files that aroused suspicion regarding use of ZDelete. Could anyone recommend what to look for to see if ZDelete had once been installed on the suspect's hdd?
Thank you for your time
-
January 13th, 2005, 01:12 PM
#2
I think there might be some stuff in the registry left (most software leaves crap in the registry)
Don't have any experience with ZDelete though..
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio the best station for C64 Remixes !
-
January 13th, 2005, 01:18 PM
#3
Junior Member
Nope, unfortunately not, already checked there and couldn't find anything like ZDelete or LSoft Technologies (the company that makes ZDelete).
Thanks for your suggestion though
-
January 13th, 2005, 01:51 PM
#4
I know that Encase has a selection of scripts you can download and use, one of which will show installed software.
The scripts that I have seen are quite old now, have not looked at what is available for some time.
Have you checked out what they have to offer?
In any case, if you run the correct script you may be able to find some traces of ZDelete in the unallocated area, perhaps.
Anyway good luck.
What happens if a big asteroid hits the Earth? Judging from realistic simulations involving a sledge hammer and a common laboratory frog, we can assume it will be pretty bad. - Dave Barry
-
January 13th, 2005, 01:58 PM
#5
Well,
Whatever the guy used could have been on a CD, then you wouldn't find anything because it was never installed.
You might get the trial of ZDelete and load it onto another machine and find what traces it leaves. At least you would then know what you were looking for and where to look.
Just a thought
-
January 13th, 2005, 02:00 PM
#6
Junior Member
Both good ideas, cheers gentlemen, will try them after lunch
-
January 13th, 2005, 02:51 PM
#7
You are working on forensics, so you have other choices as well. Well, try to look for names of deleted files from the FAT/NTFS. If that doesn't help, recover everything that you can recover in raw mode. I mean any bit/byte you can recover. After you have recovered the raw stuff, try running a search on that raw data for the strings used by ZDelete. Strings that they use in their text for menus, dialogue boxes or anything else. Well, Windows supports Unicode, so you may have to try many strings. And try those strings which will firmly ensure these are from ZDelete only.
Download ZDelete, open one of the files in IDA Pro, and then under the Strings tab, right click -> Setup and unselect Unicode. Now refresh (right click). This may prove to be the starting point for what strings to be searched for.
Hope this helps.
guru@linux:~> who | grep -i blonde | talk; cd ~; wine; talk; touch; unzip; touch; strip; gasp; finger; mount; fsck; more; yes; gasp; umount; make clean; sleep;
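The raw-data string search described in the post above, as an added example that is not part of this thread: it scans carved bytes for each marker string in both 8-bit and UTF-16LE form, and keeps an overlap between chunks so a marker that straddles a read boundary is still found. The marker strings and the sample buffer are constructed for the demo, not taken from the real ZDelete binary.

```python
import re

# Constructed sample marker strings for the demo; in a real case they are read
# from the strings view of the wiping tool's own executable, as described above.
MARKERS = ["ZDelete", "LSoft Technologies"]

# Windows binaries carry both 8-bit and UTF-16LE text, so each marker is
# searched in both encodings.
ENCODINGS = ("ascii", "utf-16-le")


def find_markers(data, markers=MARKERS, encodings=ENCODINGS):
    """Scan one byte buffer (e.g. carved unallocated space) for every marker
    in every encoding, ASCII-case-insensitively.
    Returns a sorted list of (offset, marker, encoding)."""
    hits = []
    for marker in markers:
        for enc in encodings:
            pattern = re.escape(marker.encode(enc))
            for m in re.finditer(pattern, data, re.IGNORECASE):
                hits.append((m.start(), marker, enc))
    return sorted(hits)


def scan_chunks(chunks, markers=MARKERS, encodings=ENCODINGS):
    """Scan an iterable of byte chunks as one continuous stream, keeping enough
    overlap between chunks that a marker straddling a boundary is still found.
    Returns absolute offsets into the stream, de-duplicated and sorted."""
    overlap = max(len(m.encode(e)) for m in markers for e in encodings) - 1
    hits, carry, base = set(), b"", 0
    for block in chunks:
        buf = carry + block
        for off, marker, enc in find_markers(buf, markers, encodings):
            hits.add((base + off, marker, enc))
        carry = buf[-overlap:] if overlap else b""
        base += len(buf) - len(carry)
    return sorted(hits)


def scan_image(path, chunk_size=64 * 1024 * 1024, **kw):
    """Stream a raw disk image (e.g. a dd image) through scan_chunks."""
    with open(path, "rb") as fh:
        return scan_chunks(iter(lambda: fh.read(chunk_size), b""), **kw)


# Constructed sample "unallocated space": an 8-bit path fragment plus a UTF-16LE
# vendor string, padded with filler bytes. Not real ZDelete data.
SAMPLE = (b"\x00" * 16 + b"Program Files\\zdelete\\unins.dat" + b"\xff" * 8
          + "LSoft Technologies".encode("utf-16-le") + b"\x00" * 8)

if __name__ == "__main__":
    for off, marker, enc in scan_chunks([SAMPLE[:33], SAMPLE[33:70], SAMPLE[70:]]):
        print(f"0x{off:08x}  {enc:<10} {marker}")
```

The chunk splits in the demo deliberately cut through both markers, so the overlap handling is what makes them show up at their true offsets.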
-
January 13th, 2005, 03:53 PM
#8
Junior Member
Thank you NullDevice, that sounds pretty useful
-
January 13th, 2005, 05:40 PM
#9
Hi,
This looks somewhat relevant to what you are trying to do?
http://archives.neohapsis.com/archiv...3-q4/0036.html
-
January 14th, 2005, 01:03 AM
#10
Whether or not files have been deleted, the chances are there will be traces of those files in unallocated sectors of the suspect hdd. If you could be more specific about what you are looking for, I may be able to point you to the best enscript to run against your evidence file.