
Digital Investigation (2004) 1, 183–188

www.elsevier.com/locate/diin

What evidence is left after disk cleaners?

Andy Jones*, Christopher Meyler

School of Computing, University of Glamorgan, Llantwit Road, Pontypridd, RCT, Wales CF37 1DL, UK

Accepted 21 July 2004

KEYWORDS: Forensics; Information; Disk-scrubbing tools; Computer evidence

Abstract A user simply deleting evidence from a computer hard disk will not ensure that it has been permanently removed. It is for this reason that many will go to far greater lengths and use disk-scrubbing tools in an attempt to permanently remove information from storage media. This paper describes an experiment that was carried out to assess the effectiveness of two different disk-scrubbing tools in removing data from a computer hard drive. The results are discussed and conclusions drawn. © 2004 Elsevier Ltd. All rights reserved.

Introduction

Investigators seek to recover forensic evidence from computer systems to determine what has occurred and to use this information to convict or absolve a suspect. Evidence recovered may not specifically relate to computer crimes, but to any crime involving computers, such as terrorism, extortion or drug smuggling. Alternatively, information from computer storage media may simply be recovered for the purpose of gathering intelligence relating to the activities of the user(s). Tools and techniques for extracting data from storage media are improving, but more advanced users are also beginning to recognize the benefits of using more sophisticated methods to remove potential evidence and conceal their tracks to evade detection. Of course, the removal of data that have been created for illegal or illegitimate purposes from a computer hard disk is not the only motive for using tools such as disk scrubbers: legitimate motives for removing data could include the deletion of classified or sensitive material, such as personal, governmental, military, or medical data.

In this paper, we describe an experiment that was carried out to ascertain whether any evidence is left on a computer hard disk drive after a disk-scrubbing utility has been used. The research was carried out after a recent investigation in which the suspect had used a purchased version of an Internet cleaner to erase data from the hard disk drive; despite this, a significant volume of information that was useful to the investigation was found. The user in question was said to be knowledgeable, and the system was fully patched, well managed, and had an up to date anti-virus package installed.

* Corresponding author. E-mail addresses: [email protected] (A. Jones), cpmeyle1@glam.ac.uk (C. Meyler).

1742-2876/$ - see front matter © 2004 Elsevier Ltd. All rights reserved. doi:10.1016/j.diin.2004.07.002


To the vast majority of users, the obvious way to remove data from a disk is to delete it, but this process will not ensure that it has been permanently removed. The file's contents still reside on the disk, and the data remain unchanged until such time as they are overwritten by another file. A further measure would be to reformat the hard disk drive. However, the problem with this is that again, contrary to common belief, most of the data on the disk will remain untouched.

More knowledgeable and technically competent users are aware that a simple deletion of files or the formatting of a disk is not enough and will go to far greater lengths to ensure that data cannot be recovered. Disk cleaners are software tools that delete and overwrite data on a disk, sector by sector, so that it cannot be recovered using normally available tools and techniques. The majority of these tools have an option to carry out this task a preset number of times to ensure that no trace can be recovered. Random data are written to every sector of the disk, making it theoretically impossible to recover previously stored data. There are a number of proprietary and free software tools available that have varying rates of success. Examples of such tools include NTI’s DiskScrub (DiskScrub, 2004), Evidence Eliminator (Evidence Eliminator, 2003), and Secure Clean (Secure Clean, 2004; Tolvanen, 2004).
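The distinction drawn above, between deleting a file and overwriting the sectors it occupied, as an added example that is not part of the paper: the code builds a constructed in-memory "disk image" with a made-up 64-byte directory and 512-byte sectors, writes a browsing-history record (constructed, standing in for an index.dat-style artefact), deletes it the way an operating system does, carves the raw data area for URLs, and then overwrites the unallocated sectors with random data for several passes, as the scrubbing tools described above do, and carves again. The layout, sample record and function names are assumptions for illustration, not any real file system or tool.

```python
"""Deletion leaves data in place; only overwriting the sectors removes it.

Added example, not from the paper. The 'image' is a constructed bytearray
with a toy layout: a 64-byte directory (one entry: <first_sector, length>)
followed by 512-byte data sectors. Real file systems differ in detail but
behave the same way with respect to deletion."""
import os
import re
import struct

SECTOR = 512      # bytes per toy sector
DIR_SIZE = 64     # the first 64 bytes of the image hold the toy directory
N_SECTORS = 8

# Constructed browsing-history record standing in for an index.dat-style artefact.
SAMPLE_RECORD = (b"Visited: user@http://www.example.org/downloads/tool.zip\x00"
                 b"Visited: user@http://news.example.net/group/alt.test\x00")

URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def make_image() -> bytearray:
    """Blank image: zeroed directory followed by zeroed data sectors."""
    return bytearray(DIR_SIZE + SECTOR * N_SECTORS)


def write_file(img: bytearray, data: bytes, first_sector: int) -> None:
    """Store data at first_sector and record <first_sector, length> in the directory."""
    start = DIR_SIZE + first_sector * SECTOR
    img[start:start + len(data)] = data
    img[0:8] = struct.pack("<II", first_sector, len(data))


def allocated_sectors(img: bytearray) -> list:
    """Sectors the directory currently points at (empty once the file is deleted)."""
    first, length = struct.unpack("<II", bytes(img[0:8]))
    if length == 0:
        return []
    count = (length + SECTOR - 1) // SECTOR
    return list(range(first, first + count))


def delete_file(img: bytearray) -> None:
    """'Delete' the way an ordinary OS does: clear the directory entry only.
    The sectors holding the data are untouched and merely become unallocated."""
    img[0:8] = b"\x00" * 8


def overwrite_sectors(img: bytearray, sectors, passes: int = 3) -> None:
    """Scrub: overwrite each listed sector with fresh random data, `passes` times."""
    for _ in range(passes):
        for s in sectors:
            start = DIR_SIZE + s * SECTOR
            img[start:start + SECTOR] = os.urandom(SECTOR)


def wipe_unallocated(img: bytearray, passes: int = 3) -> None:
    """What a cleaner's 'wipe free space' option does: scrub every sector not
    referenced by the directory, which is where deleted files still live."""
    allocated = set(allocated_sectors(img))
    overwrite_sectors(img, [s for s in range(N_SECTORS) if s not in allocated], passes)


def carve_urls(img: bytearray) -> list:
    """Examiner's view: ignore the directory and search the raw data area for
    URL strings, as a keyword search over unallocated space would."""
    return [m.group().decode("ascii") for m in URL_RE.finditer(bytes(img[DIR_SIZE:]))]


def scenario() -> tuple:
    """Write a record, delete it, carve, then wipe free space and carve again."""
    img = make_image()
    write_file(img, SAMPLE_RECORD, first_sector=2)
    before = carve_urls(img)
    delete_file(img)
    after_delete = carve_urls(img)     # still recoverable: only the entry is gone
    wipe_unallocated(img, passes=3)
    after_wipe = carve_urls(img)       # gone: the sectors themselves were overwritten
    return before, after_delete, after_wipe


if __name__ == "__main__":
    b, d, w = scenario()
    print("carved before delete:", b)
    print("carved after delete :", d)
    print("carved after wipe   :", w)
```

Run directly, it prints the three carve results. The second result is the point the paper makes: after deletion the directory no longer references the sectors, yet the URLs are still there for a raw search; only after the sectors are overwritten does the search come up empty. A tool that erases only what the directory still points at will miss copies left in unallocated space, and a tool that only processes default folders will miss a file the user has moved elsewhere.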

Related research

Related research has focused on discovering how much data can be recovered and restored on systems that have been cleaned using Evidence Eliminator (Weston, 2003). The experiment involved a Microsoft Windows XP system and was analysed using the Guidance Software EnCase Enterprise edition software suite. Evidence Eliminator was tested in both quick and full modes. Evidence of the file-sharing systems KaZaA and Sexter was created on the disk (Weston, 2003). The results proved to be interesting. In quick mode very few registry entries relating to KaZaA or Sexter remained on disk. However, there were about 500 search results relating to KaZaA (Weston, 2003). This means that, at the very least, it is possible to determine whether or not file-sharing software has been used on a computer. When Evidence Eliminator was tested in full mode there was evidence of KaZaA in unallocated space, but nothing conclusive could be recovered (Weston, 2003). Other items of information to survive include the Windows Media Player database and pagefile.sys. The author of the tests was also able to take the copy of the disk and restore it using the System Restore facility included as part of Windows XP. The author of these tests concluded by suggesting that Evidence Eliminator is very easy to defeat after it has been run in quick mode and that accurate results can be achieved (Weston, 2003). More artefacts were deleted in full mode and there were fewer data remaining in unallocated space. It was also concluded that the System Restore facility within Windows XP can be useful for recreating the crime scene.

In other, separate research, Guidance Software has shown that it is possible to recover data erased using ‘cipher.exe’, the scrubbing feature of Windows XP. In this experiment the disk was wiped using the facility and an image was made using EnCase (Stone and Keightley, 2001). The results showed that all unallocated space was filled with random characters. However, only a small portion of unallocated clusters and the Master File Table (MFT), which contains information about files and their directories, were actually wiped. The authors found that other areas of interest were also preserved. For example, data in slack space, Registry files and the pagefile.sys were all recovered (Stone and Keightley, 2001). Although the emphasis of these experiments was slightly different in this case, the results seem to support the assertion that it is still possible to recover intelligence after a disk has supposedly been thoroughly wiped.

Methodology

The experiment that was undertaken involved tests with two versions of one disk cleaner, which will remain anonymous for the purpose of this paper. One was a free version and the other was a purchased version of the tool. They were each tested on disks containing the Microsoft Windows 98 and 2000 operating systems, which were selected as they are still widely used, Windows 98 in the home environment and Windows 2000 in the home and business environments. In each case the same common applications were installed. The experiment took place in the following way. Two hard drives were cleaned and purged to ensure no data fragments remained. The purging of the disks was validated by examination of the contents of both disks after the scrubbing process had completed. The first disk was then built as a Windows 98 OSR2 disk and formatted with a FAT32 file system. The second was installed with Windows 2000 Service Pack 4 and formatted with an NTFS file system. An image of both disks was taken with Guidance Software’s EnCase version 4.16 to provide a clean image for comparison and to prevent contamination of the original data. The next step involved installing a set of applications on the disks. Both disks were installed with Microsoft Internet Explorer version 5.0, Microsoft Outlook Express and ICQ Lite (Build 1300). Both disks were then imaged again. The next stage of setting up the experiment involved creating a baseline of activity on the respective systems. This included evidence of Web browsing, including sites with pop-ups. Evidence of software downloads, electronic mail exchanges, ICQ conversations, and news group readers such as Forte Free Agent was also created. Once again, both disks were imaged using EnCase.

The free proprietary disk cleaner was used on both disks with all the available options enabled. Likewise, the purchased cleaner was also used on images of the Windows 98 and 2000 disks. All of the options were also enabled in this case. The disks were again imaged after every clean. All the images were compared and the files that had known MD5 message digests were removed from further consideration. The remaining files and slack space were then analysed using EnCase and produced a number of items of useful information. The steps can be summarised in the diagram below (Fig. 1).
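The known-file filtering step of the methodology, as an added example that is neither the authors' procedure nor EnCase's implementation: the three "images" are constructed dictionaries of path to contents standing in for the post-install, post-activity and post-clean images; the path names, file contents and the "Client UrlCache MMF" header are all made-up stand-ins. It goes a little beyond the MD5 filtering the paper describes and also sorts what is left into the categories the results below report: files left intact, files present but emptied (as with an index.dat whose contents had been erased), files the cleaner itself created, and files removed, whose contents would then be sought in unallocated space.

```python
"""Known-hash filtering across the three images taken in the experiment.

Added example, not from the paper. BASELINE, ACTIVITY and AFTER_CLEAN are
constructed path -> bytes dictionaries standing in for directory trees
exported from the post-install, post-activity and post-clean images."""
import hashlib
from typing import Dict, List

INDEX_HEADER = b"Client UrlCache MMF Ver 5.2\x00"     # index.dat-style header (stand-in)
RECORD = b"URL http://www.example.org/downloads/tool.zip\x00"

IDX = "WINDOWS/Temporary Internet Files/Content.IE5/index.dat"
TIF = "WINDOWS/Temporary Internet Files/Content.IE5/ABCD1234/tool[1].htm"
COOKIE = "WINDOWS/Cookies/user@example[1].txt"
RECENT = "WINDOWS/Recent/tool.zip.lnk"
MOVED = "My Documents/Stuff/tool.zip"                 # user moved it out of the default folder
CLEANER_LOG = "Program Files/Cleaner/cleaner.log"

BASELINE: Dict[str, bytes] = {                        # after OS + application install
    "WINDOWS/SYSTEM/KERNEL32.DLL": b"MZ kernel32 stand-in",
    "Program Files/ICQLite/ICQLite.exe": b"MZ ICQLite stand-in",
    IDX: INDEX_HEADER + b"\x00" * 16,
}
ACTIVITY: Dict[str, bytes] = {                        # after the baseline of activity
    **BASELINE,
    IDX: INDEX_HEADER + RECORD,
    TIF: b"<html>download page</html>",
    COOKIE: b"session\t1\n",
    RECENT: b"L\x00\x00\x00 shortcut stand-in",
    MOVED: b"PK\x03\x04 archive stand-in",
}
AFTER_CLEAN: Dict[str, bytes] = {                     # after the cleaner was run
    "WINDOWS/SYSTEM/KERNEL32.DLL": BASELINE["WINDOWS/SYSTEM/KERNEL32.DLL"],
    "Program Files/ICQLite/ICQLite.exe": BASELINE["Program Files/ICQLite/ICQLite.exe"],
    IDX: INDEX_HEADER + b"\x00" * len(RECORD),        # file kept, entries zeroed
    COOKIE: ACTIVITY[COOKIE],                         # untouched
    RECENT: ACTIVITY[RECENT],                         # untouched
    MOVED: ACTIVITY[MOVED],                           # untouched: outside default locations
    CLEANER_LOG: b"cleaned 1 folder\n",               # created by the cleaner itself
}


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def hash_tree(files: Dict[str, bytes]) -> Dict[str, str]:
    """Path -> MD5 digest for every file in an image."""
    return {path: md5_hex(data) for path, data in files.items()}


def triage(baseline, activity, after_clean) -> Dict[str, List[str]]:
    """Drop files matching a known (baseline) digest; classify the rest."""
    known = set(hash_tree(baseline).values())         # digests of OS/application files
    act = hash_tree(activity)
    out = {"known_dropped": [], "survived_intact": [], "present_altered": [],
           "new_since_activity": [], "removed": []}
    for path, data in after_clean.items():
        digest = md5_hex(data)
        if digest in known:
            out["known_dropped"].append(path)         # identical to a known file: ignore
        elif act.get(path) == digest:
            out["survived_intact"].append(path)       # the cleaner never touched it
        elif path in act:
            out["present_altered"].append(path)       # e.g. index.dat with entries erased
        else:
            out["new_since_activity"].append(path)    # appeared during or after cleaning
    out["removed"] = [p for p in act if p not in after_clean]   # candidates for carving
    return {k: sorted(v) for k, v in out.items()}


if __name__ == "__main__":
    for category, paths in triage(BASELINE, ACTIVITY, AFTER_CLEAN).items():
        print(f"{category}: {paths}")
```

Filtering on digest rather than path means a file the cleaner has reset to exactly its install-time contents is also dropped as known, so the "present but altered" list only catches files whose post-clean contents match nothing seen before; the "removed" list is what drives the subsequent search of unallocated space and slack.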

Discussion of results

Free version

Using the free tool on the Windows 98 system left a significant number of useful items of information. For example, temporary Internet files for the last session remained intact (Fig. 2). In addition to this, the ‘Index.dat’ file, which lists websites visited, was also intact. The analysis also managed to uncover a number of cookies. The Windows ‘recent’ folder also remained and was found to be intact. The experiment also uncovered emails that were stored on the disk. Another noticeable feature was that files that had been moved by the user from the default location were still present. It would be unreasonable to expect any disk-cleaning utility to be able to remove these artefacts, but it is not unusual practice for a user to move a file that they are interested in to a different location or directory. A number of files were recovered from the disk that had been deleted but, contrary to what would be expected after the use of such a tool, had not been overwritten.

[Figure 1: flowchart of the experimental steps. Boxes: Clean & Purge Disks; Format Disks and Install the O.S.; Image Using EnCase; Install Applications; Image Using EnCase; Create a Baseline of Activity; Image Using EnCase; Perform Analysis Using EnCase.]

Figure 1 An outline of the steps carried out during the experiment.

Forensic analysis on the Windows 2000 disk also uncovered a number of significant artefacts that had not been removed. Temporary Internet files for the last session remained intact (Fig. 3). The ‘index.dat’ was also recovered, intact, from this disk. Like the Windows 98 disk, cookies and email messages were found to be still present on the disk. Again, the experiment was also able to find files that had been moved by the user, and it was also the case that files were recovered that had been deleted but not overwritten. The disk examination also found application data, including data saved by news group readers, that were outside the basic configuration of the cleaner.

The index.dat file provides a useful indication of the type of Internet activity that had been carried out from the computer. Fig. 4 shows the file recovered from the Windows 98 test system.

Purchased cleaner

An investigation of the disks wiped with the purchased version of the proprietary cleaner, on both the Windows 98 and the Windows 2000 disks, also revealed that swap files could still be recovered. Cookies and email messages were also found, as in each of the previous tests. Files that had been moved from the default location by the user were again found. The ‘index.dat’ files were found, but using this version of the tool, the contents had been erased.

Useful information gained included the websites visited, the date and time on which it occurred, the user who was logged in at the time in question and the host address.

Figure 2 Files recovered from the Temporary Internet Files folder.

Figure 3 A recovered web page.

Figure 4 A recovered Index.dat file.

Conclusions

In this paper we have described an experiment that was carried out in an attempt to uncover data that remained on a system after disk-cleaning tools had been used. A number of useful conclusions may be derived from the experiment. The aim of the experiment was to assess the general effectiveness of disk-cleaning tools as they are commonly used and to make comparisons between free and purchased versions of the software. Several important conclusions were reached. In each of these tests the system retained enough information for an investigator to identify a clear trail of activity. The test cases were meant to simulate the activities of a more knowledgeable and competent user; despite this, the trail of activity still remained. Therefore, it is reasonable to conclude that completely cleaning computer hard drives of any evidence of activity is beyond the capability of most users and it is likely that there will almost always be some indication of their activity left behind. Although this does not prove that more knowledgeable users would be more successful in removing data, experience of a number of investigative cases shows us that the more knowledgeable and experienced the user, the more thoroughly they are likely to cover their tracks. Most users leave a clear trail of activity.

The evidence recovered from the system would be useful in establishing a profile of usage for the computer being examined: for example, websites visited, files downloaded, evidence of conversations from chat logs, evidence of file sharing and the types of software applications stored and executed on the system. The establishment of such a pattern would facilitate the identification of a Modus Operandi (MO) of the user, the method employed to commit the crime. Clearly, recreating the system by using techniques such as those described in related research would aid this process. It is possible that the data that remain on the hard disk of a computer after a cleaning tool has been used may still be useful as evidence. Therefore, where possible, intelligence should be gathered using the same guidelines as those used to acquire digital evidence in order to retain any evidential value.

This experiment has focussed on the perspective of an investigator attempting to find information relating to illicit activity or a crime. Conversely, organisations or individuals may have a legitimate reason for destroying data. For example, it is not uncommon for organisations to donate obsolete and out of date computer equipment to charities and schools. In this case the organisation may wish to remove sensitive or classified company data, such as financial accounts, sales figures, or secrets relating to years of research and development of a particular product. Medical organisations may try to remove sensitive information, such as medical records relating to patients. Clearly, there would be ramifications for those organisations if the data were to be leaked. Therefore, this experiment also has implications for legitimate usage of disk-cleaning tools. Organisations such as the Electronic Frontier Foundation (EFF, 2004) and the Electronic Privacy Information Centre (EPIC, 2004) would provide a useful source of advice for these organisations. Alternatively, the organisations may wish to consider other ways of removing data, such as physically destroying the storage media.

It is also concluded that the ‘free’ versions of cleaning tools tend to give the user the impression that data have been eradicated when in fact they have not, whereas purchased versions are likely to be more effective. Likewise, tools that adhere to official standards and guidelines such as the DoD 5220.22-M (1995) standard are also likely to be more thorough. Finally, while the experiment did not cover all tools, it should still provide a useful insight into the kinds of evidence that can be recovered from electronic storage media that have been cleaned.

Future work

There has been little research into the use of disk-cleaning utilities and the recovery of data. Future research into the use of disk-cleaning tools will include a detailed comparison of different file wiping utilities to determine which are better at removing data. Another future area of research will be to develop techniques to determine whether disk-scrubbing tools have been used.

References

DiskScrub: New Technologies Incorporated; 2004, <http://www.forensics-intl.com> [retrieved 12th February 2004].

DoD 5220.22-M. National industrial security programme operating manual: The USAID Department; 1995, <http://www.usaid.gov/policy/ads/500/d522022m.pdf> [retrieved 8th March 2004].

EFF: The Electronic Frontier Foundation; 2004, <http://www.epic.org> [retrieved 9th March 2004].

EPIC: The Electronic Privacy Information Centre; 2004, <http://www.epic.org/privacy/tools.html> [retrieved 9th March 2004].

Evidence Eliminator: Robin Hood Software Ltd; 2003, <http://www.evidence-eliminator.com> [retrieved 15th July 2003].

Secure Clean: Access Data Corporation; 2004, <http://www.accessdata.com> [retrieved 9th March 2004].

Stone K, Keightley R. Can computer investigations survive Windows XP and its effects on computer forensics? Guidance Software; 2001, <http://www.guidancesoftware.com/> [retrieved 1st December 2003].

Tolvanen S. Sami Tolvanen’s forensic tool site; 2004, <http://www.tolvanen.com/eraser> [retrieved 10th March 2004].

Weston R. Defeating Evidence Eliminator. Microsoft PowerPoint presentation, personal communication; 2003.