Blog: SANS Digital Forensics and Incident Response Blog


Computer Forensics: Using Evidence Cleaners to Find Artifacts

I have used CCleaner for years and it is one of the first programs I put on new computers. It has handy functions to clean up temporary files, logs, and even the Registry. While many would argue that such a program may help erase digital evidence, it can also shed light on where to look for important items of interest.

CCleaner used to store settings in the Registry, but has now opted to use an .INI file to assist in application portability. This is a great asset to forensic examiners who like to research new artifacts. The default installation has the necessary .INI files embedded within the executable, but they are usually available for download in this support thread (forum registration required). Lifehacker recently posted an article about the enhanced version of the application .INI file which can be downloaded towards the bottom of the article.

Here are two entries from the application .INI file:

[*LimeWire]
LangSecRef=3022
DetectFile=%ProgramFiles%\LimeWire\LimeWire.exe
Default=True
FileKey1=%userprofile%\Incomplete|*.*|RECURSE
FileKey2=%userprofile%\Application Data\LimeWire|fileurns.cache
FileKey3=%userprofile%\Application Data\LimeWire|createtimes.cache
FileKey4=%userprofile%\Application Data\LimeWire|responses.cache
FileKey5=%userprofile%\Application Data\LimeWire|ttree.cache
FileKey6=%userprofile%\Application Data\LimeWire|gnutella.net

[Windows Media Player]
ID=2033
LangSecRef=3023
Detect=HKCU\Software\Microsoft\MediaPlayer\Player
Default=True
RegKey1=HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList
RegKey2=HKCU\Software\Microsoft\MediaPlayer\Player\RecentURLList
RegKey3=HKCU\Software\Microsoft\MediaPlayer\Preferences|LastPlayList
RegKey4=HKCU\Software\Microsoft\MediaPlayer\Preferences|LastPlayListIndex
RegKey5=HKCU\Software\Microsoft\MediaPlayer\Player\Settings|SaveAsDir
RegKey6=HKCU\Software\Microsoft\MediaPlayer\AutoComplete\MediaEdit
RegKey7=HKCU\Software\Microsoft\MediaPlayer\Radio\MRUList

All of the entries within the .INI files follow a similar format. CCleaner only shows cleaning options for programs that it knows exist on the system, using the "Detect" entry (a Registry key) or the "DetectFile" entry (a file path) to determine whether a program has been installed. The FileKey and RegKey entries that follow are the items CCleaner will attempt to delete or erase; they are typically log files, caches, or Most Recently Used (MRU) entries, and are exactly the locations a forensic examiner will want to inspect.

Irongeek.com posted a similar article showcasing areas of interest that are cleaned using Nirsoft.net's CleanAfterMe tool. CleanAfterMe doesn't use an .INI file, but it does create a log of the items it has cleaned. You can run the program and look at the logs to see where each cleaning option points. There are a multitude of other evidence cleaning programs that can provide similar intel. Even if there is no .INI file or log file, you can still use something like Process Monitor to see what is actually happening when the program is run.

In my opinion, if someone were to take CCleaner's .INI files and create a tool that does the exact opposite of CCleaner, parsing each item and creating an information report instead of cleaning the targets, they would have one heck of a triage tool.
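As an added illustration of that idea (example code written for this post, not a CCleaner or SANS tool), the script below parses the two rule entries quoted above and turns them into a triage report instead of a cleaning job. It splits each FileKey into directory, pattern and the RECURSE flag, each RegKey into key and optional value name, expands the `%...%` placeholders from a supplied dictionary, and reports which target directories actually exist. The `DEMO_ENV` values are constructed so the output is deterministic off a Windows system; on a live box you would pass `dict(os.environ)` instead, and the `exists` callback lets you point the check at a mounted image rather than the local file system.

```python
import os
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

# The two entries quoted in the post, used here verbatim as sample input.
SAMPLE_INI = r"""
[*LimeWire]
LangSecRef=3022
DetectFile=%ProgramFiles%\LimeWire\LimeWire.exe
Default=True
FileKey1=%userprofile%\Incomplete|*.*|RECURSE
FileKey2=%userprofile%\Application Data\LimeWire|fileurns.cache
FileKey3=%userprofile%\Application Data\LimeWire|createtimes.cache
FileKey4=%userprofile%\Application Data\LimeWire|responses.cache
FileKey5=%userprofile%\Application Data\LimeWire|ttree.cache
FileKey6=%userprofile%\Application Data\LimeWire|gnutella.net

[Windows Media Player]
ID=2033
LangSecRef=3023
Detect=HKCU\Software\Microsoft\MediaPlayer\Player
Default=True
RegKey1=HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList
RegKey2=HKCU\Software\Microsoft\MediaPlayer\Player\RecentURLList
RegKey3=HKCU\Software\Microsoft\MediaPlayer\Preferences|LastPlayList
RegKey4=HKCU\Software\Microsoft\MediaPlayer\Preferences|LastPlayListIndex
RegKey5=HKCU\Software\Microsoft\MediaPlayer\Player\Settings|SaveAsDir
RegKey6=HKCU\Software\Microsoft\MediaPlayer\AutoComplete\MediaEdit
RegKey7=HKCU\Software\Microsoft\MediaPlayer\Radio\MRUList
"""

# Constructed placeholder values (not from a real system) so the report is
# reproducible anywhere; replace with dict(os.environ) on a live Windows host.
DEMO_ENV = {"programfiles": r"C:\Program Files",
            "userprofile": r"C:\Documents and Settings\bob"}


@dataclass
class FileTarget:
    directory: str      # directory part of a FileKey, still containing %vars%
    pattern: str        # file name or wildcard pattern (defaults to *.*)
    recurse: bool       # True when the RECURSE flag is present


@dataclass
class RegTarget:
    key: str                    # Registry key path
    value: Optional[str] = None # a named value, or None for the whole key


@dataclass
class Rule:
    name: str
    detect_reg: Optional[str] = None    # "Detect=" Registry key
    detect_file: Optional[str] = None   # "DetectFile=" path
    files: List[FileTarget] = field(default_factory=list)
    regkeys: List[RegTarget] = field(default_factory=list)


def parse_rules(text: str) -> List[Rule]:
    """Parse CCleaner-style [Section] / Key=Value text into Rule objects."""
    rules: List[Rule] = []
    current: Optional[Rule] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = Rule(name=line[1:-1])
            rules.append(current)
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if key == "Detect":
            current.detect_reg = value
        elif key == "DetectFile":
            current.detect_file = value
        elif key.startswith("FileKey"):
            parts = value.split("|")
            pattern = parts[1] if len(parts) > 1 else "*.*"
            recurse = any(p.upper() == "RECURSE" for p in parts[2:])
            current.files.append(FileTarget(parts[0], pattern, recurse))
        elif key.startswith("RegKey"):
            reg_key, _, value_name = value.partition("|")
            current.regkeys.append(RegTarget(reg_key, value_name or None))
    return rules


def expand(path: str, env: Dict[str, str]) -> str:
    """Expand %NAME% placeholders case-insensitively; unknown names are kept."""
    return re.sub(r"%([^%]+)%",
                  lambda m: env.get(m.group(1).lower(), m.group(0)), path)


def build_report(rules: List[Rule], env: Dict[str, str]) -> List[str]:
    """Render each rule as lines describing what CCleaner would wipe."""
    lines: List[str] = []
    for rule in rules:
        if rule.detect_reg:
            cond = "registry key " + rule.detect_reg
        elif rule.detect_file:
            cond = "file " + expand(rule.detect_file, env)
        else:
            cond = "none (always offered)"
        lines.append(f"[{rule.name}] detect: {cond}")
        for f in rule.files:
            flag = "  (recursive)" if f.recurse else ""
            lines.append(f"  FILE  {expand(f.directory, env)}\\{f.pattern}{flag}")
        for r in rule.regkeys:
            what = f" -> value {r.value}" if r.value else "  (entire key)"
            lines.append(f"  REG   {r.key}{what}")
    return lines


def triage(rules: List[Rule], env: Dict[str, str],
           exists: Callable[[str], bool] = os.path.exists) -> List[Tuple[str, str, str]]:
    """Return (rule, directory, pattern) for file targets whose directory exists."""
    hits = []
    for rule in rules:
        for f in rule.files:
            directory = expand(f.directory, env)
            if exists(directory):
                hits.append((rule.name, directory, f.pattern))
    return hits


if __name__ == "__main__":
    parsed = parse_rules(SAMPLE_INI)
    print("\n".join(build_report(parsed, DEMO_ENV)))
    for hit in triage(parsed, DEMO_ENV):
        print("PRESENT:", hit)
```

Registry targets are only listed here; checking them on a live Windows system would add a `winreg` lookup per RegTarget, and against a mounted image you would run the same key list through an offline hive parser.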

Matt Churchill currently manages the digital forensics practice at Continuum Worldwide and has earned the GCFA, CFCE, CCE, and CISSP certifications. You can follow him on Twitter @matt_churchill.

3 Comments

Posted August 17, 2010 at 10:47 PM

Windows 7

Howdy, how can I sign up for your RSS? I can't find your RSS link.

Posted August 18, 2010 at 12:57 PM

Dave Hull

There's an orange and white RSS icon on the right-hand side of the page; if you click it, you can subscribe to the RSS feed for the blog.

Posted June 29, 2011 at 7:50 AM

urs

Hi,

Great article. Thanks. Do you know until which release version CCleaner used the stored settings from the Registry?
