This article is a follow-up to one I did last week on when a person may use a sanitation tool such as CCleaner to “clean” their Internet history and other activity. In that article, I discussed how many artifacts are left behind even when the subject runs CCleaner with the default “cleaning” options.
In the previous article and example, I did not use the “wipe free space” option under the “advanced” category. This option is not selected by default, but I received a lot of feedback and questions from readers asking what the results would be if the user selects the “wipe free space” option.
Selecting this option causes CCleaner to wipe unallocated clusters, and while that may sound horrible from a forensic perspective, it commonly does not turn out that way. There are a few limitations to wiping “free space”. The most important is related to the cluster size of the file system. The default cluster size for an NTFS volume is 4,096 bytes, which means that every file, regardless of size (excluding NTFS resident files), is allocated a minimum of 4,096 bytes on disk to store its data. Where this comes into play is when a subject deletes a file and a new, smaller file is created that occupies a cluster still holding artifacts from the deleted file. If the new file is smaller than 4,096 bytes, there could be quite a bit of data left behind in the file slack space; that slack is still accessible to forensic tools and is not wiped by the “wipe free space” option, because the cluster is once again allocated.
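To make the cluster-size point concrete, here is a small Python model added for this article (it is not code from the original post or from CCleaner): it treats a volume as 4,096-byte clusters, deletes a two-cluster file, reuses the first cluster for a 5-byte file, wipes the unallocated clusters, and then reads the new file's slack. The file names and the URL-like artifact are constructed.

```python
# Added example: a toy model of a volume with 4,096-byte clusters. Not code
# from the article or from CCleaner; file names and contents are constructed.
CLUSTER = 4096

def clusters_for(size):  # whole clusters a file of `size` bytes occupies
    return -(-size // CLUSTER)

class ToyVolume:
    def __init__(self, clusters):
        self.data = bytearray(CLUSTER * clusters)
        self.allocated = [False] * clusters
        self.files = {}  # name -> (first cluster, logical size in bytes)

    def write(self, name, content):
        n = clusters_for(len(content))
        for start in range(len(self.allocated) - n + 1):  # first fit
            if not any(self.allocated[start:start + n]):
                break
        else:
            raise OSError("volume full")
        off = start * CLUSTER
        # only len(content) bytes are overwritten; the rest of the last cluster is slack
        self.data[off:off + len(content)] = content
        for c in range(start, start + n):
            self.allocated[c] = True
        self.files[name] = (start, len(content))

    def delete(self, name):
        start, size = self.files.pop(name)
        for c in range(start, start + clusters_for(size)):
            self.allocated[c] = False  # clusters freed, bytes left in place

    def wipe_free_space(self):  # what a "wipe free space" pass does
        for c, used in enumerate(self.allocated):
            if not used:
                self.data[c * CLUSTER:(c + 1) * CLUSTER] = bytes(CLUSTER)

    def slack(self, name):
        """Bytes between a file's logical end and the end of its last cluster."""
        start, size = self.files[name]
        end = (start + clusters_for(size)) * CLUSTER
        return bytes(self.data[start * CLUSTER + size:end])

def demo():
    vol = ToyVolume(clusters=8)
    artifact = b"http://example.test/visited-page?id=42 "  # 39 bytes, constructed
    vol.write("history.dat", artifact * 200)  # 7,800 bytes -> clusters 0 and 1
    vol.delete("history.dat")  # both clusters marked free; bytes untouched
    vol.write("note.txt", b"hello")  # 5 bytes reuse cluster 0, now allocated
    vol.wipe_free_space()  # cluster 1 and the rest are zeroed; cluster 0 is not
    return vol, vol.slack("note.txt")  # slack still holds the old artifact
```

Running `demo()` returns 4,091 bytes of slack from cluster 0 that still contain the deleted history entries, while cluster 1, which was unallocated at wipe time, is all zeros.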
The second and probably more important fact is that many artifacts are placed into RAM, from which they can make their way into the pagefile. As mentioned in the previous article, CCleaner (and many other “sanitation” apps) do not affect the pagefile (or hiberfil.sys), where many of the artifacts are likely to be found. Obviously, mileage will vary depending on how long after the artifacts were created the free-space wipe and the evidence collection are performed, but from an artifact and evidence perspective, wiping free space will likely remove some Internet artifacts while many are left behind in other areas.
Here are the results of running IEF to find Internet artifacts before I ran CCleaner (on the left). I then ran CCleaner with the “wipe free space” option selected, rebooted the computer (to simulate a shutdown at the end of the day), and re-ran IEF to find artifacts after the wipe option was used (on the right).
[Screenshot: IEF results before (left) and after (right) the free-space wipe]
[Screenshots: CCleaner options and progress during the ‘cleaning’ process]
The point I made in the first article remains valid in this example. The subject can use all sorts of ‘sanitation’ or anti-forensic techniques, but so many artifacts are left behind in areas that these consumer-level tools do not address or affect that, even when such tools have been used, a full Internet artifact analysis is still worthwhile and likely to produce results.
As always, if you have any comments, suggestions or questions,
you can contact me directly at: lance (at) magnetforensics.com
