Showing posts with label evidence. Show all posts
Monday, 2 September 2013

New Hacking Software Tries 8 Million Times Per Second to Crack Password

[Screenshot: oclHashcat-plus]
While the National Security Agency (NSA) makes nearly daily headlines for spying on people and their Internet activity, a new application recently released to the public can reportedly crack passwords at 8 million guesses per second.
This type of attack, called "brute force," tries large numbers of candidate passwords, built from combinations of characters or of dictionary words, until one matches the stored password hash.
The application, oclHashcat-plus, is pitched as a free password cracking and recovery tool, but it can just as easily be used by attackers. The software was released this weekend by Hashcat.net.
oclHashcat-plus can crack passwords of up to 55 characters, and it can tailor its guesses to the password-construction policy an organization enforces, notes ArsTechnica.com.

To test oclHashcat-plus, a security researcher at ArsTechnica.com cracked the password “Ph’nglui mglw’nafh Cthulhu R’lyeh wgah’nagl fhtagn1,” which is a phrase from a horror story written by H.P. Lovecraft.
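What makes a 50-character passphrase crackable is not raw guessing speed alone but the attack modes that assemble long candidates out of dictionary words and mangling rules. The Python script below is an added example, not code from the article, from Ars Technica or from the hashcat project: it runs a small combinator-plus-rules attack against an unsalted MD5 hash over a constructed ten-word list and reports how many guesses it took and the guess rate. The wordlist and the four rules are this example's own assumptions; the comments name the closest hashcat rule for each.

```python
import hashlib
import itertools
import time

# Constructed demo wordlist standing in for a real dictionary. A handful of
# entries is enough to show the mechanics; real attacks use millions of words.
WORDLIST = ["correct", "horse", "battery", "staple", "cthulhu", "fhtagn",
            "password", "summer", "welcome", "admin"]

# Hypothetical mangling rules in the spirit of hashcat's rule engine. The
# lambdas are this example's own; the comment gives the equivalent hashcat rule.
RULES = [
    lambda w: w,                       # ':'    pass the word through unchanged
    lambda w: w.capitalize(),          # 'c'    capitalise the first letter
    lambda w: w + "1",                 # '$1'   append a digit
    lambda w: w.capitalize() + "1",    # 'c $1' both of the above
]


def md5_hex(text: str) -> str:
    """Unsalted MD5: the kind of fast hash a GPU cracker chews through quickly."""
    return hashlib.md5(text.encode("utf-8")).hexdigest()


def candidates(words, max_words, separators=(" ", "")):
    """Combinator attack: every ordered join of 1..max_words dictionary words,
    with and without a space between them, each then fed through every rule."""
    for n in range(1, max_words + 1):
        for combo in itertools.product(words, repeat=n):
            seps = separators if n > 1 else ("",)   # a separator is meaningless for one word
            for sep in seps:
                base = sep.join(combo)
                for rule in RULES:
                    yield rule(base)


def crack(target_hash, words=WORDLIST, max_words=3):
    """Return (plaintext_or_None, guesses_tried, guesses_per_second)."""
    start = time.perf_counter()
    guesses = 0
    for cand in candidates(words, max_words):
        guesses += 1
        if md5_hex(cand) == target_hash:
            break
    else:
        cand = None
    elapsed = time.perf_counter() - start
    return cand, guesses, (guesses / elapsed if elapsed > 0 else float("inf"))


if __name__ == "__main__":
    # A 22-character passphrase made of dictionary words falls within a few thousand guesses.
    print(crack(md5_hex("Correct horse battery1")))
    # A short random string is never even generated by this attack.
    print(crack(md5_hex("x9!Qp#")))
```

Run as-is, the dictionary-built passphrase is recovered long before the 8,840-guess search space is exhausted, while the random string exhausts it without a hit. At the 8 million guesses per second quoted above, that whole space is about a millisecond of work; length alone buys nothing when every component is a dictionary word. The defences this illustrates are a slow, salted password hash (bcrypt, scrypt or PBKDF2 rather than MD5) and passwords that are not built from words and predictable suffixes.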

Wednesday, 3 July 2013

“Oh no, the suspect ran CCleaner to get rid of the evidence!”

I recently received a few questions about the effect that running Internet history sanitation tools such as CCleaner has on an examination of a computer for Internet-related artifacts. CCleaner is a product from Piriform (www.piriform.com); a version is freely available online and is commonly used to ‘sanitize’ user activity. According to the online documentation, CCleaner protects privacy by cleaning out Internet browsing history and temporary Internet files.
I have personally run into CCleaner on several cases when examining digital evidence and found it to have a varying degree of effectiveness, depending on exactly which types of artifacts you are trying to find or recover after its use. CCleaner can clean and remove information from several different locations, including the registry and the recycle bin, and it can even wipe the disk. For this article, I am focusing on its effect on the ability to recover Internet-related history after CCleaner has been run.
Using a well-used test machine (Windows 7) with several different types of Internet-related artifacts, I ran Internet Evidence Finder (IEF) with the default options to get a baseline of the artifacts that existed before running CCleaner. The test machine had artifacts from Chrome, Firefox and Internet Explorer 10, as well as from numerous other applications such as P2P clients, webmail, etc. Here is a snapshot of just the web-related artifacts found before running CCleaner.
[Screenshot: IEF web-related artifacts before running CCleaner]
I then installed CCleaner on the test machine, just as a suspect would, accepting the default installation options. From the CCleaner interface, the following options were enabled by default.
[Screenshot: CCleaner with its default options enabled]
I then ran CCleaner and received confirmation that it had cleaned several locations related to Internet history.
[Screenshot: CCleaner results]
After running CCleaner, I rebooted the test machine and reran Internet Evidence Finder (IEF) with the same default options, and I was still able to find almost all of the artifacts that had been identified before running CCleaner. In fact, the counts in some categories went up, most likely because artifacts that existed only in memory before the reboot were flushed to disk (the pagefile) when the computer was shut down and restarted.
[Screenshot: IEF artifact counts before and after running CCleaner]
As many are aware, Internet artifacts are commonly found in memory (which I did not examine in this example) and ultimately end up on disk in the pagefile or hibernation file. Tools such as CCleaner have minimal effect on these files, so many of the commonly sought-after artifacts can still be found.
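One way to see why deleting a browser's history database is not enough is to carve URL strings straight out of a raw pagefile or hibernation-file image. The Python below is an added example, not part of this post and not IEF's code: it scans a constructed byte blob standing in for a slice of pagefile.sys and recovers URLs stored both as ASCII and as UTF-16LE (the encoding in which Windows keeps most in-memory strings), reading the input in overlapping windows so the same routine can be pointed at a multi-gigabyte file through mmap. The sample blob, the URL character class and the window sizes are this example's assumptions.

```python
import mmap
import re

# Characters RFC 3986 allows in a URL; reused for both encodings below.
_URL_CHARS = rb"[A-Za-z0-9._~:/?#\[\]@!$&'()*+,;=%-]"

# Plain ASCII/UTF-8 URL as found in network buffers, cache entries and logs.
URL_ASCII = re.compile(rb"https?://" + _URL_CHARS + rb"{4,255}")

# The same URL as UTF-16LE, the way Windows holds most strings in memory:
# every character is followed by a NUL byte.
URL_UTF16 = re.compile(
    rb"h\x00t\x00t\x00p\x00(?:s\x00)?:\x00/\x00/\x00(?:" + _URL_CHARS + rb"\x00){4,255}"
)


def carve_urls(data, chunk=1 << 20, overlap=600):
    """Scan a bytes-like object (bytes or an mmap) and return a sorted list of
    (offset, encoding, url). Each window is `chunk` bytes plus an `overlap`
    tail long enough for the longest possible match to finish; only matches
    that start inside the chunk are recorded, so nothing is counted twice."""
    hits = []
    pos = 0
    total = len(data)
    while pos < total:
        window = data[pos:pos + chunk + overlap]
        for m in URL_ASCII.finditer(window):
            if m.start() < chunk:
                hits.append((pos + m.start(), "ascii", m.group().decode("ascii")))
        for m in URL_UTF16.finditer(window):
            if m.start() < chunk:
                hits.append((pos + m.start(), "utf-16le", m.group().decode("utf-16-le")))
        pos += chunk
    return sorted(hits)


def carve_file(path):
    """Carve a copy of pagefile.sys or a memory dump without loading it all into RAM."""
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as mm:
        return carve_urls(mm)


def build_sample_blob():
    """Constructed stand-in for a pagefile slice: browser data whose database was
    deleted survives as loose strings amid unrelated bytes, once as ASCII and
    once as UTF-16LE."""
    ascii_part = b"\x00\x00GET https://mail.example.com/inbox?id=42 HTTP/1.1\r\n\x00garbage\xff\xfe"
    utf16_part = "http://forum.example.net/thread/7".encode("utf-16-le")
    return ascii_part + b"\x00" * 16 + utf16_part + b"\x00\x00" + b"\x90" * 8


if __name__ == "__main__":
    for offset, enc, url in carve_urls(build_sample_blob()):
        print(f"{offset:#010x}  {enc:<8}  {url}")
```

Against the sample blob this recovers both URLs with their byte offsets and encodings, which is the kind of hit that survives a history-database wipe. Two caveats for real images: the overlap must stay at least as long as the longest match the patterns can produce (526 bytes for the UTF-16 form here), and on Windows 7 hiberfil.sys is stored compressed, so carve a decompressed copy or a memory dump rather than the raw hibernation file.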
This example should be a clear illustration of how important the collection of RAM can be, regardless of the type of investigation. It also demonstrates the importance of searching for Internet-related artifacts even when you find evidence that the suspect used ‘sanitation’ tools. Several other ‘sanitation’ tools are freely available, each with varying results. The point of this post is that a search for Internet-related artifacts is well worth the effort, even when you fear they may have been ‘sanitized’.