Difference between pages "Deception indicators" and "File:Hashkeeper.txt"

From ForensicsWiki
(Difference between pages)
The following indicators may indicate that the user of a computer system is trying to hide their presence, implicate another individual, convey erroneous information, or otherwise deceive a forensic analysis or tool.

Unfortunately, many of the deception indicators are also indicators of good security practice.

==File System Indicators==
* Files having the wrong extension (e.g. file.jpg instead of file.doc).
* Very large files (may indicate use of cryptographic file systems, virtual machines, etc.).
* Virtual machine players (VMware, VirtualBox, Parallels).
* TrueCrypt or RealCrypt.
* PGP files or volumes.
* PointSec.
* Encrypted email.
* Wrong date or time.
* Repeating data across the drive.
* Truncated history files.

==Log File Indicators==
Log files that are:
* Missing
* Truncated
* Showing time gaps
* Containing one or more incomplete lines, or lines that start midway (this happens if the attacker removes the last 4K of a file without respect to line boundaries)
* Inconsistent (e.g. email that was forwarded without ever being received)
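The log-file indicators above can be checked mechanically. The following is an added example, not code from ForensicsWiki, that flags lines without a leading timestamp (a line that starts midway), a missing final newline (truncation), and gaps or reversals between consecutive timestamps; the syslog-like line format, the sample log and the one-hour gap threshold are assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumed line format (constructed for this example): "YYYY-MM-DD HH:MM:SS host prog: message"
TS_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) ")
TS_FMT = "%Y-%m-%d %H:%M:%S"

def check_log(text, max_gap=timedelta(hours=1)):
    """Return sorted (line_no, indicator) findings for the text of one log file.
    Indicators: "starts midway" (no leading timestamp, e.g. a chunk removed without
    respect to line boundaries), "incomplete last line" (no trailing newline),
    "time gap" (entries more than max_gap apart), "time goes backwards"
    (non-monotonic timestamps) and "unparseable timestamp".
    """
    findings = []
    if text and not text.endswith("\n"):
        findings.append((text.count("\n") + 1, "incomplete last line"))
    prev = None
    for no, line in enumerate(text.splitlines(), start=1):
        m = TS_RE.match(line)
        if not m:
            findings.append((no, "starts midway"))
            continue  # cannot place this line on the timeline
        try:
            ts = datetime.strptime(m.group(1), TS_FMT)
        except ValueError:
            findings.append((no, "unparseable timestamp"))
            continue
        if prev is not None:
            if ts < prev:
                findings.append((no, "time goes backwards"))
            elif ts - prev > max_gap:
                findings.append((no, "time gap"))
        prev = ts
    return sorted(findings)

# Constructed sample: a 4-hour hole, a line that starts midway, and no final newline.
SAMPLE_LOG = (
    "2011-02-06 09:00:01 host sshd[412]: Accepted publickey for alice\n"
    "2011-02-06 09:05:17 host sudo: alice : TTY=pts/0 ; COMMAND=/bin/ls\n"
    "2011-02-06 13:30:44 host sshd[519]: session closed for user alice\n"
    "ssion opened for user bob\n"
    "2011-02-06 13:31:02 host cron[600]: (root) CMD (run-parts)"
)

if __name__ == "__main__":
    for line_no, indicator in check_log(SAMPLE_LOG):
        print(f"line {line_no}: {indicator}")
```

A clean file produces no findings; the time-gap threshold should be tuned to how often the source normally logs, since a quiet host will otherwise produce false positives.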

==Network Communications==
* Presence or use of VPN software.
* Use of anonymity websites, such as:
** anonymizer.com
** hidemyass.com
** Open proxy servers (got a list?)
* hushmail.com
* Setting a proxy server.
* SSH.

==Redaction Indicators==
* Evidence Eliminator
* CCleaner
* List of drive cleaner tools; searches for drive cleaning software.

Latest revision as of 09:59, 6 February 2011

Create Hashkeeper files, which can be imported into EnCase.

Given an input file containing a list of target files to be hashed, the script will produce a pair of files in Hashkeeper format. This pair can then be imported into EnCase.