Help! How do you nullify the effects of Go.DriveClean

StanP

New Member
Mar 17, 2008
9
0
#1
I have been trying to determine internet activity on a computer. I used the program TotalRecall, which read the index.dat files and gave me the information that I needed. I discovered that previously, someone had gone in and run the program Go.DriveClean, which set all the access time dates to the time that program was run. My problem is that I cannot establish access times because they have been modified. Is there a way to undo Go.DriveClean and find the actual times? Any help would be appreciated.

Thanks
 

RobertR

New Member
Jun 3, 2007
447
0
#2
Nope..... once the time and date stamps have been changed they are changed........ you can however look at other information to help establish times for the files..... if you have history files they may have references to the files in question with time and dates associated... you may also find references to the files in the registry with last written time etc....

also look at the suspect web pages themselves... some developers are kind enough to place information in web pages or advertisements that gives date and time information as well as ip addresses of the computer.... they do this to target advertising based on client location and other info..... this information may reside in carved web pages related to content or in the cache if it was not cleared and erased.
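As an added example (not code from anyone in this thread), here is a Python heuristic for the situation StanP describes: a cleaner that restamps every index.dat access time with the moment it ran leaves one dense cluster of identical times, which is the thing to flag before rebuilding a timeline from an independent source such as a registry key's last-written time. All entries, times and the corroborating table are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample of (entry, last_accessed) rows, in the shape a tool
# such as TotalRecall reports from index.dat.  Hypothetical values only.
HISTORY = [
    ("http://news.example/front", datetime(2006, 11, 17, 21, 14, 0)),
    ("http://news.example/sport", datetime(2006, 11, 17, 21, 14, 0)),
    ("http://shop.example/cart", datetime(2006, 11, 17, 21, 14, 1)),
    ("http://mail.example/inbox", datetime(2006, 11, 18, 9, 2, 0)),
    ("http://mail.example/sent", datetime(2006, 11, 18, 9, 2, 0)),
    ("http://weather.example/", datetime(2007, 1, 4, 8, 30, 0)),
]

# Constructed independent source: e.g. last-written time of a registry key
# that references the entry (the kind of artifact RobertR points to).
REGISTRY_LAST_WRITTEN = {
    "http://mail.example/inbox": datetime(2006, 3, 2, 19, 45, 0),
}

def find_reset_cluster(rows, window=timedelta(hours=48), min_share=0.5):
    """Return (start, end, fraction) for the densest window holding at least
    min_share of all rows, or None.  Genuine browsing spreads across weeks;
    a cleaner that restamps everything leaves a single dense cluster."""
    times = sorted(t for _, t in rows)
    best = None
    for i, start in enumerate(times):
        end = start + window
        n = sum(1 for t in times[i:] if t <= end)
        if best is None or n > best[2]:
            best = (start, times[i + n - 1], n)
    if best is None or best[2] / len(times) < min_share:
        return None
    return best[0], best[1], best[2] / len(times)

def rebuild_timeline(rows, cluster, corroborating):
    """Replace access times inside the suspect cluster with a time from the
    independent source; entries with no independent source get None rather
    than the untrusted restamped value.  Rows outside the cluster stay."""
    start, end, _ = cluster
    out = []
    for entry, t in rows:
        if start <= t <= end:
            out.append((entry, corroborating.get(entry), "restamped"))
        else:
            out.append((entry, t, "original"))
    return out

if __name__ == "__main__":
    cluster = find_reset_cluster(HISTORY)
    print("suspect cluster:", cluster)
    for row in rebuild_timeline(HISTORY, cluster, REGISTRY_LAST_WRITTEN):
        print(row)
```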
 

StanP

New Member
Mar 17, 2008
9
0
#3
Bob...Thanks for the helpful information. I have to confess that my computer skills are limited. How would I access the registry to reference the last written time of these files? What are carved web pages and how can they be accessed? Last, how do I access the cache for this targeted information?

P.S. The Go.DriveClean program was downloaded and used on 11/17-18/06. I don't believe the computer was used very much after that date.

Again, your knowledge would be appreciated.
 
Dec 31, 2006
3,405
0
#4
StanP said:
Bob...Thanks for the helpful information. I have to confess that my computer skills are limited. How would I access the registry to reference the last written time of these files? What are carved web pages and how can they be accessed? Last, how do I access the cache for this targeted information?

P.S. The Go.DriveClean program was downloaded and used on 11/17-18/06. I don't believe the computer was used very much after that date.

Again, your knowledge would be appreciated.
Stan, before we lead you down the slippery slope, what are you hoping to accomplish? If your "computer skills are limited" this can get deep quickly, not to mention expensive with the hardware and software necessary to examine this information. There are Open Source tools available, however they are not for the faint of heart or those with limited computer skills.
 

StanP

New Member
Mar 17, 2008
9
0
#5
Here is the sordid story. My daughter is divorcing. Her husband is a serial purveyor of adult sites. He admitted this to her and said she couldn't prove it.
The internet activity is on the computer in her possession. He left the house in May 2006. Recently, she ran the program TotalRecall to research this history and establish the adult site access times, times when he still occupied the house. What she found was that all the access times were altered to 11/17-18/06 (about 3500 entries). About 500-600 of the visits were to adult sites; the remaining were normal sites. She also discovered that a program Go.DriveClean was downloaded and run on 11/17/06. She suspects that he entered the house and installed this program when she was out.
This divorce is a civil matter and she is looking for leverage in the proceedings. He is a doctor and this would be embarrassing. This is leverage for an out-of-trial settlement. And that is the story.
 
Dec 31, 2006
3,405
0
#6
At this point, unfortunately, the mucking around your daughter has done on the evidence will probably nullify any value the information would have had. There may be a chance that a professional examiner could salvage some value, however opposing counsel would probably tear it apart or, more likely, move to exclude the evidence.

Electronic evidence is really little different than physical evidence. As an example, imagine your daughter had found adult magazine subscriptions in the house subsequent to the separation. Further, she called the magazine company and made changes to the subscription. Finding the magazines and calling a Private Detective would be one thing; once she made a change to the evidence of the subscription (by calling the company) she would have diminished the value of the evidence. Same thing here. If she would have stopped when she found the original images and called in an investigator, a timeline could probably have been established. As it is she has been on the computer, opening files, looking around and in essence changing the evidence.

As I said it may be worth calling a professional, but depending on what has been done to the computer so far it may be for naught.
 

RobertR

New Member
Jun 3, 2007
447
0
#7
Yes..... As the others have said....at this point the problems are great and the need to do a somewhat complex exam to potentially recover data of limited value is what you are left with......

Ask yourself what the true value is of the exam; you would need a competent examiner that would have to do a pretty convoluted exam..... I think the value is not there as the difficulties may be great.. It is hard to say without looking, you may be able to find something of value, maybe not...... If you really want to pursue it find a competent examiner and have them look at it and evaluate it.....

you are at that point...... it's probably gonna cost so evaluate your needs and options ...... But if it's that important, and makes monetary sense, then it makes sense to hire a professional who knows what they are doing.
 

Warlockz

New Member
Mar 30, 2009
12
0
#8
I know this is a very late reply, but to answer your question logically, if you say he used privacy software to cover his tracks on the machine he was using to access these sites, the key doesn't lie on the machine itself anymore!

You must contact your Internet Service Provider and ask them for a log of the sites that were visited. Most if not all ISPs retain data about online activities for up to 6 months, some even retain logs for as long as a year; this will give you a complete log of all sites visited and all files downloaded when the accused suspect was online!
 

RobertR

New Member
Jun 3, 2007
447
0
#9
Excellent point Warlockz...

The caveat being...if it is in a home LAN or something similar doing NAT you will only have the information of every computer on that LAN and where it went..... for example, I have several computers in my home for the rest of the family..... The ISP logs would show information for every computer's activity to and from the single IP address my router had at that date and time.... so you are back to looking at individual machines for artifacts.

logically from here you can see that if there was an open access point, or potential for a compromised one, you still need to address the potential defense by looking for artifacts on the individual machine.
 

Complete

Administrator
Aug 19, 2006
861
0
#10
ISPs will retain logs of assigned IP addresses, but I have always been assured (by the larger ones anyway) that they do not retain a listing of sites visited. This would be a huge privacy nightmare, a storage nightmare due to the large volume of data, and it is simply not needed for the normal course of business.
 
