What Did CCleaner Wipe?
2015-05-18 15:35
The use of CCleaner is encountered at times during forensic investigations of computer systems. It has been labeled an "anti-forensics" tool as it has a secure deletion mode where it can overwrite data, filenames, and free space.
Overwriting files and filenames removes the chance to recover the data and subject it to further analysis; hence the anti-forensics label. There may be some remnants and data left for analysis and comparison, but at best you can infer what had been wiped. What you are faced with is a case of "You don't know what you don't know".
That is, until now. CCleaner will actually tell you what files it wiped. You just have to work for it.
CCleaner is a system optimization software package developed and distributed by Piriform. A free version is available for download and use. Piriform describes the capabilities of CCleaner as follows:
"CCleaner is our system optimization, privacy and cleaning tool. It removes unused files from your system - allowing Windows to run faster and freeing up valuable hard disk space. It also cleans traces of your online activities such as your Internet history. Additionally it contains a fully featured registry cleaner. But the best part is that it's fast (normally taking less than a second to run) and contains NO Spyware or Adware!"
CCleaner does have a few artifacts that may be uncovered. The character patterns of overwriting; registry values for the configuration settings; as well as the data still resident in pagefile, volume shadows, and hibernation files after its use have been reported on sites such as:
- http://www.magnetforensics.com/oh-no-the-suspect-ran-ccleaner-to-get-rid-of-the-evidence
- http://cheeky4n6monkey.blogspot.com/2012/02/writing-ccleaner-regripper-plugin-part.html
- http://hackingexposedcomputerforensicsblog.blogspot.com/2013/09/daily-blog-99-sunday-funday-92913-winner.html
CCleaner, in what Piriform refers to as "secure file deletion" mode, overwrites a file's content with other characters. There are multiple options available in this mode with each option increasing the number of times a file is overwritten. Even the "simple overwrite" option consisting of one pass over the data is enough to frustrate recovery of the original data.
Filenames are overwritten as well. On an NTFS formatted drive, the filename records in the Master File Table are replaced with the letter "Z". For example, a file named "TEST.TXT" will have each character in the name overwritten with the letter Z and will be renamed to "ZZZZ.ZZZ" after the process is completed.
CCleaner, even on its most aggressive settings, will possibly leave some information in the pagefile, volume shadows, and hibernation files on a system. A forensics examiner could recover Internet History as well as other remnants from these areas as they have not been overwritten by CCleaner.
When trying to gather information on data overwritten by CCleaner, files resident in volume shadows will allow you to infer what may have been overwritten. The same is true for files and filenames located in pagefiles and hibernation files. The registry entries for CCleaner's configuration settings will indicate the types of files and some locations of files that will be affected, but they do not directly tell you the names of the files, much less their content. The difficulty is in establishing a link between the data you believe CCleaner overwrote and the data actually overwritten by the program.
For example, in a recent case filenames and file paths recovered from a hibernation file showed a few thousand filenames referenced that were no longer resident on the system. Fortunately, the system had gone into hibernation shortly before the wiping so the timing was good, allowing for a comparison of filenames found in the hibernation file to filenames active on the system.
The configuration settings for CCleaner allowed one to infer that many of these files were potentially files wiped by CCleaner. However, deletion in the normal course of events for the system, such as when the Internet cache size has been exceeded, could not be entirely excluded.
To try to address the question of what CCleaner wiped, testing was performed on a clean system to observe and monitor how CCleaner operates. This testing uncovered an artifact of what appears to be how CCleaner handles the overwriting of filenames on a system. As stated previously, CCleaner will overwrite letters in a filename with the letter "Z". In the process of performing this task, CCleaner writes out the filename it intends to replace multiple times, followed by strings of the same length as the filename, this time consisting of all Z's.
For example, as CCleaner was executing, the filename "TEST.TXT" was seen being written out to disk a few times, followed by the pattern "ZZZZ.ZZZ". The other filenames being overwritten were handled in the same fashion. A forensic image of the system was taken after the execution of CCleaner had completed and was searched for the pattern noticed in testing. A match of this pattern was found in the unallocated space of the hard drive.
The search results looked like this:
TEST.TXT
TEST.TXT
TEST.TXT
ZZZZ.ZZZ
ZZZZ.ZZZ
ZZZZ.ZZZ
TEST1.TXT
TEST1.TXT
TEST1.TXT
ZZZZZ.ZZZ
ZZZZZ.ZZZ
ZZZZZ.ZZZ
And so forth…
In order to ensure that the monitoring programs did not affect this finding, the same test was run again on a clean system without the monitoring tools in place. Once again, the pattern was located in the unallocated portion of the hard drive. Even after varying settings for CCleaner, positive findings for this pattern were located on the hard drive. Only when the free space overwriting option was selected did most of the artifacts go away. Some items were still found in the pagefile; however, these were quite few compared to the amount previously located.
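The search described above can be scripted. The following is an added example, not code from the original post or from Piriform: it pulls ASCII and UTF-16LE strings out of a raw buffer and reports each filename whose run of repeats is directly followed by a run of its own Z mask. The string encodings, the minimum string length, the adjacency of the two runs, and the rule that every "." is preserved in the mask are assumptions; the sample buffer is constructed.

```python
import re

# Printable ASCII runs and UTF-16LE runs; minimum length 4 is an assumed threshold.
ASCII_RE = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

def extract_strings(data):
    """Return (offset, text) for ASCII and UTF-16LE strings, in offset order."""
    hits = [(m.start(), m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RE.finditer(data)]
    return sorted(hits)

def z_mask(name):
    """Mask as shown in the article: every character except '.' becomes 'Z'."""
    return "".join("." if c == "." else "Z" for c in name)

def find_wiped_names(data):
    """Return (offset, name, name_repeats, mask_repeats) for every name whose
    run of repeats is directly followed by a run of its own Z mask."""
    runs = []  # each entry: [offset of first copy, text, repeat count]
    for off, text in extract_strings(data):
        if runs and runs[-1][1] == text:
            runs[-1][2] += 1
        else:
            runs.append([off, text, 1])
    found = []
    for (off, name, n), (_, nxt, m) in zip(runs, runs[1:]):
        mask = z_mask(name)
        if name != mask and nxt == mask:   # skip runs that are themselves masks
            found.append((off, name, n, m))
    return found

def _blob(names, enc):
    # Helper for the constructed sample: each string followed by filler bytes.
    return b"".join(n.encode(enc) + b"\xff\xff" for n in names)

# Constructed sample standing in for unallocated space (not case data).
SAMPLE = (
    _blob(["TEST.TXT"] * 3 + ["ZZZZ.ZZZ"] * 3, "ascii")
    + _blob(["NOTES.DOC"] * 2, "ascii")   # no mask follows, so not reported
    + _blob(["TEST1.TXT"] * 3 + ["ZZZZZ.ZZZ"] * 3, "utf-16-le")
)

if __name__ == "__main__":
    for off, name, n, m in find_wiped_names(SAMPLE):
        print(f"offset {off}: {name} x{n} followed by {z_mask(name)} x{m}")
```

On a real image, feed the function unallocated space in chunks, since it holds the whole buffer in memory, and treat each hit as a lead to correlate against hibernation file, pagefile, and volume shadow contents.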
The real test took place when a search for this pattern was conducted on the hard drive in the case mentioned previously. Success!
Positive hits were found on the drive and were quite extensive. In fact, of the few thousand filenames referenced in the hibernation file that were no longer resident on the system, matching filenames for over 80% were located and associated with these CCleaner artifacts.
So, we had positive correlation of roughly 80% of the unique filenames found in the hibernation file impacted by CCleaner running on the system.
Once a filename is located, even if the original file is overwritten, it is still possible to gather more information regarding that file. Remnants and even whole copies of files may be located once a filename is identified. If you have a filename, searches for that name will turn up interesting and informative results.
In this case, finding this artifact in CCleaner led to the identification of multiple key elements. In every case since this one involving CCleaner, this pattern has allowed the correlation of at least some information about files that were wiped. Unfortunately, this search will not allow one to completely locate all of the filenames of files that were overwritten, or necessarily lead to recovering their data.
More information, including our timeline of attempts to contact the vendor, is available in the advisory we published.
To quote the Rolling Stones song from the "Let It Bleed" album:
"You can't always get what you want. But if you try sometime, you find, you get what you need."
Posted by Don at 15:35