mhan Posted July 18, 2014 Share Posted July 18, 2014 How to know when (that is, the date(s) or the last date) ccleaner was run on my Windows 7 computer? Is it possible to identify this information using forensic exams as well? The Windows log files are not available. Link to comment Share on other sites More sharing options...
Moderators Nergal Posted July 18, 2014 Moderators Share Posted July 18, 2014 A1 It's not possible within the software A2 because of A1 no unless modified by A3 A3 No windows logs would be created by default, though one could set up a custom log which monitors the running of ccleaner's exe ADVICE FOR USING CCleaner'S REGISTRY INTEGRITY SECTION DON'T JUST CLEAN EVERYTHING THAT'S CHECKED OFF. Do your Registry Cleaning in small bits (at the very least Check-mark by Check-mark) ALWAYS BACKUP THE ENTRY, YOU NEVER KNOW WHAT YOU'LL BREAK IF YOU DON'T. Support at https://support.ccleaner.com/s/?language=en_US Pro users file a PRIORITY SUPPORT via email support@ccleaner.com Link to comment Share on other sites More sharing options...
mhan Posted July 19, 2014 Author Share Posted July 19, 2014 Thank you. Therefore, unless there is custom log that monitors the running of ccleaner's exe was already setup on my computer, it is NOT possible to know when ccleaner was run. Is it correct? I am bit novice to this field and I am Sorry, if my question is redundant. Link to comment Share on other sites More sharing options...
Moderators Nergal Posted July 19, 2014 Moderators Share Posted July 19, 2014 As far as I am aware that is correct, however it is just an educated opinion ADVICE FOR USING CCleaner'S REGISTRY INTEGRITY SECTION DON'T JUST CLEAN EVERYTHING THAT'S CHECKED OFF. Do your Registry Cleaning in small bits (at the very least Check-mark by Check-mark) ALWAYS BACKUP THE ENTRY, YOU NEVER KNOW WHAT YOU'LL BREAK IF YOU DON'T. Support at https://support.ccleaner.com/s/?language=en_US Pro users file a PRIORITY SUPPORT via email support@ccleaner.com Link to comment Share on other sites More sharing options...
Moderators Augeas Posted July 19, 2014 Moderators Share Posted July 19, 2014 There are plenty of registry entries, even with the portable version, although I don't know if any hold the last run date. If you change any settings the ccleaner.ini file will be datestamped, if you use it. Then there's the prefetch folder, along with stuff I can't think of at the moment. I'm sure someone with enough skill and time could find out if they wanted to. But running CC is not a crime, yet. Link to comment Share on other sites More sharing options...
Alan_B Posted July 19, 2014 Share Posted July 19, 2014 I use the portable version of CC I have launched and then closed CC and CCleaner.ini was updated with a modified time-stamp of 10:22:01 Then I launched again and the time stamp only changed when I closed CC,and became 10:23:10 This shows when CC was last closed, even if it only Analyzed and did not clean. Link to comment Share on other sites More sharing options...
mhan Posted July 19, 2014 Author Share Posted July 19, 2014 Thanks for the information. In case it is possible to identify the last date of use then Another question is: is it possible to identify what actions/operations CC has done during the last cleaning? For example: whetehr it wiped a specific file (or folder) OR wiped the free space OR free space PLUS slack space OR wiped the browser history alone OR something else... Link to comment Share on other sites More sharing options...
Moderators Augeas Posted July 19, 2014 Moderators Share Posted July 19, 2014 Not really. You could look at the settings either in the registry or in ccleaner.ini; secure overwrite and wipe free space leaves the overwrite files on the disk, and files with names of ZZZZ.ZZZ.ZZZ are a bit of a giveaway. But nothing specific. Why do you ask, are you posting from the local lockup? Link to comment Share on other sites More sharing options...
mhan Posted July 19, 2014 Author Share Posted July 19, 2014 Thank you. Before providing additional info, I am not clear where to find ccleaner.ini that you mentioned. Could you help me identify its location? I received a legal notice. Once I received that notice, I am supposed to keep the information/evidence as it is (and at the same time I am permitted to use my computer for “routine operation”). In addition, I “should not allow the routine operation to thwart investigation obligations by allowing that operation (CCleaner operation) to destroy information that I am required to preserve or produce.” I wish to argue as follows: although all the boxes in “registry cleaner” option of CC are checked, I deleted/erased only specific files and that deletion operation was necessary to do my routine work. However, if the investigation reveals that I cleaned slack space, entire free space, etc. also , I wish to defend that those operations might have been performed but NOT after I received the legal notice date. Thereofre, it is very important for me on the possibility to identify the date on which specific operations (cleaning slack space, for example) were performed on my computer. Link to comment Share on other sites More sharing options...
Alan_B Posted July 19, 2014 Share Posted July 19, 2014 Surely it is NOT your responsibility to perform forensic examination to prove yourself innocent. It is entirely the responsibility of the investigators to prove both the date of notice delivery and the date at which you destroyed information. I am suggesting that this topic be locked to prevent any further implication of any forum members in legal entaglements Link to comment Share on other sites More sharing options...
Moderators hazelnut Posted July 19, 2014 Moderators Share Posted July 19, 2014 Sorry but Piriform cannot be involved in advice regarding any legal matters between a user and legal authorities. This thread will now be closed.. Support contact https://support.ccleaner.com/s/contact-form?language=en_US&form=general or support@ccleaner.com Link to comment Share on other sites More sharing options...
Recommended Posts