“Oh no, the suspect ran CCleaner to get rid of the evidence!”

[rgb]

From the tests run by Magnet forensics using Internet Evidence Finder, it appears that CCleaner could do a better job of cleaning PCs. CC is certainly a good tool, but I'm just suggesting that further effort could be made to improve the cleaning.

 

The article I refer to is worth reading for what CC may not clean, and may never be able to clean, such as RAM, pagefiles, and hibernation files.

 

The article concludes with:

"The point of this post is to illustrate that the potential benefits of running a search for Internet related artifacts is well worth the effort, even when you fear they may have been ‘sanitized’."

 

-------

 

I tried posting a link to the website that did the tests, but Piriform.com does not allow a link to the site. Unfortunate, since readers here should be able to read unbiased reviews of Ccleaner and similar software to be able to understand their limitations. To find the article you can use the topic title.

[Winapp2.ini]

I'm sorry?

 

Did you run CCleaner with secure overwrite enabled? It's an option!

[Andavari]

The only sure way of completely destroying data on a hard disk is to... ....completely destroy the hard disk!

 

However, this has already been discussed to death, and surely does NOT deserve yet another topic about it.

 

Another example (you can easily search for more yourself):

http://forum.pirifor...showtopic=37073

[rgb]

The only sure way of completely destroying data on a hard disk is to... ....completely destroy the hard disk!

 

However, this has already been discussed to death, and surely does NOT deserve yet another topic about it.

 

Well, your first sentence is a cop-out. The point of CCleaner and similar products is to get rid of as much as possible. The real question is which product in this class does the best job, and further to know what types of files are not going to be cleaned by which product, and which types can not be cleaned by any product (at the moment).

 

Wondering why Piriform blocks the Magnet Forensics website. Does it have anything to do with the post I referred to above, the title of my first post? Because it has detailed results from what CCleaner removed and what was left after. Maybe other posts on this topic do not have such detailed info, such as which files and types of files were cleaned. I'll try posting a modified link to it (replace the middle 3 dots after www with magnetforensics):

http://www.....com/o...f-the-evidence/

 

It's worth noting that the website staff chose CCleaner only as an example; you might even say it should make Piriform pleased that it's product was chosen.

[mta]

I always wonder why people even bother with all these forensic track covering exercises.

If you are that worried about someone discovering whatever it is you are trying to hide and use disk cleansing software, and trust it, then you will be in for a nasty surprise when the black van with Flowers by Irene livery parks outside your door.

The ONLY way to guarantee no data recovery is to physically destroy the HD, as @Andavari states.

 

I for one would not trust CC to remove 'evidence' (as in the title).

 

I would have thought CC's main function is to clean up space (crap cleaner to reminisce on the original name). Surely that is how most users would hear about and use, the product.

[hazelnut]

So Piriform blocks the posting of this site?

 

http://www.magnetfor...f-the-evidence/

 

It would be an idea to get things into perspective here rgb. CCleaner is not a ''let's get rid of all info before NSA arrives'' piece of software.

 

This area of the forum is for support with bugs and issues regarding CCleaner and not really for the discussion of evidence elimination.

 

You seem quite clued up and will I am sure know of ways to achieve this. For the vast majority of CCleaner users the software suites their needs.

 

(It may be worth your while informing that website about the CCleaner 24hour rules)

[login123]

Well, your first sentence is a cop-out. The point of CCleaner and similar products is to get rid of as much as possible. . . .

The point of CCleaner seems to be safe removal of unecessary clutter, not to get rid of as much as possible.

For most folks, that is a good approach.

A cleaner that is too agressive can trash your OS in a blink.

 

Edit: @ mta: Fwiw, around here they use Sypher & Sons Plumbing and Heating on those vans. Your TV goes all wavy when they pull up.

[Andavari]

Well, your first sentence is a cop-out.

 

If it's physically destroyed beyond recovery (with fire for instance) there's nothing to recover.

[Alan_B]

So Piriform blocks the posting of this site?

 

http://www.magnetfor...f-the-evidence/

It does not block it for me

 

The article concludes foolish rubbish.

This example should be a clear example and illustration of how important the collection of RAM can be regardless of the type of investigation. It is also a good demonstration showing the importance of searching for Internet-related artifacts even when you may find evidence of ‘sanitation’ tools being used by the suspect. There are several other freely available ‘sanitation’ tools available, each with different varying results. The point of this post is to illustrate that the potential benefits of running a search for Internet related artifacts is well worth the effort, even when you fear they may have been ‘sanitized’.

Windows 7 is happy running with a Pagefile of only 16 MegaBytes and no Bootfile (I have better uses for my SSD),

and I believe I would not notice any shut-down hesitation if I configured Windows to clear it on shut-down.

[mta]

This area of the forum is for support with bugs and issues regarding CCleaner and not really for the discussion of evidence elimination.

 

any chance this can be moved to the Lounge as we seem to be off topic anyway and it would give leeway to stay that way and continue this discussion.

[Andavari]

any chance this can be moved to the Lounge as we seem to be off topic

 

Done.

[mta]

If it's physically destroyed beyond recovery (with fire for instance) there's nothing to recover.

 

for those who read that and thought it was a bit excessive....

 

i used to work for Dept of Defence, next to us were JIO and when their DASD drive platters failed the only approved method of forensic cleaning was a guy would angle grind the disk surface, then break it up with a hammer, then incinerate the pieces.

 

now that is taking care of business !

[rgb]

My first post of the this topic included use of an url shortener for the full url http://www.magnetfor...f-the-evidence/ : http://.../1brkG7S. It may be that Piriform in fact does not allow use of url shorteners or maybe just bit.ly. When I tried posting this current post I also got the message

 

 

An error occurred

 

 

You have entered a link to a website that the administrator does not allow links to

 

 

and I had to change the bit.ly url above (add bit.ly where the 3 dots are).

 

I assumed that url shorteners would be allowed, as they are on most websites, and that the Magnet Forensics site was the problem.

[Andavari]

It may be that Piriform in fact does not allow use of url shorteners or maybe just bit.ly.

 

It could also be the IPB forum software being picky which I know will sometimes make a mess of some URLs making them non-working/invalid and I've ran into it numerous times. One way around it is using the

 option in a post, which may allow those URLs to posted but they won't be clickable.

[login123]

. . . One way around it is using the code option in a post, which may allow those URLs to posted but they won't be clickable.

Link in post 4 won't work. It and the second link in post 13 are just malformed.

http://www.....com/oh-no-the-suspect-ran-ccleaner-to-get-rid-of-the-evidence/

Link in post 6 does work.

http://www.magnetforensics.com/oh-no-the-suspect-ran-ccleaner-to-get-rid-of-the-evidence/

 

In addition to what Andavari said, you can use the "Preview Post" feature to see what the post will look like and if the links are working.

 

On the main issue, even if one succeeds in erasing all his tracks on his computer, there are still enough tracks out there on the net to find him.

Personally I like it that way. I'm glad that terrorists, porn mongers and tax evaders can't hide. Especially the tax evaders, cause I have to pay mine, and I can pretty much ignore those other two groups.

 

There. If that doesn't start a barfight an enlightened discussion nothing will.

[Andavari]

Link in post 4 won't work. It and the second link in post 13 are just malformed.

http://www.....com/oh-no-the-suspect-ran-ccleaner-to-get-rid-of-the-evidence/

 

That's what it's done to me many times.

[login123]

Never had it happen here. Is that some part of the forum software or some sort of 3rd party url shortener?

[hazelnut]

login123 the link in post #4 you have to replace the dots (apologies if you already saw this)

 

replace the middle 3 dots after www with magnetforensics

[login123]

Thanks, Hazelnut. I had seen that, but wondered how the url got messed up to start with.

Just read about bitly, is that what did it?

[hazelnut]

Quite a few websites don't allow Bit.ly links or other modified links, I know that I personally don't like them. They were first used on Twitter.

 

I always give plain links then folk can see where I am sending them.