Proj 18: Shadow Copies and CCleaner (20 pts.)

What You Need

A Windows 7, 8, or 10 machine, real or virtual. You cannot use any Server version of Windows, because none of them have Restore points.

Purpose

To see how evidence can be recovered from Shadow Copies even if a suspect has used CCleaner to delete it.

Creating Evidence

Open Internet Explorer and type this URL into the address bar, at the top of the window:

27bslash6.com

Press Enter to open the page.

Note: Make sure you type in the URL directly, and do not use a search engine to find the page.

Scroll down and find the "Please design a logo for me" story, as shown below:

Right-click on the photo of the man there and click "Save picture as..."

Save the picture on your desktop with its default filename, which is "photo_simon_graphs".

Close Internet Explorer.

On your Desktop, double-click photo_simon_graphs.

The photo opens in your default image viewer. When I did it, it opened in Internet Explorer.

Close the viewer window.

Examining Registry Evidence: TypedURLs

Click Start. In the Search box, type REGEDIT. Press Enter.

If a "User Account Control" box pops up, click Yes.

In Registry Editor, navigate to this key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
You should see a URL of http://www.27bslash6.com/, as shown below:

Examining Registry Evidence: UserAssist

In Registry Editor, navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Expand the first numbered subkey, and click on the Count subkey in the left pane.

Hunt through the entries in the right pane until you find a Name ending in vrkcyber.rkr.

Highlight that name, as shown below.

"vrkcyber.rkr" is the ROT-13 obfuscated text "iexplore.exe", as you can verify at

http://rot13.com/index.php

This registry value is another artifact showing that you opened Internet Explorer.
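As an added example (not part of the original project, and not a tool the project uses), the following Python script does programmatically what rot13.com does for one name, and also parses the binary data stored beside each UserAssist name so you can see how often and when the program was run. The value name and the binary data below are constructed samples; the 72-byte value layout (run count at offset 4, focus count at 8, focus time in milliseconds at 12, last-run FILETIME at 60) is the documented Windows 7 and later format and is assumed here, and the GUID prefix in the sample name is illustrative only.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Constructed sample: a UserAssist\...\Count value name as regedit shows it.
# Windows ROT-13 encodes the whole name, GUID prefix included, which is why
# "iexplore.exe" appears as "vrkcyber.rkr". The GUID here is illustrative.
SAMPLE_NAME = r"{7P5N40RS-N0SO-4OSP-874N-P0S2R0O9SN8R}\Vagrearg Rkcybere\vrkcyber.rkr"

# FILETIME values count 100-nanosecond intervals since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def rot13(name):
    """Undo the ROT-13 obfuscation applied to UserAssist value names."""
    return codecs.decode(name, "rot_13")


def is_program(name, exe):
    """True if the decoded UserAssist name refers to the given executable."""
    return rot13(name).lower().endswith("\\" + exe.lower())


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME integer to an aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, used only to build sample data."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_count_value(data):
    """Parse a Windows 7+ UserAssist Count value (assumed 72-byte layout:
    run count at offset 4, focus count at 8, focus time (ms) at 12,
    last-run FILETIME at 60)."""
    if len(data) != 72:
        raise ValueError("expected a 72-byte Windows 7+ UserAssist value, got %d bytes" % len(data))
    _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
    (last_run_ft,) = struct.unpack_from("<Q", data, 60)
    return {
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_time_ms": focus_ms,
        # An all-zero FILETIME means the program was never actually launched.
        "last_run": filetime_to_datetime(last_run_ft) if last_run_ft else None,
    }


def build_sample_value(run_count, focus_count, focus_ms, last_run):
    """Construct a 72-byte value in the assumed layout (sample data only)."""
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 44                      # offsets 16-59: unused here
            + struct.pack("<Q", datetime_to_filetime(last_run))
            + b"\x00" * 4)


# Constructed sample data: IE launched 3 times, last at 2016-11-22 10:30 UTC.
SAMPLE_LAST_RUN = datetime(2016, 11, 22, 10, 30, tzinfo=timezone.utc)
SAMPLE_VALUE = build_sample_value(3, 5, 12345, SAMPLE_LAST_RUN)


def report(name, data):
    """Combine the decoded name with the parsed run statistics."""
    info = parse_count_value(data)
    info["program"] = rot13(name)
    return info


if __name__ == "__main__":
    for key, value in report(SAMPLE_NAME, SAMPLE_VALUE).items():
        print("%-14s %s" % (key + ":", value))
```

On a real examination you would feed in the name and data of the entry you highlighted in regedit, or the same entry read from the older ntuser.dat that ShadowExplorer exports later in this project; the run count and last-run time answer "was Internet Explorer run, and when" even after CCleaner has removed TypedURLs.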

Capturing a Screen Image

Make sure vrkcyber.rkr is highlighted, as shown above.

Click on the host system's taskbar, at the bottom of the screen.

Press the PrntScrn key to capture the whole desktop. Open Paint and paste in the image.

Save the image as "Proj 18a from YOUR NAME".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Closing Registry Editor

Close Registry Editor.

Creating a Restore Point

Windows creates restore points periodically, generally every week, or every time you install updates or new software.

Instead of waiting a week, we'll create a restore point manually.

Click Start. In the Search box, type RESTORE

In the search results, click "Create a restore point", as shown below.

A "System Properties" box pops up. Click Create.

In the "System Protection" box, type a name of

YOURNAME Before CCleaner
as shown below.

Note the time when you made your restore point. You'll need it later.

In the "System Protection" box, click Create.

A box pops up saying "The restore point was created successfully".

Click Close.

In the "System Properties" box, click OK.

Downloading and Installing CCleaner

Open a Web browser and go to

http://www.piriform.com/ccleaner

Click the green Download button.

Scroll down and click the leftmost green Download button to get the free version.

Run the installer. Install the software.

When you see the screen below, Google will attempt to install spyware on your machine. I recommend clearing both check boxes, although it doesn't really matter for this project. It's worth noticing, however, how far Google has moved from their old motto "Do No Evil", which they abandoned when they incorporated.

Running CCleaner

When the installation finishes, CCleaner opens, as shown below.

Click the "Run Cleaner" button.

A box pops up saying "This process will permanently delete files from your system", as shown below.

That is a very interesting claim, and we shall see to what extent it is true. CCleaner does delete some files, but it doesn't get all the evidence left behind.

In the box, click OK.

In a few seconds, CCleaner says "CLEANING COMPLETE", as shown below.

Capturing a Screen Image

Make sure the "CLEANING COMPLETE" message is visible, as shown above.

Click on the host system's taskbar, at the bottom of the screen.

Press the PrntScrn key to capture the whole desktop. Open Paint and paste in the image.

Save the image as "Proj 18b from YOUR NAME".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Examining Registry Evidence: TypedURLs

Click Start. In the Search box, type REGEDIT. Press Enter.

If a "User Account Control" box pops up, click Yes.

In Registry Editor, navigate to this key:

HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\TypedURLs
The TypedURLs key is totally gone! The keys remaining include TabbedBrowsing, Toolbar, and URLSearchHooks, in alphabetical order, as shown below:

Examining Registry Evidence: UserAssist

In Registry Editor, navigate to this key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
Expand the first numbered subkey, and click on the Count subkey in the left pane.

Hunt through the entries in the right pane until you find a Name ending in vrkcyber.rkr, as shown below. CCleaner did not erase it!

Downloading and Installing ShadowExplorer

In a Web browser, go to

http://www.shadowexplorer.com/downloads.html

In the "Downloads" section, under the "Latest Version:" heading, click "ShadowExplorer0.9 Installer (exe)", as shown below:

Install the software with the default options.

Using ShadowExplorer

After the installation, ShadowExplorer opens.

At the top left, select C: and the time at which you made your restore point, as shown below.

Navigate to your profile folder, which is like this, replacing "student" with your username:

C:\Users\student
Find the ntuser.dat file in your profile folder and click it to highlight it, as shown above.

Capturing a Screen Image

Make sure ntuser.dat is highlighted, as shown above.

Click on the host system's taskbar, at the bottom of the screen.

Press the PrntScrn key to capture the whole desktop. Open Paint and paste in the image.

Save the image as "Proj 18c from YOUR NAME".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Exporting Ntuser.dat

In ShadowExplorer, right-click ntuser.dat and click Export...

Click Desktop, and click OK.

The file is placed on your desktop, but it is probably invisible because it's a hidden system file.

Installing FTK Registry Viewer

You probably have this installed already from a previous project, but if you don't, do this:
Open a Web browser and go to

http://accessdata.com

On the upper right of the page, point to SUPPORT. Click "Product Downloads".

In the "Current Releases" section, expand the "Registry Viewer" section. On the "Registry Viewer 1.7.4" line, click Download.

Download and install the software with the default options.

Viewing the Old Ntuser.dat File with Registry Viewer

Open Registry Viewer. Click No to run in Demo mode. Click OK.

In Registry Viewer, click File, Open.

Navigate to your desktop.

The Ntuser.dat file is not visible. However, just type its name into the Filename box anyway, as shown below:

In the Open box, click Open.

Examining Shadow Copy Registry Evidence: TypedURLs

In Registry Viewer, navigate to this key:
ntuser.dat\Software\Microsoft\Internet Explorer\TypedURLs
The TypedURLs key is present in this file, because it's a backup made by the Shadow Copy service before CCleaner was used.

Find the URL http://www.27bslash6.com/ and highlight it, as shown below:

Capturing a Screen Image

Make sure http://www.27bslash6.com/ is highlighted, as shown above.

Click on the host system's taskbar, at the bottom of the screen.

Press the PrntScrn key to capture the whole desktop. Open Paint and paste in the image.

Save the image as "Proj 18d from YOUR NAME".

YOU MUST SEND IN A WHOLE-DESKTOP IMAGE FOR FULL CREDIT

Turning in Your Project

Send the images to cnit.121@gmail.com with a subject of "Proj 18 from YOUR NAME".


Last revised: 11-22-16