I have used CCleaner for years and it is one of the first programs I put on new computers. It has handy functions to clean up temporary files, logs, and even the Registry. While many can argue that such a program may help erase digital evidence, it can also shed light on where to look for important items of interest.
CCleaner used to store settings in the Registry, but has now opted to use an .INI file to assist in application portability. This is a great asset to forensic examiners who like to research new artifacts. The default installation has the necessary .INI files embedded within the executable, but they are usually available for download in this support thread (forum registration required). Lifehacker recently posted an article about the enhanced version of the application .INI file which can be downloaded towards the bottom of the article.
Here are two entries from the application .INI file:
[*LimeWire]
LangSecRef=3022
DetectFile=%ProgramFiles%\LimeWire\LimeWire.exe
Default=True
FileKey1=%userprofile%\Incomplete|*.*|RECURSE
FileKey2=%userprofile%\Application Data\LimeWire|fileurns.cache
FileKey3=%userprofile%\Application Data\LimeWire|createtimes.cache
FileKey4=%userprofile%\Application Data\LimeWire|responses.cache
FileKey5=%userprofile%\Application Data\LimeWire|ttree.cache
FileKey6=%userprofile%\Application Data\LimeWire|gnutella.net

[Windows Media Player]
ID=2033
LangSecRef=3023
Detect=HKCU\Software\Microsoft\MediaPlayer\Player
Default=True
RegKey1=HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList
RegKey2=HKCU\Software\Microsoft\MediaPlayer\Player\RecentURLList
RegKey3=HKCU\Software\Microsoft\MediaPlayer\Preferences|LastPlayList
RegKey4=HKCU\Software\Microsoft\MediaPlayer\Preferences|LastPlayListIndex
RegKey5=HKCU\Software\Microsoft\MediaPlayer\Player\Settings|SaveAsDir
RegKey6=HKCU\Software\Microsoft\MediaPlayer\AutoComplete\MediaEdit
RegKey7=HKCU\Software\Microsoft\MediaPlayer\Radio\MRUList
All of the entries within the .INI files follow a similar format. CCleaner only shows cleaning options for programs that it knows exist on the system, using the "Detect" key to determine whether a program has been installed. The entries that follow are the items that will probably be of interest to a forensic examiner: they are what CCleaner will attempt to delete or erase, and are typically log files or Most Recently Used entries.
Irongeek.com posted a similar article showcasing areas of interest that are cleaned using Nirsoft.net's CleanAfterMe tool. CleanAfterMe doesn't use an .INI file, but does create a log of items that it has cleaned. You can run the program and look at the logs to see where each cleaning option points. There are a multitude of other evidence cleaning programs that can provide similar intel. Even if there is no .INI file or log file, you can still use something like Process Monitor to see what is actually happening when the program is run.
In my opinion, if someone were to take CCleaner's .INI files and create a tool that does the exact opposite of CCleaner, parsing each item and creating an information report instead of cleaning it, they would have one heck of a triage tool.
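A sketch of the first half of such a tool, added here as an example and not taken from CCleaner or the original article: it parses the rule format shown above into a list of locations to examine. The function names, the `env` mapping and the reading of the `|`-separated fields (path, pattern, RECURSE; key, value) are assumptions inferred from the two entries quoted on this page.

```python
import configparser
import re

# Constructed sample: abridged from the two entries quoted in the article.
SAMPLE_INI = r"""
[*LimeWire]
LangSecRef=3022
DetectFile=%ProgramFiles%\LimeWire\LimeWire.exe
FileKey1=%userprofile%\Incomplete|*.*|RECURSE
FileKey2=%userprofile%\Application Data\LimeWire|fileurns.cache

[Windows Media Player]
ID=2033
LangSecRef=3023
Detect=HKCU\Software\Microsoft\MediaPlayer\Player
RegKey1=HKCU\Software\Microsoft\MediaPlayer\Player\RecentFileList
RegKey3=HKCU\Software\Microsoft\MediaPlayer\Preferences|LastPlayList
"""

def expand(path, env):
    """Replace %NAME% tokens from a case-insensitive mapping; unknown tokens stay as-is."""
    lookup = {k.lower(): v for k, v in env.items()}
    return re.sub(r"%([^%]+)%", lambda m: lookup.get(m.group(1).lower(), m.group(0)), path)

def triage_plan(ini_text, env):
    """Turn each cleaning rule into a location to examine; nothing is deleted."""
    # interpolation=None: '%' belongs to the paths and is not configparser syntax.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str  # keep key case (FileKey1, RegKey1)
    cp.read_string(ini_text)
    plan = []
    for app in cp.sections():
        for key, value in cp[app].items():
            parts = value.split("|")
            if key.startswith("FileKey"):
                plan.append({"app": app, "type": "file",
                             "path": expand(parts[0], env),
                             "pattern": parts[1] if len(parts) > 1 else "*",
                             "recurse": "RECURSE" in parts[2:]})
            elif key.startswith("RegKey"):
                plan.append({"app": app, "type": "registry",
                             "key": parts[0],
                             "value": parts[1] if len(parts) > 1 else None})
    return plan

if __name__ == "__main__":
    for item in triage_plan(SAMPLE_INI, {"userprofile": r"C:\Users\example"}):
        print(item)
```

Point `env` at the profile paths inside the mounted evidence image, not the examiner's own workstation, so the resulting paths refer to the system under examination.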
Matt Churchill currently manages the digital forensics practice at Continuum Worldwide and has earned the GCFA, CFCE, CCE, and CISSP certifications. You can follow him on Twitter @matt_churchill.