Forensic Artifacts of Eraser – part 1

Like many of you in the DFIR community, I often run into the use of anti-forensic tools in cases I am working on.  The tools run the gamut from simple, free data cleaning utilities – to the $29 tool the person purchased after searching Google for “how do I wipe data from a device so it is unrecoverable” (all of which I can typically show having happened) – to powerful tools like Eraser.  Granted, Eraser is open source software, but its capabilities are light years ahead of other free cleaning and wiping utilities.  And, in the hands of even a mildly sophisticated user, it does a very good job of deleting data, wiping or replacing its contents, and hiding what it did.

I have not found much available out there describing artifacts related to its usage, so I figured I would do a bit of research to improve my own knowledge and share it.  I've found the best way to retain something is to write about it.

Methodology

  • I created a new virtual host in my copy of VMware Workstation.  The host is running the most recent 64-bit version of Windows 10.  Windows 10 is becoming more prevalent, at least in my investigations, so I skipped over Windows 7.
  • I disabled all of the privacy settings, just to minimize what the OS was trying to do in the background.  This cuts down on the chatter during analysis.
  • I did not deliberately install any Windows 10 updates.  However, the OS searches for updates during installation if you have a network connection, and again in the background after installation, so a few updates did get applied.
  • I enabled the Windows features for .NET 3.5.  Eraser uses .NET and I wanted to ensure it had an older version available as well as the most recent installed with the OS.
  • I installed the most recent version of Firefox – mostly because I hate Edge.  It was used solely for downloads of other tools.
  • I downloaded a copy of RegShot to allow me to take snapshots of registry changes and changes to the root of the virtual machine drive that were taking place during the installation, configuration, and usage of Eraser.
  • I downloaded a copy of Process Explorer to examine process changes taking place during the installation, configuration, and usage of Eraser.
  • I downloaded a copy of Magnet RAM Capture to image memory to analyze changes taking place during the installation, configuration, and usage of Eraser.
  • I used Volatility to examine memory images.
  • I used virtual machine snapshots and Plaso for timeline analysis of activity occurring on the host during the installation, configuration, and usage of Eraser.
  • I used the most recent version of Eraser, which at the time of writing was 6.2.0.2979.  The installation of Eraser is very straightforward so I will not document it here.  Just a few things to keep in mind:

  – The installation process will try to install .NET, and fail.  Just close the related .NET window and the install will continue.
  – At the end of the installation process, I did not allow the application to launch.  I did this because I want to understand exactly when registry entries and program folders are created.

Background

So, what is Eraser?  According to its website it “is an advanced security tool for Windows which allows you to completely remove sensitive data from your hard drive by overwriting it several times with carefully selected patterns.”   It “Erases files, folders and their previously deleted counterparts. Works with an extremely customisable Scheduler.”  Among its capabilities, it can:

  • Selectively erase files, file names, and folders from the local host.
  • Selectively erase files, file names, and folders from mounted network drives. (Eraser version 6.1 and above.)
  • Erase unused disk space.
  • Erase contents of current user’s Recycle Bin.
  • Erase Internet browser cache folders.
  • Integrate with Windows Explorer.
  • Force the unlocking of files to ensure they are erased.
  • Configure source content to be used as the overwriting data.  Eraser calls this "Plausible Deniability" – instead of using random data for overwriting, typical data the user might have been working with is used, potentially giving an impression no data was erased.
  • Automatically remove Eraser tasks after successful completion.   
  • Create Eraser tasks to run manually, immediately, when Eraser starts, at system boot, and at scheduled times.

Oh, and if all that is not enough for you – and you want to go the extra mile to hide what you did with Eraser, or that you even used it, the website has a nice detailed explanation of how to remove all traces of Eraser.  


Installation Artifacts

Let’s look at the artifacts left over from the installation process of Eraser.  According to my RegShot comparison file, the total number of changes made during the install was 377,006.  Yikes!  Not all of them are related to Eraser, so here are the pertinent ones:

Folders added:

  • C:\Program Files\Eraser
  • C:\Program Files\Eraser\en
  • C:\Program Files\Eraser\Plugins
  • C:\Program Files\Eraser\Plugins\en

Files added:

  • C:\Program Files\Eraser\alglibnet2.dll
  • C:\Program Files\Eraser\BevelLine.dll
  • C:\Program Files\Eraser\CommonLibrary.dll
  • C:\Program Files\Eraser\DragDropLib.dll
  • C:\Program Files\Eraser\en\Eraser.Manager.resources.dll
  • C:\Program Files\Eraser\en\Eraser.resources.dll
  • C:\Program Files\Eraser\en\Eraser.Util.Native.resources.dll
  • C:\Program Files\Eraser\en\Eraser.Util.resources.dll
  • C:\Program Files\Eraser\Eraser Documentation.pdf
  • C:\Program Files\Eraser\Eraser.exe
  • C:\Program Files\Eraser\Eraser.Manager.dll
  • C:\Program Files\Eraser\Eraser.Plugins.dll
  • C:\Program Files\Eraser\Eraser.Shell.dll
  • C:\Program Files\Eraser\Eraser.Util.dll
  • C:\Program Files\Eraser\Eraser.Util.Native.dll
  • C:\Program Files\Eraser\Microsoft.Runtime.Hosting.dll
  • C:\Program Files\Eraser\Plugins\en\Eraser.BlackBox.resources.dll
  • C:\Program Files\Eraser\Plugins\en\Eraser.DefaultPlugins.resources.dll
  • C:\Program Files\Eraser\Plugins\Eraser.BlackBox.dll
  • C:\Program Files\Eraser\Plugins\Eraser.DefaultPlugins.dll
  • C:\Program Files\Eraser\Plugins\ICSharpCode.SharpZipLib.dll
  • C:\Program Files\Eraser\Plugins\LZMA#.dll
  • C:\Program Files\Eraser\TaskDialog.dll
  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Eraser.lnk
  • C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Eraser.lnk
  • C:\Users\private\AppData\Local\Temp\dd_dotNetFx40_Full_x86_x64_decompression_log.txt
  • C:\Users\private\AppData\Local\Temp\Microsoft .NET Framework 4 Setup_20170929_074309865.html
  • C:\Users\private\AppData\Roaming\Microsoft\Windows\Recent\Install eraser.lnk
  • C:\Users\Public\Desktop\Eraser.lnk
  • C:\Windows\Installer\d9d1d.msi
  • C:\Windows\Installer\SourceHash{C5900DE9-D199-4C27-B692-354C9A6A6C8B}
  • C:\Windows\Installer\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\Eraser.exe
  • C:\Windows\Prefetch\DOTNETFX40_FULL_X86_X64.EXE-A7A844A2.pf
  • C:\Windows\Prefetch\ERASER 6.2.0.2979.EXE-05034FC9.pf
  • C:\Windows\Prefetch\SETUP.EXE-1E79F217.pf
     

Registry values added:

  • HKLM\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\Eraser\: "{BC9B776A-90D7-4476-A791-79D835F30650}"
  • HKLM\SOFTWARE\Classes\CLSID\{BC9B776A-90D7-4476-A791-79D835F30650}\: "Eraser Shell Extension"
  • HKLM\SOFTWARE\Classes\CLSID\{BC9B776A-90D7-4476-A791-79D835F30650}\InprocServer32\: ""C:\Program Files\Eraser\Eraser.Shell.dll""
  • HKLM\SOFTWARE\Classes\CLSID\{BC9B776A-90D7-4476-A791-79D835F30650}\ProgID\: "EraserShellExt.ShellExt.1"
  • HKLM\SOFTWARE\Classes\CLSID\{BC9B776A-90D7-4476-A791-79D835F30650}\VersionIndependentProgID\: "EraserShellExt.ShellExt"
  • HKLM\SOFTWARE\Classes\Directory\background\shellex\ContextMenuHandlers\Eraser\: "{BC9B776A-90D7-4476-A791-79D835F30650}"
  • HKLM\SOFTWARE\Classes\Directory\shellex\ContextMenuHandlers\Eraser\: "{BC9B776A-90D7-4476-A791-79D835F30650}"
  • HKLM\SOFTWARE\Classes\Directory\shellex\DragDropHandlers\Eraser\: "{BC9B776A-90D7-4476-A791-79D835F30650}"
  • HKLM\SOFTWARE\Classes\Drive\shellex\ContextMenuHandlers\Eraser\: "{BC9B776A-90D7-4476-A791-79D835F30650}"
  • HKLM\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\Eraser\: "{BC9B776A-90D7-4476-A791-79D835F30650}"
  • HKLM\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\Eraser\: "{BC9B776A-90D7-4476-A791-79D835F30650}"
  • HKLM\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\Eraser\: "{BC9B776A-90D7-4476-A791-79D835F30650}"
  • HKLM\SOFTWARE\Classes\Installer\Features\9ED0095C991D72C46B2953C4A9A6C6B8\EraserMain: ""
  • HKLM\SOFTWARE\Classes\Installer\Features\9ED0095C991D72C46B2953C4A9A6C6B8\EraserMainBlackBox: "EraserMain"
  • HKLM\SOFTWARE\Classes\Installer\Features\9ED0095C991D72C46B2953C4A9A6C6B8\EraserMainShell: "EraserMain"
  • HKLM\SOFTWARE\Classes\Installer\Features\9ED0095C991D72C46B2953C4A9A6C6B8\EraserLanguagesNl: "EraserLanguages"
  • HKLM\SOFTWARE\Classes\Installer\Features\9ED0095C991D72C46B2953C4A9A6C6B8\EraserLanguages: "EraserMain"
  • HKLM\SOFTWARE\Classes\Installer\Features\9ED0095C991D72C46B2953C4A9A6C6B8\EraserLanguagesIt: "EraserLanguages"
  • HKLM\SOFTWARE\Classes\Installer\Features\9ED0095C991D72C46B2953C4A9A6C6B8\EraserLanguagesPl: "EraserLanguages"
  • HKLM\SOFTWARE\Classes\Installer\Products\9ED0095C991D72C46B2953C4A9A6C6B8\ProductName: "Eraser 6.2.0.2979"
  • HKLM\SOFTWARE\Classes\Installer\Products\9ED0095C991D72C46B2953C4A9A6C6B8\ProductIcon: "C:\Windows\Installer\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\Eraser.exe"
  • HKLM\SOFTWARE\Classes\Installer\Products\9ED0095C991D72C46B2953C4A9A6C6B8\SourceList\PackageName: "Eraser (x64).msi"
  • HKLM\SOFTWARE\Classes\Installer\Products\9ED0095C991D72C46B2953C4A9A6C6B8\SourceList\LastUsedSource: "n;1;C:\Users\private\AppData\Local\Temp\eraserInstallBootstrapper\"
  • HKLM\SOFTWARE\Classes\Installer\Products\9ED0095C991D72C46B2953C4A9A6C6B8\SourceList\Net\1: "C:\Users\private\AppData\Local\Temp\eraserInstallBootstrapper\"
  • HKLM\SOFTWARE\Classes\InternetShortcut\ShellEx\ContextMenuHandlers\Eraser\: "{BC9B776A-90D7-4476-A791-79D835F30650}"
  • HKLM\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\Eraser\: "{BC9B776A-90D7-4476-A791-79D835F30650}"
  • HKLM\SOFTWARE\Classes\.ersy\: "Eraser.Ersy"
  • HKLM\SOFTWARE\Classes\Eraser.Ersy\: "Eraser 6 XML Task List"
  • HKLM\SOFTWARE\Classes\Eraser.Ersy\DefaultIcon\: "C:\Program Files\Eraser\Eraser.exe,1"
  • HKLM\SOFTWARE\Classes\Eraser.Ersy\shell\open\command\: ""C:\Program Files\Eraser\Eraser.exe" importtasklist /quiet "%1""
  • HKLM\SOFTWARE\Classes\EraserShellExt.ShellExt\: "Eraser Shell Extension"
  • HKLM\SOFTWARE\Classes\EraserShellExt.ShellExt\CLSID: "{BC9B776A-90D7-4476-A791-79D835F30650}"
  • HKLM\SOFTWARE\Classes\EraserShellExt.ShellExt\CurVer: "EraserShellExt.ShellExt.1"
  • HKLM\SOFTWARE\Classes\EraserShellExt.ShellExt.1\: "Eraser Shell Extension"
  • HKLM\SOFTWARE\Classes\EraserShellExt.ShellExt.1\CLSID: "{BC9B776A-90D7-4476-A791-79D835F30650}"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Eraser.exe\: "C:\Program Files\Eraser\Eraser.exe"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Eraser\: ""
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Eraser\Plugins\: ""
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Eraser\Plugins\en\: ""
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\Folders\C:\Program Files\Eraser\en\: ""
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\0B3729C353A7B974BBEE21AAA31B14EE\9ED0095C991D72C46B2953C4A9A6C6B8: "C:\Program Files\Eraser\Plugins\Eraser.BlackBox.dll"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6FEB2BB517216874A90455D26D22B3F1\9ED0095C991D72C46B2953C4A9A6C6B8: "C:\Program Files\Eraser\en\Eraser.resources.dll"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\877F02808687E2445BEB1B5A7E72CC6E\9ED0095C991D72C46B2953C4A9A6C6B8: "C:\Program Files\Eraser\Plugins\en\Eraser.BlackBox.resources.dll"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B82F7D9DE5F14AD4F82FF4D80C134E27\9ED0095C991D72C46B2953C4A9A6C6B8: "C:\Program Files\Eraser\Eraser.exe"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DB703A9344242794CB215A5F7AE686A4\9ED0095C991D72C46B2953C4A9A6C6B8: "C:\Program Files\Eraser\Plugins\Eraser.DefaultPlugins.dll"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\DD7B2B32815CEDD42A9249AC19229B59\9ED0095C991D72C46B2953C4A9A6C6B8: "C:\Program Files\Eraser\Plugins\en\Eraser.DefaultPlugins.resources.dll"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\E7C644C4CBCB16548B6F4D6015D653F6\9ED0095C991D72C46B2953C4A9A6C6B8: "C:\Program Files\Eraser\Eraser.Shell.dll"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\Features\EraserMain: "Xm8$oBs(z@-.RKUr{dwLA!+PEz`y}=+)NX2}c4&-upXT6k0P[?9BhywF-hv?=n7P.-qC%ASF7,j&,?-X+Skorl$F*@hZ~fPvko[S5W(}CCJ^c@h2e2Q1wj{6('3f)giZc@F=6^fRo9h6qje8s`L-99KWPrbQg)fL$Fp7P`7!6A_Sh`pY*&-s,cC,-hEDb=+D)+My7)PE7UG'uVuZp9L`2N!JIDlT"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\Features\EraserMainBlackBox: "qkiO7fn7$?6i7a_D,vXuls(]%}f_v9IjY9^@7.3sEraserMain"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\Features\EraserMainShell: "NeUS@HrLA=^G_4%2I+hKEraserMain"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\Features\EraserLanguagesNl: "W]oe]nt$+AfxDmwRU8-eh8_'k`Tz%@Fkmylqzbp7`wpN]qvzA?]{4bVTgoItEraserLanguages"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\Features\EraserLanguages: "EraserMain"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\Features\EraserLanguagesIt: "m4v]k*vw%AD(ZY(px]+MFEu904nJb@f(=F)G`TK(^44_Y}W6HA01a)l6.Gq9EraserLanguages"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\Features\EraserLanguagesPl: "YP,IRf2Tr@c_(RQuFx9z[]?@)xD$_?~4!},gsMD@_`L-H3'[n=@QCz`T.N@WEraserLanguages"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\InstallProperties\Comments: "Secure Data Removal for Windows"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\InstallProperties\Contact: ""
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\InstallProperties\DisplayVersion: "6.2.2979"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\InstallProperties\HelpLink: "http://eraser.heidi.ie/forum/"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\InstallProperties\HelpTelephone: ""
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\InstallProperties\InstallDate: "20170929"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\InstallProperties\InstallLocation: ""
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\InstallProperties\InstallSource: "C:\Users\private\AppData\Local\Temp\eraserInstallBootstrapper\"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\InstallProperties\ModifyPath: "MsiExec.exe /I{C5900DE9-D199-4C27-B692-354C9A6A6C8B}"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\InstallProperties\Publisher: "The Eraser Project"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\InstallProperties\Readme: ""
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\InstallProperties\UninstallString: "MsiExec.exe /I{C5900DE9-D199-4C27-B692-354C9A6A6C8B}"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\InstallProperties\URLInfoAbout: "http://eraser.heidi.ie/"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\InstallProperties\URLUpdateInfo: ""
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\InstallProperties\VersionMajor: 0x00000006
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\InstallProperties\VersionMinor: 0x00000002
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\InstallProperties\WindowsInstaller: 0x00000001
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\InstallProperties\Version: 0x06020BA3
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\InstallProperties\Language: 0x00000409
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\InstallProperties\DisplayName: "Eraser 6.2.0.2979"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\9ED0095C991D72C46B2953C4A9A6C6B8\Patches\AllPatches: ""
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eraser: ""C:\Program Files\Eraser\Eraser.exe" -atRestart"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\Eraser Shell Extension: "{BC9B776A-90D7-4476-A791-79D835F30650}"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\AuthorizedCDFPrefix: ""
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\Comments: "Secure Data Removal for Windows"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\Contact: ""
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\DisplayVersion: "6.2.2979"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\HelpLink: "http://eraser.heidi.ie/forum/"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\HelpTelephone: ""
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\InstallDate: "20170929"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\InstallLocation: ""
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\InstallSource: "C:\Users\private\AppData\Local\Temp\eraserInstallBootstrapper\"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\ModifyPath: "MsiExec.exe /I{C5900DE9-D199-4C27-B692-354C9A6A6C8B}"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\Publisher: "The Eraser Project"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\Readme: ""
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\UninstallString: "MsiExec.exe /I{C5900DE9-D199-4C27-B692-354C9A6A6C8B}"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\URLInfoAbout: "http://eraser.heidi.ie/"
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\URLUpdateInfo: ""
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\VersionMajor: 0x00000006
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\VersionMinor: 0x00000002
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\WindowsInstaller: 0x00000001
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\Version: 0x06020BA3
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\Language: 0x00000409
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\DisplayName: "Eraser 6.2.0.2979"
  • HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\C:\Program Files\Eraser\Eraser.exe: "RUNASADMIN"
  • HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\App Paths\Eraser.exe\: "C:\Program Files\Eraser\Eraser.exe"
  • HKU\S-1-5-21-2652099638-2757876314-3921783638-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\private\Desktop\Eraser 6.2.0.2979.exe:  53 41 43 50 01 00 00 00 00 00 00 00 07 00 00 00 28 00 00 00 A8 59 7C 03 03 89 7C 03 01 00 00 00 00 00 00 00 00 00 00 0A 71 22 00 00 6A 92 0C E5 B7 BA D0 01 00 00 00 00 00 00 00 00 02 00 00 00 28 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 75 F8 01 00 00 00 00 00 01 00 00 00 01 00 00 00
  • HKU\S-1-5-21-2652099638-2757876314-3921783638-1001\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers\C:\Program Files\Eraser\Eraser.exe: "RUNASADMIN"

A few things to note here:

  • By default the install creates a directory structure under Program Files, including subdirectories for the language the user installed (in this case, English).  It would not be unusual for a user to uninstall the program and delete these directories in an attempt to hide that the program was installed.  However, forensic remnants in Windows shortcuts (.lnk), ShellBags, prefetch files, recent file history, Registry keys, files not deleted during uninstall, or other timeline evidence may still identify that Eraser had been installed on the system.  Even if you can’t identify what was erased, this evidence, coupled with the deletion of the directories, certainly raises questions about potential wiping activity.
  • Even savvy users may forget to delete the Windows shortcut in the Public user’s profile Desktop folder.
  • The application stores per user settings within the user’s NTUSER.DAT file.  None of this information is deleted, even if the program is uninstalled. More on this in a moment. 
  • Timeline and Registry analysis are the best methods to identify potential Eraser activity.  A lot of information about timestamp modifications to Registry keys, changes to directories and files, and other remnants remain in the timeline and provide further evidence that the application was installed at one point.
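One practical pivot through the listing above, as an added example that is not part of the original post: the Windows Installer keys under HKLM\SOFTWARE\Classes\Installer\Products, \Installer\Features and \Installer\UserData\<SID>\Components are not named by the product code you see in the Uninstall key ({C5900DE9-D199-4C27-B692-354C9A6A6C8B}) but by its "squished" form (9ED0095C991D72C46B2953C4A9A6C6B8): the first three groups of the GUID are reversed as whole strings, the last two byte by byte, and the hyphens and braces are dropped.  The Python below converts between the two encodings and groups artifact lines by the product they reference, so the SourceHash file, the Uninstall key and the Installer\Products key can be tied together even when only one of them survives.  The sample lines are constructed from entries in the listing above; the function names are my own.

```python
import re
from collections import defaultdict

# A registry-style GUID such as {C5900DE9-D199-4C27-B692-354C9A6A6C8B}; braces optional.
GUID_RE = re.compile(
    r"\{?([0-9A-Fa-f]{8})-([0-9A-Fa-f]{4})-([0-9A-Fa-f]{4})-"
    r"([0-9A-Fa-f]{4})-([0-9A-Fa-f]{12})\}?"
)
# A run of exactly 32 hex digits: the "squished" form used for key names under
# Installer\Products, Installer\Features and Installer\UserData\<SID>\Components.
SQUISHED_RE = re.compile(r"(?<![0-9A-Fa-f])[0-9A-Fa-f]{32}(?![0-9A-Fa-f])")


def _swap_pairs(hexstr):
    """Reverse the two nibbles of every byte: 'B692' -> '6B29'."""
    return "".join(hexstr[i + 1] + hexstr[i] for i in range(0, len(hexstr), 2))


def squish_guid(guid):
    """{GUID} -> 32-hex Installer key name.

    Windows Installer reverses the first three groups of the GUID as whole
    strings and the last two groups byte by byte, then drops hyphens and braces.
    """
    m = GUID_RE.fullmatch(guid.strip())
    if m is None:
        raise ValueError("not a GUID: %r" % guid)
    g1, g2, g3, g4, g5 = (part.upper() for part in m.groups())
    return g1[::-1] + g2[::-1] + g3[::-1] + _swap_pairs(g4) + _swap_pairs(g5)


def unsquish_guid(squished):
    """Inverse of squish_guid: 32 hex digits -> canonical upper-case {GUID}."""
    s = squished.strip().upper()
    if SQUISHED_RE.fullmatch(s) is None:
        raise ValueError("not a squished GUID: %r" % squished)
    parts = (s[0:8][::-1], s[8:12][::-1], s[12:16][::-1],
             _swap_pairs(s[16:20]), _swap_pairs(s[20:32]))
    return "{" + "-".join(parts) + "}"


def guids_in(line):
    """All GUIDs one artifact line refers to, as canonical {GUID} strings,
    whether written out normally or as a squished Installer key name."""
    found = {"{" + "-".join(p.upper() for p in m.groups()) + "}"
             for m in GUID_RE.finditer(line)}
    found.update(unsquish_guid(m.group(0)) for m in SQUISHED_RE.finditer(line))
    return found


def correlate(lines):
    """Bucket artifact lines by referenced GUID, so the SourceHash file, the
    Uninstall key, and the Installer\\Products / UserData entries of one MSI
    product end up together regardless of which encoding each one uses."""
    buckets = defaultdict(list)
    for line in lines:
        for guid in guids_in(line):
            buckets[guid].append(line)
    return dict(buckets)


# Constructed sample: entries copied from the installation listing above.
SAMPLE_ARTIFACTS = [
    r'C:\Windows\Installer\SourceHash{C5900DE9-D199-4C27-B692-354C9A6A6C8B}',
    r'C:\Windows\Installer\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\Eraser.exe',
    r'HKLM\SOFTWARE\Classes\Installer\Products\9ED0095C991D72C46B2953C4A9A6C6B8\ProductName: "Eraser 6.2.0.2979"',
    r'HKLM\SOFTWARE\Classes\Installer\Features\9ED0095C991D72C46B2953C4A9A6C6B8\EraserMain: ""',
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\B82F7D9DE5F14AD4F82FF4D80C134E27\9ED0095C991D72C46B2953C4A9A6C6B8: "C:\Program Files\Eraser\Eraser.exe"',
    r'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{C5900DE9-D199-4C27-B692-354C9A6A6C8B}\UninstallString: "MsiExec.exe /I{C5900DE9-D199-4C27-B692-354C9A6A6C8B}"',
    r'HKLM\SOFTWARE\Classes\CLSID\{BC9B776A-90D7-4476-A791-79D835F30650}\: "Eraser Shell Extension"',
    r'C:\Program Files\Eraser\Eraser.exe',
]

if __name__ == "__main__":
    for guid, hits in sorted(correlate(SAMPLE_ARTIFACTS).items()):
        print(guid, "squished as", squish_guid(guid))
        for hit in hits:
            print("   ", hit)
```

The Components key names (Components\B82F7D9D...) unsquish the same way, but to a component GUID rather than the product code, which is why they land in a bucket of their own; the product code appears as the value name under each component, so the Components line still lands in the product bucket too.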

Registry settings in NTUSER.DAT

As I mentioned, Eraser stores its per user settings in a user's NTUSER.DAT file.  Let's go through each of them. 

Changes to the Eraser Registry values are made by changing settings in the application.  To do that, open the application and then select Settings.

Eraser Main Page

We have no scheduled tasks so the list is empty.

Eraser Settings Page

Each of the settings above correlates with a specific Registry value under HKCU\SOFTWARE\Eraser\Eraser 6\.  These are listed in the table below:

Setting → Registry value → Meaning

  • Integrate Eraser into Windows Explorer → IntegrateWithShell → 1 = Enabled, 0 = Disabled
  • Default file erasure method → DefaultFileErasureMethod → method GUID (see below)
  • Default drive erasure method → DefaultDriveErasureMethod → method GUID (see below)
  • Force locked files to be unlocked for erasure → ForceUnlockLockedFiles → 1 = Enabled, 0 = Disabled
  • Replace erased files with the following files for plausible deniability → PlausableDeniability → 1 = Enabled, 0 = Disabled
  • (same setting) → PlausableDeniabilityFiles → clear text list of the files used (see below)
  • Automatically remove tasks which run immediately and complete successfully → ClearCompletedTasks → 1 = Enabled, 0 = Disabled
  • Execute the task when Eraser next starts → ExecuteMissedTasksImmediatly → 1 = Enabled, 0 = Disabled

Erasure method → Value of DefaultFileErasureMethod or DefaultDriveErasureMethod

  • Gutmann (35 passes) → 1407fc4e-feff-4375-b4fb-d7efbb7e9922
  • US DoD 5220.22-M (8-306./E, C & E) (7 passes) → d1583631-702e-4dbf-a0e9-c35dba481702
  • RCMP TSSIT OPS-II (7 passes) → f335cc40-5de5-4733-90b1-6957b4a45688
  • Schneier 7 pass (7 passes) → b1bfab4a-31d3-43a5-914c-e9892c78afd8
  • German VSITR (7 passes) → 607632b2-651b-4935-883a-bdaa74febb54
  • US DoD 5220.22-M (8-306./E) (3 passes) → ecbf4998-0b4f-445c-9a06-23627659e419
  • British HMG IS5 (Enhanced) (3 passes) → 45671da4-9401-46e4-9c0d-89b94e89c8b5
  • US Air Force 5020 (3 passes) → 7bf5b185-8ea5-4e12-83f1-f6c2efb3d2c2
  • US Army AR380-19 (3 passes) → 0fe620ea-8055-4861-b5bb-bd8bdc3fd4ac
  • Russian GOST P50739-95 (2 passes) → 92681583-f484-415f-a66c-cc210222edc5

Eraser settings with plausible deniability files

Eraser plausible deniability in the Registry

The first takeaway from this post should be this: HKCU\SOFTWARE\Eraser does not exist in the Registry until the user launches the application for the first time.  Once the application is launched, it only creates this "structure":

Eraser Registry structure at first launch

If this default Registry “structure” for Eraser is there, then this is proof that someone using the account at least was aware of the application and launched it. 

None of the Registry values associated with Eraser Settings appear under HKCU\SOFTWARE\Eraser\Eraser 6\ until Save Settings is clicked.  This is true even if I change nothing and just click Save Settings.  If any of the Registry values associated with Eraser Settings exist under HKCU\SOFTWARE\Eraser\Eraser 6\, this is proof that someone using the account launched the application and saved settings.

Eraser Registry structure after settings change

The second takeaway from this post should be this – even if you can't identify what was erased, it is possible to tie a user account to potential Eraser activity on the drive.  All of the information, including choices about configuration settings, is stored in these Registry values, and it is not deleted when the program is uninstalled.  Again, the existence of these Registry values certainly would raise questions about potential wiping activity.

The caveat to both takeaways is that the Registry values could have been manually deleted by the user – if they followed the directions for removing all traces of Eraser from a system.  However, that deletion activity would potentially be identified by timeline analysis, or by examination of the Registry for deleted information.  And, of course, if you find other evidence that Eraser once existed on the drive, and do not find these Registry values, that can potentially be used to raise questions about wiping as well.
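To turn the two takeaways into a repeatable check, here is an added example (mine, not the post's) that reads RegShot-style report lines, attributes every HKU\<SID>\SOFTWARE\Eraser hit to its user account, and classifies the account as "launched, no settings saved" (only the key skeleton exists) or "settings saved" (at least one value exists directly under Eraser 6), decoding the saved values with the table above (method GUIDs, including the three listed in the comment below; value names spelled as in the table).  Assumptions: lines look like RegShot's `key\path` for keys and `key\path\ValueName: data` for values, DWORDs are rendered as 0x00000001 and strings in double quotes, and the report is constructed for the example rather than captured from the test VM.

```python
import re
from collections import defaultdict

# Erasure-method GUIDs -> names, as listed in this post (the table above plus
# the three methods added in the comment below).
ERASURE_METHODS = {
    "1407fc4e-feff-4375-b4fb-d7efbb7e9922": "Gutmann (35 passes)",
    "d1583631-702e-4dbf-a0e9-c35dba481702": "US DoD 5220.22-M (8-306./E, C & E) (7 passes)",
    "f335cc40-5de5-4733-90b1-6957b4a45688": "RCMP TSSIT OPS-II (7 passes)",
    "b1bfab4a-31d3-43a5-914c-e9892c78afd8": "Schneier 7 pass (7 passes)",
    "607632b2-651b-4935-883a-bdaa74febb54": "German VSITR (7 passes)",
    "ecbf4998-0b4f-445c-9a06-23627659e419": "US DoD 5220.22-M (8-306./E) (3 passes)",
    "45671da4-9401-46e4-9c0d-89b94e89c8b5": "British HMG IS5 (Enhanced) (3 passes)",
    "7bf5b185-8ea5-4e12-83f1-f6c2efb3d2c2": "US Air Force 5020 (3 passes)",
    "0fe620ea-8055-4861-b5bb-bd8bdc3fd4ac": "US Army AR380-19 (3 passes)",
    "92681583-f484-415f-a66c-cc210222edc5": "Russian GOST P50739-95 (2 passes)",
    "9acdbd78-0406-4116-87e5-263e5e3b2e0d": "British HMG IS5 (Baseline) (1 pass)",
    "bf8ba267-231a-4085-9bf9-204de65a6641": "Pseudorandom (1 pass)",
    "0c2e07bf-0207-49a3-ade8-46f9e1499c01": "First/Last 16KB Erasure",
}

# Value names under HKCU\SOFTWARE\Eraser\Eraser 6, spelled as in the table above
# (matched case-insensitively).
BOOL_VALUES = {"integratewithshell", "forceunlocklockedfiles", "plausabledeniability",
               "clearcompletedtasks", "executemissedtasksimmediatly"}
METHOD_VALUES = {"defaultfileerasuremethod", "defaultdriveerasuremethod"}

# One report line: "key\path" (a key) or "key\path\ValueName: data" (a value).
# Assumption: the first ": " separates the path from the data.
LINE_RE = re.compile(r"^(?P<path>HK[A-Z_]+\\.*?)(?:: (?P<data>.*))?$")

# The per-user Eraser key, either under HKU\<SID> (RegShot, offline hive) or
# directly under HKCU (live system export).
ERASER_KEY_RE = re.compile(
    r"^(?:HKU\\(?P<sid>S-1-5-21-[\d-]+)|HKCU)\\SOFTWARE\\Eraser(?P<sub>\\.*)?$",
    re.IGNORECASE,
)


def decode_value(name, data):
    """Turn the report's rendering of a value into something readable.
    Assumption: DWORDs appear as 0x00000001, strings as "quoted text"."""
    text = data.strip().strip('"')
    lname = name.lower()
    if lname in METHOD_VALUES:
        return ERASURE_METHODS.get(text.lower().strip("{}"), "unknown method " + text)
    if lname in BOOL_VALUES:
        number = int(text, 16) if text.lower().startswith("0x") else int(text)
        return number != 0
    return text


def triage(report_lines):
    """Per user account: was Eraser launched, and were settings ever saved?

    Returns {sid: {"stage": ..., "settings": {...}}}. An account appears only
    if its SOFTWARE\\Eraser key exists (first takeaway); its stage becomes
    "settings saved" only if a value exists directly under Eraser 6 (second).
    """
    users = defaultdict(lambda: {"stage": "launched, no settings saved", "settings": {}})
    for raw in report_lines:
        m = LINE_RE.match(raw.strip())
        if m is None:
            continue
        path, data = m.group("path"), m.group("data")
        if data is None:                      # a key line
            key, name = path, None
        else:                                 # a value line: split off the value name
            key, _, name = path.rpartition("\\")
        km = ERASER_KEY_RE.match(key)
        if km is None:
            continue
        entry = users[km.group("sid") or "HKCU"]
        if name is not None and (km.group("sub") or "").lower() == "\\eraser 6":
            entry["settings"][name] = decode_value(name, data)
            entry["stage"] = "settings saved"
    return dict(users)


# Constructed report (not captured from the test VM): one account that saved
# settings, one that only launched the application, plus an unrelated HKLM line.
SAMPLE_REPORT = r"""
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Eraser: ""C:\Program Files\Eraser\Eraser.exe" -atRestart"
HKU\S-1-5-21-2652099638-2757876314-3921783638-1001\SOFTWARE\Eraser
HKU\S-1-5-21-2652099638-2757876314-3921783638-1001\SOFTWARE\Eraser\Eraser 6
HKU\S-1-5-21-2652099638-2757876314-3921783638-1001\SOFTWARE\Eraser\Eraser 6\IntegrateWithShell: 0x00000001
HKU\S-1-5-21-2652099638-2757876314-3921783638-1001\SOFTWARE\Eraser\Eraser 6\DefaultFileErasureMethod: "1407fc4e-feff-4375-b4fb-d7efbb7e9922"
HKU\S-1-5-21-2652099638-2757876314-3921783638-1001\SOFTWARE\Eraser\Eraser 6\DefaultDriveErasureMethod: "bf8ba267-231a-4085-9bf9-204de65a6641"
HKU\S-1-5-21-2652099638-2757876314-3921783638-1001\SOFTWARE\Eraser\Eraser 6\PlausableDeniability: 0x00000001
HKU\S-1-5-21-2652099638-2757876314-3921783638-1001\SOFTWARE\Eraser\Eraser 6\PlausableDeniabilityFiles: "C:\Users\private\Documents\cover.docx"
HKU\S-1-5-21-2652099638-2757876314-3921783638-1002\SOFTWARE\Eraser
HKU\S-1-5-21-2652099638-2757876314-3921783638-1002\SOFTWARE\Eraser\Eraser 6
""".strip().splitlines()

if __name__ == "__main__":
    for sid, entry in triage(SAMPLE_REPORT).items():
        print(sid, "->", entry["stage"])
        for name, value in entry["settings"].items():
            print("    %s = %r" % (name, value))
```

Because the report is keyed by SID, the result can be read straight across to the NTUSER.DAT that produced it; a hive with no SOFTWARE\Eraser key simply never appears in the output, which is the "never launched" case.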

So, that is the good news; in the next part we will dig into the bad news.

One Reply to “Forensic Artifacts of Eraser – part 1”

  1. And of course – 3 of the Erasure methods did not get saved in my table. They are:

    British HMG IS5 (Baseline) (1 pass) 9acdbd78-0406-4116-87e5-263e5e3b2e0d

    Pseudorandom (1 pass) bf8ba267-231a-4085-9bf9-204de65a6641

    First/Last 16kb Erasure 0c2e07bf-0207-49a3-ade8-46f9e1499c01
