For a forensic analyst, the use of cleanup software on a system can often cause real difficulties. Designed to clean up unused files and protect a user’s privacy, tools like CCleaner, Bleachbit or Wise Disk Cleaner will remove or alter various files which may contain artefacts (i.e. files or data sources which may contain remnants of events that occurred on the system) of a user’s actions on the system. However, since these tools can make changes to system files which are regularly used in a forensic examination, they can also be used as anti-forensic tools by a user wishing to cover their tracks.
We recently encountered a system during an investigation into a malicious insider where the user had run CCleaner in an attempt to sanitise it before returning it to their employer. As a result, we wanted to determine the possibilities for recovering data after running CCleaner on a Windows 10 system. To test this, we created a Windows 10 Professional virtual machine (VM) and performed basic user actions such as:
The degree of CCleaner's impact on the filesystem is determined by options that are specified by the user before its execution. By default, CCleaner has only a handful of these options enabled. Our focus was on this untouched ‘default’ state, and a ‘maximum’ state whereby all possible options were enabled. The actions specified above left several common forensic artefacts; we then ran CCleaner in both states to assess the impact that this had on their availability.
We focused on forensic artefacts that are commonly relied on when investigating a Windows system, and analysed how these were affected by CCleaner when run in its default and maximum states.
During testing, we used a Windows 10 Professional virtual machine running in VMware Workstation 14, and CCleaner version 5.49.6856 64-bit. Based on our experience, the following artefacts are particularly useful to test, because they offer a large amount of data relevant to most digital forensic investigations:
The following steps were taken to generate test data:
Windows registry NTUSER.dat and UsrClass.dat hives contain configuration settings for each user profile on the system and contain a wealth of data which can be parsed to establish a user’s activity. In these hives we can establish the user’s most recent documents opened, folders accessed using Windows Explorer, URLs typed and application settings.
This presents a useful starting place when analysing a system which has been affected by CCleaner. Parsing NTUSER.dat with a tool such as RegRipper allows the analyst to determine which CCleaner settings were used, as an indicator of which artefacts likely remain. RegRipper contains a plugin for this specific purpose; however, the settings that CCleaner was last run with can also be inferred manually by checking the values of keys at HKCU\Software\Piriform\CCleaner. This should not be considered hard evidence, however, as theoretically a user could perform a cleaning operation and then change the CCleaner settings, abusing the fact that only the last settings used reside in this registry hive.
In our testing, the UsrClass.dat registry hive was unaffected by running CCleaner with either default or maximum settings. The NTUSER.dat hive was also unaffected, with the exception of UserAssist, which was deleted when it was explicitly selected as part of CCleaner’s maximum settings. UserAssist is of particular value when attempting to prove a user visited certain folders using Explorer.
Additionally, no changes were noted in any of the system level registry hives.
By default, events are recorded by Windows and stored in log files, with System and Security event logs typically being of high forensic value. At the time of writing, there are no supported methods to delete individual entries in the event logs. When a complete log file is deleted, event ID 1102 or 104 is generated, both indicating that a log has been cleared. However, a tool has been released into the public domain which allows individual event log entries to be unlinked, causing them to remain on disk but not be shown when viewing a log file.
When CCleaner was run with default settings, there was no impact to the System and Security event logs. However, as one of its advanced options, CCleaner has the capacity to clear event logs. Therefore, when run under its maximum settings, both of these logs were cleared, removing almost all forensic value. It may be possible to recover these logs in free and unused sector space at the end of a file (slack space).
Depending on the system type and configuration, it may be possible to recover older versions of these logs from memory dumps, the hibernation file (hiberfile.sys), volume shadow copies or centralised logging systems.
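The "log cleared" events described above can be pulled out of an XML export of the event logs. The following is an added example, not part of the original article; the sample events and the user name `testuser` are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}  # IDs named in the text

def _event(channel, event_id, when, user_data=""):
    """Build one constructed <Event> element for the sample below."""
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID>'
            f'<TimeCreated SystemTime="{when}"/><Channel>{channel}</Channel>'
            f'</System>{user_data}</Event>')

_CLEARED = ('<UserData><LogFileCleared xmlns="http://manifests.microsoft.com/'
            'win/2004/08/windows/eventlog"><SubjectUserName>testuser'
            '</SubjectUserName></LogFileCleared></UserData>')

# Constructed sample, not real evidence: one ordinary logon plus two clears.
SAMPLE = "<Events>" + "".join([
    _event("Security", 4624, "2018-11-20T10:01:00.000Z"),
    _event("Security", 1102, "2018-11-20T10:15:01.000Z", _CLEARED),
    _event("System", 104, "2018-11-20T10:15:02.000Z", _CLEARED),
]) + "</Events>"

def _local(tag):
    """Strip the '{namespace}' prefix ElementTree puts on tag names."""
    return tag.rsplit("}", 1)[-1]

def find_log_clears(xml_text):
    """Return one dict per 'log cleared' event, oldest first."""
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        system = ev.find("e:System", NS)
        key = (system.findtext("e:Channel", namespaces=NS),
               int(system.findtext("e:EventID", namespaces=NS)))
        if key not in CLEAR_EVENTS:
            continue
        # UserData children use a different namespace, so match by local name.
        fields = {_local(el.tag): el.text for el in ev.iter()}
        hits.append({"channel": key[0], "event_id": key[1],
                     "time": system.find("e:TimeCreated", NS).get("SystemTime"),
                     "cleared_by": fields.get("SubjectUserName")})
    return sorted(hits, key=lambda h: h["time"])

if __name__ == "__main__":
    for hit in find_log_clears(SAMPLE):
        print(hit)
```

The timestamp and account recorded in these events help place the cleaning operation on the investigation timeline, even though the earlier log content is gone.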
There are several artefacts which can be used as evidence of execution in Windows. The Amcache, Shimcache (AppCompatCache) and prefetch files can all be used to prove if an executable has been run and, sometimes, when and how many times it was run. Evidence of execution is often crucial in investigations where malware is involved to establish a timeline of events.
In our testing, Amcache, Shimcache and prefetch were all unaffected by running CCleaner in both default and maximum settings. This leaves the analyst a significant body of data to establish a timeline of execution, including the execution of CCleaner itself, despite a suspect's anti-forensic efforts.
Thumbnails are a small-scale preview of a file, for example, a small picture for a photo. As with jump lists, the cache in which these thumbnails are stored can be opened by an analyst and provide useful evidence of a file that was saved to disk, potentially even after its deletion. CCleaner removed all useful information from these files in both its default and maximum settings.
A highly useful artefact of user activity is WebCacheV01.dat, which contains all browsing history, cookies and download history associated with the Microsoft Edge web browser. Interestingly, despite CCleaner indicating it had wiped Edge browsing history in our test scenario, some evidence of browsing history remained in this file while some was removed. When CCleaner is run using maximum settings, this information is removed; however, evidence of web browsing can be found elsewhere on disk.
After a default CCleaner run, the free space on the drive was littered with URLs that had been visited; although this information cannot be reliably found, it provides strong evidence of browsing activity.
To simulate a user deleting a file and trying to use CCleaner to cover their tracks, we created two simple files full of repetitive text, file ‘A’ and file ‘B’, and sent them to the recycling bin; file B was subsequently removed from the recycling bin.
After using CCleaner with its default settings, files A and B were clearly visible in the free space of the volume. This was expected, as free space is not affected by CCleaner using default settings. Under its maximum settings, CCleaner wipes free disk space. Following the clean, no contents of either file A or B were found in existing files or free space.
There were, however, remnants of file B’s contents found in slack space. Typically, when a computer saves a file, it is placed in a sector of a fixed size on the hard disk. The disk space in that sector that is not used by the file’s data is called slack space. In this case, file B once occupied the entire sector. After its thorough deletion by the user, the sector was assigned to another new file of a smaller size; the remainder of the sector not filled by the new file is slack space, and is therefore occupied by the historic data of file B. The contents of slack space are highly variable and cannot be relied on for consistent retrieval of deleted files. Despite this variability, these findings highlight the fact that information that could be vital to a forensic investigation can persist despite concentrated efforts to remove it.
When interacting with the taskbar, a user is presented with an option of quick access to files that they have recently accessed using that application. These options are called jump lists and their information is stored in multiple files on disk. Jump lists can be a valuable source of information to demonstrate which files were recently accessed by the user and when.
In our testing, jump list files were modified by both the default and maximum setting configurations of CCleaner. When analysing jump lists connected to our created test files A and B in their raw format, both of their file names were still visible. Upon loading them into a jump list viewer, these file names were not visible. In their raw format, it is clear that the jump list files have been both edited and truncated by CCleaner, which may explain the incompatibility with the jump list viewer. It may, however, be possible to recover jump list files from unallocated space or file slack, since they have a predictable file structure.
Fig 1. Demonstrates jump list file truncation before (left) and after (right) running CCleaner.
Fig 2. Demonstrates mid file modifications in hexadecimal before (left) and after (right) running CCleaner.
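To illustrate what recovery by "predictable file structure" can look like, the sketch below scans a raw buffer for candidate jump list files. It is an added example, not the authors' tooling, and assumes the AutomaticDestinations jump list format: an OLE compound file containing a stream named `DestList`. The function names and sample buffer are constructed.

```python
import struct

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")   # compound file signature
DESTLIST = "DestList".encode("utf-16-le")       # stream name, stored as UTF-16
SECTOR = 512                                    # files start on sector boundaries

def valid_cfb_header(hdr):
    """Check fixed header fields so a bare signature match is not enough."""
    if len(hdr) < 34 or hdr[:8] != OLE_MAGIC:
        return False
    _minor, major, order, shift, mini = struct.unpack_from("<5H", hdr, 24)
    # v3 files use 512-byte sectors (shift 9), v4 use 4096-byte (shift 12).
    return order == 0xFFFE and mini == 6 and (major, shift) in {(3, 9), (4, 12)}

def carve_jump_lists(image, window=1 << 20):
    """Return (offset, has_destlist) for each valid header in a raw image.

    has_destlist is a heuristic: the name is searched for in the next
    `window` bytes, which assumes the file was stored contiguously.
    """
    hits = []
    for off in range(0, len(image), SECTOR):
        if valid_cfb_header(image[off:off + 34]):
            hits.append((off, DESTLIST in image[off:off + window]))
    return hits

def _header(major, shift):
    """Build a constructed 34-byte compound file header prefix."""
    return OLE_MAGIC + bytes(16) + struct.pack("<5H", 0x3E, major, 0xFFFE, shift, 6)

def build_sample():
    """Constructed stand-in for unallocated space, not real evidence."""
    img = bytearray(20 * SECTOR)
    img[1024:1058] = _header(3, 9)            # jump-list-like file
    img[1536:1536 + len(DESTLIST)] = DESTLIST
    img[4096:4104] = OLE_MAGIC                # signature only: rejected
    img[8192:8226] = _header(4, 12)           # other compound file
    return bytes(img)

if __name__ == "__main__":
    for offset, is_jump_list in carve_jump_lists(build_sample()):
        print(f"0x{offset:06x} DestList={is_jump_list}")
```

Other file types share the compound file signature, so offsets without a `DestList` match are candidates for other document types rather than jump lists.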
Cleanup tools such as CCleaner do have a significant impact on the data available to a forensic examiner. However, as shown in our findings - on jump lists and slack space in particular - it doesn’t mean that an investigation is a lost cause. Several useful artefacts are untouched even with maximum CCleaner settings applied and remnant data can sometimes be found in slack space, unallocated space and alternative sources such as the hibernation file. These remnants could still lead an examiner to findings which could significantly aid an investigation.