JFlanigan
Posted July 5, 2013 (edited)

XXXXXXXXXXXXXXXXXXXXXXXX identifies some areas where CCleaner needs to look into. Some evidence of a TOR installation that was deleted before running CCleaner.

C:\Windows\Prefetch\START TOR BROWSER.EXE-F5557FAC.pf
C:\Windows\Prefetch\TBB-FIREFOX.EXE-350502C5.pf
C:\Windows\Prefetch\TOR-BROWSER-2.3.25-6_EN-US.EX-1354A499.pf
C:\Windows\Prefetch\TOR.EXE-D7159D93.pf
C:\Windows\Prefetch\VIDALIA.EXE-5167E0BC.pf

The thumbcaches identified in the article were all clear. I have not checked all of the files mentioned in the article. I am using v4.00.4064

Edited July 5, 2013 by DennisD

DennisD (Moderators)
Posted July 5, 2013

Hi jFlanigan, and welcome to the forum.

I would be happy for you to link to a legitimate website containing the article you mention, but we can't allow links to direct downloads for obvious reasons. Especially from a non regular member, and I don't mean that to be personal.

I've therefore removed the direct download link.

JFlanigan (Author)
Posted July 5, 2013

Hi Dennis.

No problem and I apologize for violating any forum rule on my first visit. Why do you consider that site not to be legitimate? Its software provides secure and anonymous communication and is highly regarded. See Wikipedia for more information.

My objective was not to make it appear that you or Piriform endorsed the product. The document enlightened me to the fact that there is residual information in the pre-fetch directory that CCleaner should detect and remove.

Best Regards,
John

Augeas (Moderators)
Posted July 5, 2013

Yes, Prefetch contains entries for the TOR browser bundle, which is portable, and other portable programs as well as programs run under Sandboxie, for instance. I guess CC doesn't touch current entries as prefetch is a valid part of the operating system. CC will delete old entries (14 days plus), or if you're really worried you could switch off prefetch for user programs.

As has been said many times before CC is not a forensic evidence cleaner.
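
An added example, not part of the original thread and not CCleaner's code: a read-only Python audit that parses Prefetch file names like those in the first post and sorts them by the 14-day age cut-off mentioned above. The cut-off is taken from the post as an assumption, the sample timestamps are constructed, and the function names are hypothetical.

```python
import os
import re
from datetime import datetime, timedelta

# Prefetch files are named EXENAME-HASH.pf. Windows keeps at most 29
# characters of the executable name; HASH is 8 hex digits derived from
# the path the program was started from.
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)
MAX_EXE_CHARS = 29

def parse_prefetch_name(path):
    """Return (exe_name, path_hash, maybe_truncated) or None if not a .pf name."""
    filename = path.replace("/", "\\").rsplit("\\", 1)[-1]
    m = PF_NAME.match(filename)
    if m is None:
        return None
    exe = m.group("exe")
    return exe, m.group("hash").upper(), len(exe) == MAX_EXE_CHARS

def audit(entries, now, max_age_days=14):
    """Classify (path, last_modified) pairs against the assumed age cut-off."""
    cutoff = now - timedelta(days=max_age_days)
    rows = []
    for path, mtime in entries:
        parsed = parse_prefetch_name(path)
        if parsed is None:
            continue  # skip non-.pf files such as Layout.ini
        exe, path_hash, maybe_truncated = parsed
        rows.append({"exe": exe, "hash": path_hash,
                     "maybe_truncated": maybe_truncated,
                     "status": "old" if mtime < cutoff else "current"})
    return rows

def scan(directory=r"C:\Windows\Prefetch"):
    """Collect (path, last_modified) for a live Prefetch directory."""
    return [(e.path, datetime.fromtimestamp(e.stat().st_mtime))
            for e in os.scandir(directory) if e.is_file()]

# Constructed sample: file names from the first post, timestamps invented.
SAMPLE = [
    (r"C:\Windows\Prefetch\TOR.EXE-D7159D93.pf", datetime(2013, 7, 4)),
    (r"C:\Windows\Prefetch\TOR-BROWSER-2.3.25-6_EN-US.EX-1354A499.pf", datetime(2013, 6, 1)),
    (r"C:\Windows\Prefetch\Layout.ini", datetime(2013, 7, 4)),
]

if __name__ == "__main__":
    for row in audit(SAMPLE, now=datetime(2013, 7, 5)):
        print(row)
```

On a live system, `audit(scan(), datetime.now())` produces the same report; reading the Prefetch directory normally requires an elevated prompt.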

DennisD (Moderators)
Posted July 6, 2013

> Hi Dennis.
>
> Why do you consider that site not to be legitimate? Its software provides secure and anonymous communication and is highly regarded. See Wikipedia for more information.
>
> Best Regards,
> John

My apologies, you misunderstand my meaning John.

I didn't open the PDF in your link, and there's nothing in your post to indicate which site the article came from.

I simply meant you can provide a link to any legitimate website in your post, and I've no reason to doubt that the one you refer to is a legitimate one.

We can get new members, and spammers sadly, who provide links to some unusual places, hence the need to mention "legitimate".

By all means, supply us with the link to the site containing the article, and I hope that clears up the misunderstanding.

JFlanigan (Author)
Posted July 7, 2013

Dennis and Augeas,

Here is the link we have been speaking of.

https: // research(dot)torproject(dot)org/techreports/tbb-forensic-analysis-2013-06-28.pdf

Thanks for your good responses.

Regards,
John