Re: Torpark writes to system temp folder

I can also confirm that in all cases that I have run on the new
torpark, there are files that are created and erased when the program
closes. This happens when you use a thumb drive or a folder on the
HDD.

Impeding further research into what exactly is causing this,
though, is the fact that PortableApps.com seems to be having web page
problems. Given, though, that the temporary files are erased upon
closure, I think that the security risk is minimal for the moment. It
appears that when the program closes, it cleans up after itself, and
in the process leaves one file behind.

The file, called <ExecDos.dll>, is 6k in size consistently. I checked
out what I could with a hex editor and couldn't find anything that
changed from file to file in the six different times I examined it.
Each time I peered at it was after putting Torpark through its paces,
e.g. navigating the net. So I don't personally think that there is any
session information stored in the file.

For a better opinion on this file you will probably have to
ask John or Steve.

There won't be much evidence to go on unless you are caught in
the act, at which point there will be better evidence than a small,
hard-to-notice file buried in the computer.

So there you have it, a lot of words not to say much about anything.
hehehe

-=Matt=-

On 2/24/06, Jan Reister <Jan.Reister@xxxxxxxx> wrote:
> On 24/02/2006 04:22, Matt Thorne wrote:
> > I believe, although I am not certain, that this is because the
> > temporary folder is relative to the base drive letter that the torpark
> > folder rests in. So you are probably correct in that it is because you
> > aren't using a thumbdrive.
> > I will attempt to confirm this and get back to the group.
>
> I quickly ran Torpark from a USB thumbdrive, on Win XP Pro SP2.
>
> I see new files and directories created in
> C:\Document and Settings\username\Local settings\Temp
>
> To me, it looks like a gif, 4 dll, a folder and a TMP, but this may not
> be forensically sound information since I'm using the default Windows
> file browser and had no opportunity to run my usual tools.
>
> On Torpark quit, TMP file is removed. On Torpark restart, a new folder
> with identical contents (dlls, gif) and a TMP is created.
>
> To me, it looks like it is possible to determine if someone used Torpark
> on a PC by looking at these files. As for obtaining other information
> about the Torpark session, I am skeptical.
>
> Jan
>
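Both posts above compare the temp folder before and after a Torpark run and then ask whether the one file left behind ever changes between sessions. The script below is an added example, not code from the thread or from Torpark/PortableApps.com, that automates that check: snapshot a directory, diff two snapshots, and hash the leftover file across several runs to see whether it carries per-session state. The directory, the "helper.dll" and "session.TMP" file names, and the three simulated runs in `demo()` are constructed for the demonstration; point `snapshot()` at the real temp path (for example `%TEMP%`) to repeat the observation on a live system.

```python
"""Snapshot a directory before/after running a program and report what was
created, removed or changed; then check whether a file left behind is
byte-identical across runs. Added example; all file names are constructed."""
import hashlib
import os
import shutil
import tempfile


def snapshot(root):
    """Map every file under root (path relative to root) to (sha256, size)."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            with open(full, "rb") as fh:
                digest = hashlib.sha256(fh.read()).hexdigest()
            result[rel] = (digest, os.path.getsize(full))
    return result


def diff_snapshots(before, after):
    """Return (created, removed, changed) as sorted lists of relative paths."""
    created = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(p for p in set(before) & set(after) if before[p] != after[p])
    return created, removed, changed


def leftovers_are_identical(run_snapshots, relpath):
    """True if relpath exists in every run's snapshot with the same hash and
    size: the automated form of comparing the file in a hex editor after
    each session. A file that never varies holds no per-session state."""
    values = {snap.get(relpath) for snap in run_snapshots}
    return len(values) == 1 and None not in values


def demo(runs=3):
    """Simulate `runs` program sessions in a scratch directory (constructed
    data): each session drops a random session.TMP plus a constant 6 KiB
    helper.dll, then deletes only the TMP on exit."""
    root = tempfile.mkdtemp(prefix="tempwatch-")
    try:
        empty = snapshot(root)
        after_exit = []
        created_during = []
        for _ in range(runs):
            session = os.path.join(root, "session.TMP")
            with open(session, "wb") as fh:
                fh.write(os.urandom(32))             # varies per session
            with open(os.path.join(root, "helper.dll"), "wb") as fh:
                fh.write(b"\x00" * 6144)             # identical every session
            created_during, _, _ = diff_snapshots(empty, snapshot(root))
            os.remove(session)                       # simulated cleanup on exit
            after_exit.append(snapshot(root))
        left_behind, _, _ = diff_snapshots(empty, after_exit[-1])
        return {
            "created_during_run": created_during,
            "left_behind": left_behind,
            "leftover_identical": leftovers_are_identical(after_exit, "helper.dll"),
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The useful signal is the combination: the set of files still present after exit tells you what a later examiner could find, and `leftovers_are_identical` tells you whether that file is merely a constant component (nothing session-specific to recover) or varies with use. Run the snapshot from a separate interpreter rather than from inside the program under test, so the observation itself does not add files to the directory being measured.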