[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: Torpark writes to system temp folder



On 24/02/2006 04:22, Matt Thorne wrote:
> I beleive, although I am not certain, that this is because the
> temporary folder is relative to the base drive letter that the torpark
> folder rests in. so you are probably correct in that it is because you
> aren't using a thumbdrive.
> I will attempt to confirm this and get back to the group.

I quickly ran Torpark from a USB thumbdrive, on Win XP Pro SP2.

I see new files and directories created in
C:\Document and Settings\username\Local settings\Temp

To me, it looks like a gif, 4 dll, a folder and a TMP, but this may not
be forensically sound information since I'm using the default Windows
file browser and had no opportunity to run my usual tools.

On Torpark quit, TMP  file is removed. On Torpark restart, a new folder
with identical contents (dlls, gif) and a TMP is created.

To me, it looks like it is possible to determine if someone used Torpark
on a  pc by looking at this files. As for obtaining other information
abut the Torpark session, I am skeptical.

Jan