Identifying uninstalled software using TOR (version 0.2.2.30) as an example

Most programs leave traces of information in the windows registry when it was previously run or installed on your hard drive. You can use the Create and Compare Signature function in OSForensics to search for a particular program that has been installed or previously installed.

In this tutorial, we will demonstrate how to search for the previously installed TOR Program. The procedure below documents a generalized way to identify file and registry artifacts that have been left behind as a result of applications being installed

Create a new signature of a clean Windows Virtual Machine

Step 1: Create a new virtual machine using VM Workstation. Follow the on screen wizard, select typical configuration. Create a new Windows 7 installation using either Window 7 installer disc or ISO image file. Once complete, power on the virtual machine which you have just created.

Step 2: Complete the Windows Update and then turn off the Window Automatic Update function. This is an important step before we start creating a new signature otherwise windows update will continuously run in the background. Install OSForensics and then download and install the Mozilla Firefox browser. Reboot the virtual machine.

Step 3: Create a new file signature of the clean Windows virtual machine, name this file "new_file.OSFsig".

New file signature

Step 4: Add the Registry Key options and remove the directory C:. Enable the Calculate SHA1 Hashes option. Create a new Registry signature of the clean Windows Virtual Machine, name this file "new_reg.OSFsig".

File signature options

Create a signature of the Windows Virtual Machine with the Program installed

Step 5: Download the TOR program from the website http://www.torproject.org and install in the Windows Virtual Machine. Reboot the Virtual Machine again. Run TOR and make sure that FireFox is configured successfully.

Run TOR

Verify TOR is running

Step 6: Create another File signature of the Windows Virtual Machine with the program installed, name this file "install_file.OSFsig".

Step 7: Create another Registry signature of the Windows Virtual Machines with the program installed, name this file "install_reg.OSFsig". Note: You need to turn on the hash set feature.

Create a signature of Windows Virtual Machine with the Program uninstalled

Step 8: Go to Control Panel and uninstall Tor from the Virtual Machine.

Uninstall TOR

Step 9: Create another new File signature of the Windows Virtual Machines with the program uninstalled, name this file "uninstall_file.OSFsig".

Step 10: Create another new Registry signature of the Windows Virtual Machines with the program uninstalled, name this file "uninstall_reg.OSFsig". Note: You need to turn on the hash set feature.

Comparison of Signatures

Step 11: Compare the signatures of the "new_file.OSFsig"and "install_file.OSFsig" and "new_reg.OSFsig"and "install_reg.OSFsig". Look for specific program file difference and registry key differences.

Compare Signature

Step 12: Compare the signatures the "new_file.OSFsig"and "uninstall_file.OSFsig" and "new_reg.OSFsig"and "uninstall_reg.OSFsig". Look for specific program file difference and registry key differences.

In the below example, we will search for the keyword "TOR" and "Vidalia" to identify traces of the installed and previously installed TOR program in the registry

Search Registry TOR

Search Register Vidalia

Results of the keyword search "TOR" and "Vidalia" to identify traces of the installed and previously installed TOR program in the file comparison.

Compare Signature File 2

Compare Signature File 1

However be aware that if the program was run from a live CD or USB drive, which Tor does support, it will not leave traces like the examples above.

Recent Activity

Program installations can also be detected by using the recent activity fucntion in OSForensics. The event number 11707 is generated in the system event log when a program is installed, this will be displayed in the recent activity scan of OSForensics. To watch a video tutorial on using the recent activitiy functions in OSForensics see here.