System Optimizers

Are police truthful about system optimizers? Generally, no.

WIP

From what I can see, there hasn’t been any law enforcement agency testing of tools such as CCleaner in relation to cases involving such tools. By testing, I do not refer to the presentation by investigators of when an application may be launched or used, for example. That is reading logs. I refer to sitting down and performing tests to determine how these applications each function, to what degree they function, and what specifically their capabilities are in relation to a given case. The advertisements or branding of a tool/product are just that: words, not results.

Instead, police arguments seem to rely heavily on the word of the investigator. The most common claim is that if any tool with any ability to delete anything is present, that must be proof enough of criminal activity. Or, if an investigation doesn’t affirm an officer’s allegation of criminal activity, then any usage is blamed as a, pun intended, “Cop-Out”. While it’s true that people may try to hide evidence of a crime, the police usage of these tools as an umbrella to dismiss every flawed investigation is dishonest. Refer to [[junk-sciences]].

More simply, the truth is closer to the following. While no test can encompass everything, test and find out. Generally, running a tool such as CCleaner on an active system will not magically make all the inculpatory evidence vanish. Some things will be removed, of course, but I’ve not yet read a case where evidence wasn’t still recovered. There are ways to destroy electronic data if needed. But those typically involve more than someone downloading and running a system optimizer like CCleaner, Glary, BleachBit, etc., as these are not considered adequate.
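One way to run the kind of test described above, as an added example rather than anything from a cited case or vendor: hash every file in a test tree before and after the tool runs, then report what was removed, what was altered, and what was left alone. The test tree and `stand_in_cleaner` are constructed placeholders for a real test image and the real tool under test.

```python
import hashlib
import tempfile
from pathlib import Path

def snapshot(root):
    """Map each file's path (relative to root) to the SHA-256 of its content."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def compare(before, after):
    """Classify every artifact by what happened to it between two snapshots."""
    report = {"removed": [], "modified": [], "untouched": []}
    for rel, digest in before.items():
        if rel not in after:
            report["removed"].append(rel)
        elif after[rel] != digest:
            report["modified"].append(rel)
        else:
            report["untouched"].append(rel)
    report["created"] = sorted(set(after) - set(before))
    return report

def stand_in_cleaner(root):
    """Hypothetical stand-in for the tool under test: clears Temp, zeroes one file."""
    for p in (Path(root) / "Temp").glob("*"):
        p.unlink()
    history = Path(root) / "Browser" / "History"
    history.write_bytes(b"\x00" * history.stat().st_size)

def run_demo():
    """Build a constructed test tree, run the stand-in, and report the outcome."""
    files = {"Temp/a.tmp": b"scratch", "Temp/b.tmp": b"scratch2",
             "Browser/History": b"visited pages", "Browser/Bookmarks": b"links",
             "Documents/report.txt": b"quarterly report", "Logs/app.log": b"started"}
    with tempfile.TemporaryDirectory() as root:
        for rel, data in files.items():
            path = Path(root) / rel
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        before = snapshot(root)
        stand_in_cleaner(root)
        return compare(before, snapshot(root))

if __name__ == "__main__":
    for outcome, paths in run_demo().items():
        print(f"{outcome:10} {len(paths)}  {paths}")
```

This compares live files only; whether removed content is still recoverable from unallocated space has to be checked separately on the underlying image.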

Some testing done by others (including Magnet Forensics, which sells Magnet Axiom and is used by law enforcement worldwide):

It needs to be noted somewhere that like all creations of mankind, system optimizers are imperfect at best.

Anti-Forensics in Reality

There are plenty of examples where such “anti-forensic” software has been discussed, such as CCleaner, virtual machines, encryption, and all manner of “anti-forensics,” ad nauseam. Some examples include US v. Zacherle, Court of Appeals, 9th Circuit 2017. Another is Commonwealth v. COATES. Another is U.S. v. WAGUESPACK. Another is State v. Wilkerson. Another is United States v. DILLINGHAM No. 1:17-cr-184-AJT and so on. Especially for a person with access to a paid legal research resource, it isn’t difficult to find a pattern countering what police and prosecutors proclaim. Evidence is regularly found regardless of “cleaning, wiping, deleting, hiding,” and every other adjective one wishes to insert.

Below is an example of how widespread the usage of tools such as CCleaner is. To wit, part of a court’s reply on the matter.

“TLS has regularly framed CCleaner as devilish "anti-forensic software," whose installation necessarily proves bad faith. See, e.g., TLS’s Reply in Support of Motion for Default at 1-3, Docket No. 162. If that is true, this Court is in trouble, as it has CCleaner on its own computer. Of course, TLS’s framing is incorrect. Many businesses use that tool for entirely reasonable purposes. *See generally In re Abell, No. 13-13847-TJC, 2016 WL 1556024*; Lundemo Deposition at 11-12. Defendant’s particular use of CCleaner proves their bad faith, not their mere installation of the software.”

In the above, the bad faith is due to using tools such as CCleaner after being told to preserve information.

~ See TLS Mgmt. & Mktg. Servs., LLC v. Mardis Fin. Servs., Inc.

U.S. v. Dillingham 2018 references multiple cleaning tools involved in the case and concerns the Daubert standard. It was put upon the prosecution that they had not met the standard when arguing the usage of such “anti-forensic” tools. The court touches on fallacies regarding the usage of such tools and debunks each in turn in short order. One particular mention is that despite the usage, intent, or design of the tools, it was clear the tools did not function as the government claimed as “this cleaning software appears to have had no effect on a vast amount of forensic data that was recovered.” Sound familiar? It should.

The prosecution did not provide information on specifically what the alleged “anti-forensic” software can and cannot do. The prosecution did not perform any testing of said software. The prosecution needed to provide more than a generic inference or speculative opinion that such tools are a catch-all answer to why some evidence wasn’t found. See U.S. v. Dillingham 2018. The arguments concerning what is a good enough explanation were not tackled in Dillingham, but it should be more fruitful an explanation than the bare minimum; simply saying a tool changes data or leaves behind a 0 should not be enough.

The presence of such tools or their end product cannot form the basis for an inferential leap that evidence of crime existed. The leap is simply this: because a cop opines there “should be data,” that alone should be enough to infer that evidence existed, and such evidence must therefore also be evidence of guilt. Much like in Dillingham, the court was not impressed.