PaulDotCom mailing list archives
Anti-forensic tools
From: joel.folkerts at gmail.com (Joel Folkerts)
Date: Wed, 1 Jul 2009 14:38:18 -0500
Adrian, I think you're off to an excellent start. I think it'd be worth noting that there are a ton of "privacy" tools out there (Windows Washer is the first that comes to mind) - they really should not be relied on as anti-forensics. While they do a decent job of erasing user activity in plain sight, they tend to be noisy and leave a lot of indicators of their use. I would lean towards limited use of the built-in privacy safeguards such as Chrome's incognito mode or Firefox's Private Browsing feature.

The thing that really tends to screw with my forensic exams is altering MAC times, which makes timeline analysis tricky. Check out Timestomp - http://www.metasploit.com/research/projects/antiforensics/. A lot of my exams revolve around a specific time period, and if this is altered you're relying on other methods that aren't as accessible or reliable.

Also - be careful of defrag / file slack. While this was a major issue in FAT-based file systems, it's not as applicable to NTFS due to the different methods of allocating disk space.

Good luck!

-Joel
"The path to hell is paved with good intentions."

On Wed, Jul 1, 2009 at 10:53 AM, Jody & Jennifer McCluggage <j2mccluggage at adelphia.net> wrote:

Hello,

In the same vein as CCleaner, there was a really nice free tool out there called "IE Privacy Keeper" (it also worked with Firefox despite the title) that could be configured to securely and automatically clear common browser residue such as index.dat, cookies, browsing history, etc. It could also be configured to clean other Windows system files on shutdown such as temporary files, run history, clipboard, recycle bin, Office document history, etc. You could even set it up to delete directories and registry keys of your choice. Unfortunately this tool has not been updated for a while (last update was 2005) but it still appears to work with the newer browser versions and Windows OSs. I don't know how it would hold up against a professional forensic analysis, but it was useful if sharing a computer with multiple persons and you wanted to prevent them from snooping.

Also on the encryption side, you might want to mention the option of using BitLocker for full volume encryption for supported Vista and 7 systems (Ultimate and Enterprise) and Encrypting File System (EFS) for individual directory and file encryption. Of course when dealing with any encryption, good key management needs to be emphasized (such as backing up BitLocker keys to Active Directory and using an EFS recovery agent in a domain setting, or backing up the EFS key if not part of a domain).

Jody

------------------------------
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Adrian Crenshaw
Sent: Tuesday, June 30, 2009 9:14 PM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] Anti-forensic tools

Hi all,

I'm planning another class for the local ISSA (and hope to get some Infragard and OWASP folks there). The topic this time is Anti-forensics. I plan to cover a few categories of tools:

0. Show simple tools to see what's been going on
 - Places files are stored
 - Effect of hibernate and page file
 - Defrag issues (I assume this can leave remnants behind in slack space of files that defrag moved, so if a defrag happened just before you wipe a file you may not really get all of the data)
 - File carving with PhotoRec http://www.cgsecurity.org/wiki/PhotoRec

1. Selective track covering tools
 - CCleaner http://www.ccleaner.com/
 - CleanAfterMe http://nirsoft.net/utils/clean_after_me.html

2. Delete f***ing everything!!! / Nuke it from orbit, it's the only way to be sure
 - Secure Erase http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml (Scott Moulton told me this uses built-in ATA commands to wipe even bad sectors)
 - DBAN http://www.dban.org/

3. Encryption
 - TrueCrypt

4. System configs / don't leave tracks in the first place
 - Wipe swap file on shutdown
 - Browsers and incognito mode
 - Portable apps / VMs from encrypted volumes (does anyone know how much of the host OS's swap is used by VMware and the like?)

Any more ideas? Any better "Selective track covering tools" than the ones I mentioned in section 1?

Thanks,
Adrian

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
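Joel's point about altered MAC times, illustrated with an added example that is not from this thread: a Python check over constructed MFT-style records (the record layout, paths and timestamp values are all assumed here, not real evidence) applying two widely used timestomping heuristics, $STANDARD_INFORMATION times that predate the $FILE_NAME creation time, and timestamps whose 100 ns fraction is exactly zero.

```python
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # FILETIME counts 100 ns intervals

def to_filetime(dt: datetime) -> int:
    """Convert an aware datetime to a Windows FILETIME tick count."""
    return int((dt - EPOCH) // timedelta(microseconds=1)) * 10

def _dt(*ymdhms, micro=0):
    return datetime(*ymdhms, micro, tzinfo=timezone.utc)

def timestomp_indicators(rec: dict) -> list:
    """Return the names of anomalies found in one MFT-style record."""
    found = []
    si, fn_created = rec["si"], rec["fn_created"]
    # 1. $FILE_NAME times are written only by the kernel (create/rename/move),
    #    while SetFileTime-style tools rewrite $STANDARD_INFORMATION.
    #    An $SI time older than the $FN creation time is therefore suspicious.
    if any(t < fn_created for t in si.values()):
        found.append("si_before_fn")
    # 2. A time supplied with second granularity leaves the 100 ns fraction
    #    at exactly zero; native NTFS writes almost never do. (Coarse copies
    #    from FAT or archives can also trigger this, so treat it as a lead.)
    if any(t % TICKS_PER_SECOND == 0 for t in si.values()):
        found.append("zero_subsecond")
    return found

def scan(records):
    """Map each path to the list of indicators raised for it."""
    return {r["path"]: timestomp_indicators(r) for r in records}

# Constructed sample records (hypothetical paths and times).
SAMPLE_RECORDS = [
    {   # untouched file: $SI and $FN agree and carry a sub-second fraction
        "path": r"C:\Users\alice\notes.txt",
        "si": {"created": to_filetime(_dt(2009, 6, 30, 21, 14, 7, micro=123456)),
               "modified": to_filetime(_dt(2009, 6, 30, 21, 20, 1, micro=654321))},
        "fn_created": to_filetime(_dt(2009, 6, 30, 21, 14, 7, micro=123456)),
    },
    {   # backdated file: $SI set to a whole second in 2005, $FN still 2009
        "path": r"C:\Users\alice\secret.doc",
        "si": {"created": to_filetime(_dt(2005, 1, 1, 0, 0, 0)),
               "modified": to_filetime(_dt(2005, 1, 1, 0, 0, 0))},
        "fn_created": to_filetime(_dt(2009, 7, 1, 14, 38, 18, micro=555555)),
    },
]

if __name__ == "__main__":
    for path, hits in scan(SAMPLE_RECORDS).items():
        print(path, "->", hits or "clean")
```

On a real image the same two checks run over the $SI/$FN pairs exported from the MFT by a parser, and any hit is a prompt to corroborate the period with other sources (USN journal, $LogFile, prefetch) rather than a verdict on its own.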