PaulDotCom mailing list archives
Anti-forensic tools
From: j2mccluggage at adelphia.net (Jody & Jennifer McCluggage)
Date: Wed, 1 Jul 2009 11:53:40 -0400
Hello, In the same vein as CCCleaner, there was a really nice free tool out there called "IE Privacy Keeper" (it also worked with Firefox despite the title) that could be configured to securely and automatically clear common browser residue such as index.dat, cookies, browsing history, etc. It could also be configured to clean other Windows system files on shut down such as temporary files, run history, clipboard, recycle bin, Office document history, etc. You could even set it up to delete directories and registry keys of your choice. Unfortunately this tool has not been updated for awhile (last update was 2005) but it still appears to work with the newer browser versions and Windows OSs. I don't know how it would hold up against a professional forensic analysis, but it was useful if sharing a computer with multiple persons and you wanted to prevent them from snooping. Also on the encryption side, you might want to mention the option of using Bitlocker for full volume encryption for supported Vista and 7 systems (Ultimate and Enterprise) and Encrypted File System (EFS) for individual directory and file encryption. Of course when dealing with any encryption, good key management needs to be emphasized (such as backing up BitLocker keys to Active Directory and using an EFS recovery agent in a domain setting - or backing up the EFS key if not part of a Domain). Jody _____ From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Adrian Crenshaw Sent: Tuesday, June 30, 2009 9:14 PM To: PaulDotCom Security Weekly Mailing List Subject: [Pauldotcom] Anti-forensic tools Hi all, I'm planing another class for the local ISSA (and hope to get some Infragard and OWASP folks there). The topic this time is Anti-forensics. I plan to cover a few categories of tools: 0. Show simple tools to see what's been going on Places files are stored effect of hibernate and page file defrag issues (I assume this can leave remnants behind in slack space of files that defrag moved, so if ta defrag happened just before you wipe a file you may not really get all of the data) Filecarving with Photorec http://www.cgsecurity.org/wiki/PhotoRec 1. Selective track covering tools CCleaner http://www.ccleaner.com/ CleanAfterMe http://nirsoft.net/utils/clean_after_me.html 2. Delete f***ing everything!!!/Nuke it from orbit, it's the only way to be sure Secure Erase http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml (Scott Moulton told me this uses built in ATA commands to wipe even bad sectors) DBAN http://www.dban.org/ 3. Encryption Truecrypt 4. System configs/don't leave traks in the first place Wipe swap file on shutdown Browsers and incognito mode Portable apps/VMs from encrypted volumes (does anyone know how much of the Host OS's swap is used by VMWare and the like?) Any more ideas? Any better "Selective track covering tools" then the ones I mentioned in section 1? Thanks, Adrian Checked by AVG - www.avg.com Version: 8.5.375 / Virus Database: 270.13.1/2212 - Release Date: 07/01/09 05:53:00 -------------- next part -------------- An HTML attachment was scrubbed... URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090701/e9efde2b/attachment.htm
Current thread:
- Anti-forensic tools Xander Solis (Jul 01)
- <Possible follow-ups>
- Anti-forensic tools Ali Emirlioglu (Jul 01)
- Anti-forensic tools iamnowonmai (Jul 01)
- Anti-forensic tools d4ncingd4n at gmail.com (Jul 01)
- Anti-forensic tools Adrian Crenshaw (Jul 01)
- Anti-forensic tools iamnowonmai (Jul 01)
- Anti-forensic tools Chris Merkel (Jul 01)
- Anti-forensic tools Jim Halfpenny (Jul 01)
- Anti-forensic tools Jody & Jennifer McCluggage (Jul 01)
- Anti-forensic tools Joel Folkerts (Jul 01)
- Anti-forensic tools Adrian Crenshaw (Jul 01)
- Anti-forensic tools Joel Folkerts (Jul 01)
- Anti-forensic tools Mad Marv (Jul 01)
- Anti-forensic tools Cody Ray (Jul 01)
- Anti-forensic tools Chris Merkel (Jul 01)
- Anti-forensic tools Adrian Crenshaw (Jul 02)
- Anti-forensic tools Dimitrios Kapsalis (Jul 02)
- Anti-forensic tools Adrian Crenshaw (Jul 02)
- Anti-forensic tools Joshua Wright (Jul 02)
- Anti-forensic tools Adrian Crenshaw (Jul 02)
- Anti-forensic tools Adrian Crenshaw (Jul 02)