PaulDotCom mailing list archives

Anti-forensic tools


From: j2mccluggage at adelphia.net (Jody & Jennifer McCluggage)
Date: Wed, 1 Jul 2009 11:53:40 -0400

Hello,
In the same vein as CCleaner, there was a really nice free tool out there
called "IE Privacy Keeper" (it also worked with Firefox despite the title)
that could be configured to securely and automatically clear common browser
residue such as index.dat, cookies, browsing history, etc. It could also be
configured to clean other Windows system files on shutdown, such as
temporary files, run history, clipboard, recycle bin, Office document
history, etc. You could even set it up to delete directories and registry
keys of your choice. Unfortunately this tool has not been updated for
a while (last update was 2005), but it still appears to work with the newer
browser versions and Windows OSs. I don't know how it would hold up
against a professional forensic analysis, but it was useful if sharing a
computer with multiple persons and you wanted to prevent them from snooping.
Also, on the encryption side, you might want to mention the option of using
BitLocker for full volume encryption on supported Vista and 7 systems
(Ultimate and Enterprise) and Encrypted File System (EFS) for individual
directory and file encryption. Of course, when dealing with any encryption,
good key management needs to be emphasized (such as backing up BitLocker
keys to Active Directory and using an EFS recovery agent in a domain setting,
or backing up the EFS key if not part of a domain).
Jody

  _____  

From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Adrian Crenshaw
Sent: Tuesday, June 30, 2009 9:14 PM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] Anti-forensic tools
Hi all,
     I'm planning another class for the local ISSA (and hope to get some
Infragard and OWASP folks there). The topic this time is anti-forensics. I
plan to cover a few categories of tools:

0. Show simple tools to see what's been going on
Places files are stored
Effect of hibernate and page file
Defrag issues (I assume this can leave remnants behind in slack space of
files that defrag moved, so if a defrag happened just before you wipe a
file you may not really get all of the data)
File carving with PhotoRec http://www.cgsecurity.org/wiki/PhotoRec

1. Selective track covering tools
CCleaner  http://www.ccleaner.com/
CleanAfterMe http://nirsoft.net/utils/clean_after_me.html

2. Delete f***ing everything!!!/Nuke it from orbit, it's the only way to be
sure
Secure Erase http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml (Scott
Moulton told me this uses built in ATA commands to wipe even bad sectors)
DBAN http://www.dban.org/

3. Encryption
TrueCrypt

4. System configs/don't leave tracks in the first place
Wipe swap file on shutdown
Browsers and incognito mode
Portable apps/VMs from encrypted volumes (does anyone know how much of the
Host OS's swap is used by VMWare and the like?)


Any more ideas? Any better "selective track covering tools" than the ones I
mentioned in section 1?

Thanks,
Adrian
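The recoverability points in Adrian's category 0 (a deleted file's bytes stay on disk, a defragmenter can leave an unwiped copy behind, and a carver finds either by signature rather than through the file system), worked through as an added example. This is not code from the thread, from PhotoRec or from any tool named above: it is a toy block device written for this page, and the block size, the allocation policy (freed blocks are reused first), the JPEG/PNG signatures and the dummy "JPEG" body are all assumptions of the demo. Real file systems and defragmenters differ in the details, but the four scenarios show why a plain delete is carveable, why a wipe of a freshly written file is not, why a wipe after a defrag-style move can miss the old copy, and how file contents survive as slack after a smaller file overwrites the start of the block.

```python
BLOCK = 512

# Header/trailer pairs a signature carver matches. It never consults the
# allocation table, so live, deleted and relocated copies all look the same.
SIGNATURES = [
    ("jpeg", b"\xff\xd8\xff", b"\xff\xd9"),
    ("png", b"\x89PNG\r\n\x1a\n", b"IEND\xae\x42\x60\x82"),
]

# Constructed "JPEG": real SOI/APP0 marker bytes, an ASCII dummy body
# (no 0xFF bytes, so it cannot fake a trailer), then the EOI marker.
PHOTO = b"\xff\xd8\xff\xe0" + b"demo-photo-body/" * 40 + b"\xff\xd9"


class ToyDisk:
    """Raw image plus a directory of name -> (block list, size): just enough
    to show which operations actually touch the data blocks."""

    def __init__(self, blocks=64):
        self.image = bytearray(BLOCK * blocks)
        self.free = list(range(blocks))   # allocation order: front of list first
        self.files = {}

    def write(self, name, data):
        n = max(1, -(-len(data) // BLOCK))            # ceil(len / BLOCK)
        blocks = [self.free.pop(0) for _ in range(n)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK:(i + 1) * BLOCK]
            # Only len(chunk) bytes are written; the rest of the last block
            # (file slack) keeps whatever was there before.
            self.image[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.files[name] = (blocks, len(data))

    def read(self, name):
        blocks, size = self.files[name]
        raw = b"".join(bytes(self.image[b * BLOCK:(b + 1) * BLOCK]) for b in blocks)
        return raw[:size]

    def delete(self, name):
        # Ordinary delete: drop the entry and hand the blocks back (to be
        # reused first). Not one data byte is changed.
        blocks, _ = self.files.pop(name)
        self.free[:0] = blocks

    def wipe(self, name):
        # Secure delete: overwrite the blocks the file occupies *right now*,
        # then delete. One pass of zeros is enough for the demo.
        for b in self.files[name][0]:
            self.image[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK)
        self.delete(name)

    def defrag_move(self, name):
        # Defragmenter-style relocation as assumed in the demo: copy to fresh
        # blocks, then free the old ones without overwriting them.
        data = self.read(name)
        old_blocks, _ = self.files.pop(name)
        self.write(name, data)            # old blocks are not in the free list
        self.free[:0] = old_blocks        # yet, so fresh ones are allocated


def carve(image):
    """Return [(kind, offset, data)] for every header..trailer pair in the raw
    image, in offset order, in the spirit of PhotoRec's signature carving."""
    found = []
    for kind, head, tail in SIGNATURES:
        pos = 0
        while (h := image.find(head, pos)) != -1:
            t = image.find(tail, h + len(head))
            if t == -1:
                break
            found.append((kind, h, bytes(image[h:t + len(tail)])))
            pos = t + len(tail)
    return sorted(found, key=lambda f: f[1])


def scenarios():
    """Run the four cases and return what a carver (or a string search)
    recovers in each."""
    results = {}

    d = ToyDisk()                                   # 1. plain delete
    d.write("photo.jpg", PHOTO)
    d.delete("photo.jpg")
    results["plain_delete"] = [c[2] for c in carve(d.image) if c[0] == "jpeg"]

    d = ToyDisk()                                   # 2. wipe right after writing
    d.write("photo.jpg", PHOTO)
    d.wipe("photo.jpg")
    results["wipe"] = [c[2] for c in carve(d.image) if c[0] == "jpeg"]

    d = ToyDisk()                                   # 3. defrag moved it, then wipe
    d.write("photo.jpg", PHOTO)
    d.defrag_move("photo.jpg")
    d.wipe("photo.jpg")                             # zeros only the new location
    results["defrag_then_wipe"] = [c[2] for c in carve(d.image) if c[0] == "jpeg"]

    d = ToyDisk()                                   # 4. delete, then a small file
    d.write("photo.jpg", PHOTO)                     #    reuses the first block
    d.delete("photo.jpg")
    d.write("notes.txt", b"meeting notes, nothing to see")   # 29 bytes
    # Header is gone, so carving fails, but most of the body survives as slack
    # and in the untouched second block; a string search still finds it.
    results["overwritten_slack"] = bytes(d.image).count(b"demo-photo-body/")
    return results


if __name__ == "__main__":
    for case, hit in scenarios().items():
        print(f"{case:18s} -> {hit if isinstance(hit, int) else len(hit)} recovered")
```

Scenario 3 is the one Adrian asks about: the wipe did everything it promised, but only for the blocks the file occupied at that moment, which is why "wipe the file" and "wipe free space" are separate jobs in tools like CCleaner and why a full-disk wipe (DBAN, ATA Secure Erase) or full-volume encryption from the start is the only way to be sure.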