Anti-forensic tools

[joel.folkerts at gmail.com (Joel Folkerts)]

Adrian,

 I think you're off to an excellent start - I think it'd worth noting that
there are a ton of "privacy" tools out there (Windows Washer is the first
that comes to mind) - they really should not be relied on as anti-forensics.
While they do a decent job of erasing user activity in plain site, they tend
to be noisy and leave a lot of indicators of their use. I would lean towards
limited use of the built-in privacy safeguards such as Chrome's icognito's
ability or FireFox's Private Browsing features.

 The thing that really tends to screw with my forensic exams is altering MAC
times that makes timeline analysis tricky check out Time Stomp - out
http://www.metasploit.com/research/projects/antiforensics/. A lot of my
exams revolve around a specific time period and if this is altered, you're
relying on other methods that aren't as accessible or reliable. Also - be
careful of defrag / file slack. While this was a major issue in FAT-based
file systems, it's not as applicable to NTFS due to the different methods of
allocating disk space. Good luck!

-Joel


"The path to hell is paved with good intentions."


On Wed, Jul 1, 2009 at 10:53 AM, Jody & Jennifer McCluggage <
j2mccluggage at adelphia.net> wrote:

>  Hello,
>
>
>
> In the same vein as CCCleaner, there was a really nice free tool out there
> called ?IE Privacy Keeper? (it also worked with Firefox despite the title)
> that could be configured to securely and automatically clear common browser
> residue such as index.dat, cookies, browsing history, etc.  It could also be
> configured to clean other Windows system files on shut down such as
> temporary files, run history, clipboard, recycle bin, Office document
> history, etc.  You could even set it up to delete directories and registry
> keys of your choice.  Unfortunately this tool has not been updated for
> awhile (last update was 2005) but it still appears to work with the newer
> browser versions and Windows OSs.   I don?t know how it would hold up
> against a professional forensic analysis, but it was useful if sharing a
> computer with multiple persons and you wanted to prevent them from snooping.
>
>
>
> Also on the encryption side, you might want to mention the option of using
> Bitlocker for full volume encryption for supported Vista and 7 systems
> (Ultimate and Enterprise) and Encrypted File System (EFS) for individual
> directory and file encryption.  Of course when dealing with any encryption,
> good key management needs to be emphasized (such as backing up BitLocker
> keys to Active Directory and using an EFS recovery agent in a domain setting
> ? or backing up the EFS key if not part of a Domain).
>
>
>
>
>
> Jody
>  ------------------------------
>
> *From:* pauldotcom-bounces at mail.pauldotcom.com [mailto:
> pauldotcom-bounces at mail.pauldotcom.com] *On Behalf Of *Adrian Crenshaw
> *Sent:* Tuesday, June 30, 2009 9:14 PM
> *To:* PaulDotCom Security Weekly Mailing List
> *Subject:* [Pauldotcom] Anti-forensic tools
>
>
>
> Hi all,
>      I'm planing another class for the local ISSA (and hope to get some
> Infragard and OWASP folks there). The topic this time is Anti-forensics. I
> plan to cover a few categories of tools:
>
> 0. Show simple tools to see what's been going on
> Places files are stored
> effect of hibernate and page file
> defrag issues (I assume this can leave remnants behind in slack space of
> files that defrag moved, so if ta defrag happened just before you wipe a
> file you may not really get all of the data)
> Filecarving with Photorec http://www.cgsecurity.org/wiki/PhotoRec
>
> 1. Selective track covering tools
> CCleaner  http://www.ccleaner.com/
> CleanAfterMe http://nirsoft.net/utils/clean_after_me.html
>
> 2. Delete f***ing everything!!!/Nuke it from orbit, it's the only way to be
> sure
> Secure Erase http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml (Scott
> Moulton told me this uses built in ATA commands to wipe even bad sectors)
> DBAN http://www.dban.org/
>
> 3. Encryption
>  Truecrypt
>
> 4. System configs/don't leave traks in the first place
> Wipe swap file on shutdown
> Browsers and incognito mode
> Portable apps/VMs from encrypted volumes (does anyone know how much of the
> Host OS's swap is used by VMWare and the like?)
>
>
> Any more ideas? Any better "Selective track covering tools" then the ones I
> mentioned in section 1?
>
> Thanks,
> Adrian
>
> Checked by AVG - www.avg.com
> Version: 8.5.375 / Virus Database: 270.13.1/2212 - Release Date: 07/01/09
> 05:53:00
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom at mail.pauldotcom.com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090701/90261a6c/attachment.htm