PaulDotCom mailing list archives

Anti-forensic tools

From: irongeek at irongeek.com (Adrian Crenshaw)
Date: Wed, 1 Jul 2009 16:48:42 -0400

Thanks. So, am I right in assuming if the following scenario happens, some
remnant data will be left in free space?:

1. File is written to the drive.
2. Defrag happens, moves parts of the file around.
3. File is wiped with all zeros.
4. A data carving tool can still get the data from where it was before the
defrag.

I'm also wondering, if I use a VM ran from an encrypted volume, how much
stuff might show up in the page file/swap space.

Thanks,
Adrian
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090701/2546d7cc/attachment.htm

Current thread:

Anti-forensic tools Xander Solis (Jul 01)
- <Possible follow-ups>
- Anti-forensic tools Ali Emirlioglu (Jul 01)
  - Anti-forensic tools iamnowonmai (Jul 01)
    - Anti-forensic tools d4ncingd4n at gmail.com (Jul 01)
    - Anti-forensic tools Adrian Crenshaw (Jul 01)
- Anti-forensic tools Chris Merkel (Jul 01)
- Anti-forensic tools Jim Halfpenny (Jul 01)
- Anti-forensic tools Jody & Jennifer McCluggage (Jul 01)
  - Anti-forensic tools Joel Folkerts (Jul 01)
    - Anti-forensic tools Adrian Crenshaw (Jul 01)
- Anti-forensic tools Mad Marv (Jul 01)
- Anti-forensic tools Cody Ray (Jul 01)
- Anti-forensic tools Chris Merkel (Jul 01)
  - Anti-forensic tools Adrian Crenshaw (Jul 02)
    - Anti-forensic tools Dimitrios Kapsalis (Jul 02)
    - Anti-forensic tools Adrian Crenshaw (Jul 02)
    - Anti-forensic tools Joshua Wright (Jul 02)
    - Anti-forensic tools Adrian Crenshaw (Jul 02)
    - Anti-forensic tools Jim Halfpenny (Jul 02)
    - Anti-forensic tools Grymoire (Jul 02)

(Thread continues...)