Anti-Forensics

Most of the security practices we’ve previously will not protect you if your computer is fully unlocked and running at the time of attack. So the next thing we need to cover is anti-forensics.

Even if the majority of your files are protected in some way, an attacker with access to your computer can still gather a lot of information about you.

By looking at file creation, modification, and read times, they can get a good idea of how long it’s been running the current OS, and a list of times where you’ve been on the computer.
Logs from things like antivirus will reveal names of files and directories, even if you’ve since moved them.
Firewall logs can list websites you’ve visited or interacted with.
Uninstalled programs may still leave behind files and configuration on your computer, especially I places such as %appdata%.

The list goes on an on. Locations you’ve been to, devices you’ve plugged in, all sorts of information. My point is, you need to take care of this. The sooner the better.

So let’s get right to work. There are two things ways to do this. Preferably, we need to stop our system from recording things in the first place. If it’s never saved then there is nothing to recover. Unfortunately, sometimes that isn’t an option. Sure you can have your web browser delete everything when you close it, but even then it does touch your hard-drive. Therefore, the second option is securely erasing whatever files do manage to be saved. These aren’t really in any particular order, just follow as many as you can.

You need to disable hibernation. If someone gets a hold of the hibernation file, they can see all of the running processes inside. The easiest way to disable this is to open command prompt (as admin) and run this command. Powercfg/h off If you are on a laptop or have a WiFi adapter, make sure to “Forget” known networks, as they can be used to build a profile of places you’ve visited. An attacker does not need physical access to your device to see this information either. More on that in the upcoming WiFi article. The command for this is:

netsh wlan show profiles
netsh wlan delete profile name=* i=*

It's also a good idea to turn off WiFi scanning if you're not actively using it. You can be tracked via MAC address by leaving it on. Linux users can use macchanger to spoof their address, but windows users are out of luck. some mobile phones automatically change addresses, but not very effectively.

Next you will definitely want a tool called CCleaner. It a windows equivalent of Bleachbit. In the settings, make sure you have it set to secure deletion, then check as many of the items you feel comfortable with. This will take care of a lot of items. Things left over from your browser history and cache, windows error reports, recently opened files, etc. This tool is definitely on the must-have list. You can set it to run automatically at boot, or set it to run automatically with the paid version. It also has a tool to wipe the free space of a hard drive. If you find yourself using the secure erase feature often, you should also look at Eraser. It provides a shell extension to make things easier.

The next thing to consider is your time-stamps. Right click a file and view its properties. If you look towards the bottom you will see its MACE values. These are the time-stamps of when the file was last Modified, Accessed, Changed, and Entered into the file table. Using this information it could be proven that you had knowledge of something, or were using something at a certain time. To remove these values, you can use a tool such as Timestomp. or SetMACE.

This article is my 6th oldest. It is 644 words long, and it’s got 0 comments for now.