Author Topic: What works best?  (Read 1666 times)

Offline Lemmy (Newbie, Posts: 1)
What works best?
« on: September 24, 2009, 02:35:36 PM »
From an anti-forensics point of view, what is the best and easiest way to thwart a forensic examination? Does software like Tracks Eraser Pro, Stegano's, etc. really work, or are there still traces that are recoverable? Also, how easy is it to crack encryption and passwords?

Offline SS (Newbie, Posts: 1)
Re: What works best?
« Reply #1 on: October 08, 2009, 02:40:28 PM »
Hello,
I just signed up for this seemingly interesting web-site. Regarding encryption and passwords: I encrypted my WinXP, which also had a few of my password-protected Excel files. Unfortunately, I had to re-install XP, and upon recovering my data it wouldn't open my protected files. After a hell of a lot of running around, I had to buy an application that restored my encryption certificates and my data, and then I was able to open my password-protected files. So much for encryption on WinXP.
But from a WinVista perspective, if BitLocker is on, I have heard that it is almost impossible to recover data.
Hope this helps.

Offline Maxxx (Administrator, Posts: 31)
Re: What works best?
« Reply #2 on: November 04, 2009, 06:12:19 AM »
Hey Lemmy.

The best way to thwart your average forensics investigation that will deal with the examination of files stored on digital media in your possession (such as a hard drive) is to use full disk encryption with a complex passphrase. You don't want to just use encrypted containers or just encrypt a partition; you want to encrypt the entire hard disk. TrueCrypt will do this by adding its own unencrypted boot loader to the disk it has encrypted. This is so that your OS can still be booted. If you need to encrypt a secondary hard drive, the simple option is to place an encrypted container on a partition that takes up as much of the drive as possible. Then wipe the free disk space on that drive. Use TrueCrypt to mount the container when you need it.

I wrote an article on modifying the TrueCrypt boot loader to get rid of the string "TrueCrypt Boot Loader" just so it's a bit harder to detect.

If you do this, there will be questions. Especially if the computer was in use recently. There may or may not be laws in your state that "require" you to give up encryption keys or passwords.

See: http://www.anti-forensics.com/modify-truecrypt-encryption-boot-loader-strings
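As an added example (not code from the thread, and not TrueCrypt's own code), here is a small Python check an examiner might run over the first sectors of a disk image: it looks for the boot loader banner string discussed above and also measures per-sector entropy, which still gives away an encrypted disk after the banner has been patched out. The sample image bytes are constructed inline for illustration.

```python
import math
import random

SECTOR = 512
TC_BANNER = b"TrueCrypt Boot Loader"  # the string the post suggests removing


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: close to 8.0 for encrypted/random data, low for code, text or zeros."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_image(image: bytes, banner: bytes = TC_BANNER, threshold: float = 7.0) -> dict:
    """Report whether the banner is present and what fraction of sectors look encrypted.

    A high ratio of near-maximum-entropy sectors is the indicator that survives
    string patching; the banner is merely the easy, low-effort signature.
    """
    sectors = [image[i:i + SECTOR] for i in range(0, len(image), SECTOR)]
    high = [i for i, s in enumerate(sectors) if shannon_entropy(s) >= threshold]
    return {
        "banner_found": banner in image,
        "banner_offset": image.find(banner),  # -1 when absent
        "sectors": len(sectors),
        "high_entropy_sectors": len(high),
        "high_entropy_ratio": len(high) / len(sectors) if sectors else 0.0,
    }


def build_sample(strip_banner: bool, seed: int = 1) -> bytes:
    """Constructed test image: one mostly-zero MBR sector, then 16 sectors of random
    bytes standing in for the encrypted volume. Not a real TrueCrypt layout."""
    rng = random.Random(seed)
    mbr = bytearray(SECTOR)
    if not strip_banner:
        mbr[64:64 + len(TC_BANNER)] = TC_BANNER
    mbr[510:512] = b"\x55\xaa"  # boot signature
    body = bytes(rng.getrandbits(8) for _ in range(SECTOR * 16))
    return bytes(mbr) + body


if __name__ == "__main__":
    for stripped in (False, True):
        print("banner stripped" if stripped else "banner present", scan_image(build_sample(stripped)))
```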