Recent Posts

1
Computer Forensics and Anti-Forensics / [Ubuntu] A Few Good Programs
« Last post by KenTheFurry on September 03, 2010, 02:08:20 AM »
The attached pdf is pretty much just a list of a few awesome programs and what they do.

Also, another thing I would like to get across is that the thumbnails you see of pictures in your file browser are stored in a file in your home directory...
~/.thumbnails

If you just delete them normally, they will be on your hard drive, easily viewable by anyone.
Don't believe me?
Check it out for yourself: in your home folder press Ctrl+H, go into the .thumbnails folder and check it out for yourself.
2
Computer Forensics and Anti-Forensics / [Ubuntu] Threats From Logs and Temp Files
« Last post by KenTheFurry on September 02, 2010, 03:33:21 PM »
This is a quick little tutorial I did for dealing with log files and temp files.
If you follow this you will create a 10G file that will act as an encrypted filesystem which on every boot will use a random key, so on shutdown all files in the filesystem will be almost unrecoverable (see attacks on RAM).

The encrypted fs will be mounted at /tmp...
Then we will bind /var/log and /var/tmp to /tmp, so any files meant to be written to /var/log or /var/tmp will be added into /tmp, which is a 10G encrypted filesystem.
4
Guides and Tutorials / Re: [Ubuntu] Encrypting Data In Place - Flash Drive
« Last post by Yar on September 01, 2010, 02:47:28 AM »
Lol, I love this part from your tutorial because it is entirely true:

Quote
"So a forensics person takes your flash drive and puts it into their Computer (more than likely Windows lol) and uses a program to look for strings or deleted files"

The "court approved" software suites, mainly EnCase and FTK, are Windows-based and the most popular. So there will always be that limitation to what you can use to conduct your exam if you're going to court.

I have to say I see a greater degree of examiners in the Federal Government using FTK, such as the FBI and DoD. The IRS mainly uses ILook, which is a Mac-based product. I've not used it, but being a Mac-based product I'm assuming it is the ultimate in point-and-click, automatic forensics. I could be wrong though.
5
I don't think there is any one and quick solution like deleting the USBSTOR values for USB. What I would do is this:

  • Open regedit.exe (Start Menu -> Run -> Type in "regedit" and hit enter)
  • Next, open device manager and expand "Disk Drives" (Right click my computer -> Manage -> Device Manager)
  • With regedit, perform a search for the model number of the drive you're looking for. (get the model number from device manager)

There may be multiple references throughout the registry but many will likely be under the ControlSet keys like with USBSTOR. The disk may also be referenced by a different string other than the model number as well.

More often than not an investigation will reveal that data was being accessed from other media/partitions by reviewing Windows link files with the .lnk extension. Find these by running a search on your OS drive for "*.lnk"; the OS will create them under the "Recent" folder for each user account.

Remember, tampering with data like this can sometimes be Obstruction of Justice if you are going to be involved in any legal matters concerning your computer.
6
I have Windows XP SP3.

I have a separate HDD which I plug into the mother board occasionally.
How do I fix the registry to remove any evidence that I have such a HDD?

For thumb drives, I can remove evidence of their use by deleting the following...
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR

Can someone tell me which registry entry I can delete to remove evidence of this HDD?
(It's a Seagate 150GB).

Desperate.
Tom

7
Computer Forensics and Anti-Forensics / [Ubuntu] Encrypt a Flash Drive
« Last post by KenTheFurry on August 26, 2010, 09:40:22 PM »
This is my tutorial for encrypting a flash drive so it does not have any known weaknesses and to go around the defaults.

YouTube: http://www.youtube.com/watch?v=T3VjcdbjMT8
8
Computer Forensics and Anti-Forensics / Re: [Ubuntu] Encrypting Downloads
« Last post by KenTheFurry on August 26, 2010, 04:20:54 AM »
Here is a Video to go with this tutorial...
http://www.youtube.com/watch?v=onblmOLRHHY
10
Computer Forensics and Anti-Forensics / [Ubuntu] Encrypting Downloads
« Last post by KenTheFurry on August 26, 2010, 03:31:57 AM »
This is a little tutorial for people who like to download files but do not want someone going through their HD to find pictures they downloaded or maybe videos.

All this tutorial does is show you how to create a large data file, set it up with a loop device, encrypt that loop device with a random key, then give it a file system.
The key is retrieved from /dev/urandom, so when the computer is turned off the data stored will be lost.
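The procedure this post describes, and the /tmp plus /var/log variant from the "Threats From Logs and Temp Files" post above, written out as one script; this is an added example, not the poster's own code. It assumes root, cryptsetup and mkfs.ext4 are available, and the backing-file path, mapper name and DRY_RUN switch are my own choices, not values from the posts.

```shell
#!/bin/sh
# Added example (not from the original posts): loop-backed dm-crypt volume
# keyed from /dev/urandom, mounted on /tmp, with /var/log and /var/tmp bound
# into it. Assumes root, cryptsetup and mkfs.ext4; DRY_RUN=1 only prints the
# commands. IMAGE, SIZE_MB and MAPPER are assumed names, not from the posts.
set -eu

IMAGE="${IMAGE:-/var/crypt-tmp.img}"
SIZE_MB="${SIZE_MB:-10240}"        # 10 GiB, as in the post
MAPPER="${MAPPER:-crypttmp}"
MOUNTPOINT="${MOUNTPOINT:-/tmp}"

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then echo "$*"; else "$@"; fi
}
# Sparse backing file, created once; blocks are allocated as data is written.
create_image() {
    [ -f "$IMAGE" ] && return 0
    run dd if=/dev/zero of="$IMAGE" bs=1M count=0 seek="$SIZE_MB"
    run chmod 600 "$IMAGE"
}

# Plain dm-crypt (no LUKS header) with a key read from /dev/urandom: nothing
# on disk can reproduce the key, so the contents are unrecoverable after the
# mapping is closed. cryptsetup attaches the loop device to the file itself.
open_volume() {
    run cryptsetup open --type plain --cipher aes-xts-plain64 --key-size 512 \
        --key-file /dev/urandom "$IMAGE" "$MAPPER"
}

# A fresh filesystem every boot; the previous one is unreadable anyway.
make_and_mount() {
    run mkfs.ext4 -q "/dev/mapper/$MAPPER"
    run mount "/dev/mapper/$MAPPER" "$MOUNTPOINT"
    run chmod 1777 "$MOUNTPOINT"
}

# Bind /var/log and /var/tmp to directories inside the encrypted mount.
bind_dirs() {
    for d in /var/log /var/tmp; do
        sub="$MOUNTPOINT/$(basename "$d")"
        run mkdir -p "$sub"
        run mount --bind "$sub" "$d"
    done
}

setup_encrypted_tmp() {
    create_image; open_volume; make_and_mount; bind_dirs
}
```

Run it from an init script before logging services start: anything that already has a file open under /var/log keeps writing to the hidden original directory until it is restarted, and the logs themselves disappear with the key at shutdown.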