Home page logo

pauldotcom logo PaulDotCom mailing list archives

Anti-forensic tools
From: irongeek at irongeek.com (Adrian Crenshaw)
Date: Tue, 30 Jun 2009 21:14:23 -0400

Hi all,
     I'm planing another class for the local ISSA (and hope to get some
Infragard and OWASP folks there). The topic this time is Anti-forensics. I
plan to cover a few categories of tools:

0. Show simple tools to see what's been going on
Places files are stored
effect of hibernate and page file
defrag issues (I assume this can leave remnants behind in slack space of
files that defrag moved, so if ta defrag happened just before you wipe a
file you may not really get all of the data)
Filecarving with Photorec http://www.cgsecurity.org/wiki/PhotoRec

1. Selective track covering tools
CCleaner  http://www.ccleaner.com/
CleanAfterMe http://nirsoft.net/utils/clean_after_me.html

2. Delete f***ing everything!!!/Nuke it from orbit, it's the only way to be
Secure Erase http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml (Scott
Moulton told me this uses built in ATA commands to wipe even bad sectors)
DBAN http://www.dban.org/

3. Encryption

4. System configs/don't leave traks in the first place
Wipe swap file on shutdown
Browsers and incognito mode
Portable apps/VMs from encrypted volumes (does anyone know how much of the
Host OS's swap is used by VMWare and the like?)

Any more ideas? Any better "Selective track covering tools" then the ones I
mentioned in section 1?

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20090630/16c9bf6f/attachment.htm 

  By Date           By Thread  

Current thread:
  • Anti-forensic tools Adrian Crenshaw (Jul 01)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]