[Pauldotcom] Anti-forensic tools
Mad Marv
marv at madmarvonline.com
Wed Jul 1 20:31:02 UTC 2009
re: #2. I've been using Eraser (http://www.heidi.ie/node/6) for wiping
external hard drives via USB. It will also selectively overwrite files
/ folders / free disk space. I used to schedule Eraser to wipe unused
disk space but that is just a hassle. Truecrypt full disk encryption is
much more convenient.
Marv
Adrian Crenshaw wrote:
> Hi all,
> I'm planning another class for the local ISSA (and hope to get some
> Infragard and OWASP folks there). The topic this time is Anti-forensics.
> I plan to cover a few categories of tools:
>
> 0. Show simple tools to see what's been going on
> Places files are stored
> effect of hibernate and page file
> defrag issues (I assume this can leave remnants behind in slack space of
> files that defrag moved, so if a defrag happened just before you wipe a
> file you may not really get all of the data)
> Filecarving with Photorec http://www.cgsecurity.org/wiki/PhotoRec
>
> 1. Selective track covering tools
> CCleaner http://www.ccleaner.com/
> CleanAfterMe http://nirsoft.net/utils/clean_after_me.html
>
> 2. Delete f***ing everything!!!/Nuke it from orbit, it's the only way to
> be sure
> Secure Erase http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml (Scott
> Moulton told me this uses built in ATA commands to wipe even bad sectors)
> DBAN http://www.dban.org/
>
> 3. Encryption
> Truecrypt
>
> 4. System configs/don't leave tracks in the first place
> Wipe swap file on shutdown
> Browsers and incognito mode
> Portable apps/VMs from encrypted volumes (does anyone know how much of
> the Host OS's swap is used by VMWare and the like?)
>
>
> Any more ideas? Any better "Selective track covering tools" than the
> ones I mentioned in section 1?
>
> Thanks,
> Adrian