By Max on March 26, 2009
Parts of the agreement (ACTA, Anti-Counterfeiting Trade Agreement) will allow border agents and officials in airports to seize your digital equipment such as laptops, mp3 players and phones to search for copyright-protected material. People who are found to be in violation can have their equipment seized and destroyed, as well as face a fine.
Posted in Privacy | Tagged ACTA, Anti-Counterfeiting Trade Agreement, Encryption, obama, Privacy, TrueCrypt
By Max on March 24, 2009
If you conduct online business under an alias such as “Mr. Green” or “Zero Cool” then using wireless networks that do not belong to you and have no connection to you is a great way to cover your tracks. You might just be a small-time spammer trying to pay your rent. You could be a hacktivist preparing to deface a website. You could be many things and have numerous goals but the anonymity provided by using wireless networks that do not belong to you and have no connection to you is golden.
Posted in Anonymity, Encryption, Hacking | Tagged anti-forensics, backtrack, cybercrime, Encryption, Hacking, mac spoofing, wep, wifi, wpa
By Max on March 18, 2009
It seems that there are still many people who do not understand what happens when a hard drive is wiped once with a single pass. There were many comments left about my last article on other websites where people were still spreading the myth that a single pass is insufficient. So I’ve created yet another article, this time with screenshots.
Posted in Data Destruction | Tagged destroy hard drive, hard disk wipe, hard disk wipe tool, magnetic force microscopy, one pass wipe, winhex, wipe evidence, wipe hard drive
By Max on March 17, 2009
Many people are under the impression that hard drives need to be wiped with multiple passes to prevent recovery of data. This is simply untrue with modern hard drives.
Posted in Data Destruction | Tagged destroy hard drive, hard disk wipe, one pass wipe, wipe evidence, wipe hard drive
By Max on March 14, 2009
I’ve set up a forum for those who would like to participate in discussion on anti-computer forensics and computer forensics in general.
Posted in Announcement | Tagged forum
By Max on March 11, 2009
So you’ve installed full disk encryption using TrueCrypt. You also remembered from a previous article on here that contained in the TrueCrypt boot loader is the string “TrueCrypt Boot Loader” which is a dead giveaway to the fact that you are using encryption software. In response to this you have also performed the simple disk modification to get rid of the identifiable string with a hex editor like in this article.
Now your hard drive is free from unwanted tampering and access without your permission, right?
Posted in Encryption | Tagged Encryption, FBI, forensic image, Keylogger, Magic Lantern, malware, TrueCrypt
By Max on March 7, 2009
I’ve dug around a bit and found some older examples of software that will detect whether or not the current system is being run in a virtual environment. The main purpose here is to trip up the examiners. Make them waste their time, their clients’ time and everyone else’s. Make the costs of a computer forensics examination even more expensive.
Posted in Anti-Forensics Software | Tagged forensic image, liveview, source code, vb.net, virtual machine, vmware
By Max on March 5, 2009
There have been a million articles written on using timestomp.exe. However, the goal of this article is to give some ideas on how to use timestomp and avoid leaving evidence behind that would point to its use.
Posted in Anti-Forensics Software, Hex Editing | Tagged compression, hex editor, packing, timestomp, timestomp.exe, upx, windows xp
By Max on March 5, 2009
What is the Trojan Defense?
You may or may not have heard of the “Trojan Defense.” Normally how this works is someone is charged with possessing child pornography, hacking NASA, sharing copyrighted material or any number of other reasons. Many of these people then claim that their computer was under “remote control” by persons unknown via [...]
Posted in Legal | Tagged Defense, malware
By Max on March 1, 2009
In a previous post I mentioned that TrueCrypt leaves behind a string in its boot loader (that identifies it as a TrueCrypt boot loader) when using the full disk encryption feature. As you can see in the screenshot below I have modified the original “TrueCrypt Boot Loader” string to read “Windows Boot Loader.”
Posted in Encryption, Hex Editing | Tagged Encryption, hex editing, TrueCrypt, winhex