March 2009
Obama Administration Keeping Quiet On Anti-Privacy Agreement (Anti-Counterfeiting Trade Agreement)
Parts of the agreement (ACTA, Anti-Counterfeiting Trade Agreement) will allow border agents and officials in airports to seize your digital equipment, such as laptops, mp3 players and phones, to search for copyright-protected material. People who are found to be in violation can have their equipment seized and destroyed, and can be fined as well.
Conducting Your “Business” from Wireless Networks
If you conduct online business under an alias such as “Mr. Green” or “Zero Cool” then using wireless networks that do not belong to you and have no connection to you is a great way to cover your tracks. You might just be a small time spammer trying to pay your rent. You could be a hacktivist preparing to deface a website. You could be many things and have numerous goals but the anonymity provided by using wireless networks that do not belong to you and have no connection to you is golden.
Disk Wiping – One Pass is Enough – Part 2 (this time with screenshots)
It seems that there are still many people who do not understand what happens when a hard drive is wiped once with a single pass. There were many comments left about my last article on other websites where people were still spreading the myth that a single pass is insufficient. So I’ve created yet another article, this time with screenshots.
Disk Wiping – One Pass is Enough
Many people are under the impression that hard drives need to be wiped with multiple passes to prevent recovery of data. This is simply untrue with modern hard drives.
The Anti-Forensics Forum
I’ve set up a forum for those who would like to participate in discussion on anti-computer forensics and computer forensics in general.
Using Just Full Disk Encryption is Not Enough
So you’ve installed full disk encryption using TrueCrypt. You also remembered from a previous article here that the TrueCrypt boot loader contains the string “TrueCrypt Boot Loader,” which is a dead giveaway that you are using encryption software. In response, you have also performed the simple disk modification with a hex editor to get rid of the identifiable string, as described in this article.
Now your hard drive is free from unwanted tampering and access without your permission, right?
Breaking Forensic Images Booted as a Virtual Machine
I’ve dug around a bit and found some older examples of software that will detect whether or not the current system is being run in a virtual environment. The main purpose here is to trip up the examiners. Make them waste their time, their clients’ time and everyone else’s. Make the costs of a computer forensics examination even more expensive.
Modify NTFS Timestamps and Cover Your Tracks With Timestomp.exe
There have been a million articles written on using timestomp.exe. However, the goal of this article is to give some ideas on how to use timestomp and avoid leaving evidence behind that would point to its use.
The Trojan Defense
What is the Trojan Defense? You may or may not have heard of the “Trojan Defense.” Normally it works like this: someone is charged with possessing child pornography, hacking NASA, sharing copyrighted material or any number of other offenses. Many of these people then claim that their computer was under “remote control” by persons unknown [...]
Modify TrueCrypt Encryption Boot Loader Strings
In a previous post I mentioned that TrueCrypt leaves behind a string in its boot loader (that identifies it as a TrueCrypt boot loader) when using the full disk encryption feature. As you can see in the screenshot below I have modified the original “TrueCrypt Boot Loader” string to read “Windows Boot Loader.”