Windows Hibernation and hiberfil.sys

Did you know that by putting your computer into "hibernation" mode you are essentially creating a snapshot of the contents of your computer's RAM? Learn the risks of using Windows Hibernation mode and how to disable hiberfil.sys on a Windows system. Learn this anti-forensics technique and more.

Beat EnCase File Signature Analysis on a Windows System

Use a hex editor to modify the file signature of a WinRAR archive to that of an executable file to beat the EnCase forensic software's file signature analysis.

Modify NTFS Timestamps and Cover Your Tracks With Timestomp.exe

There have been a million articles written on using timestomp.exe. However, the goal of this article is to give some ideas on how to use timestomp and avoid leaving evidence behind that would point to its use.

Modify TrueCrypt Encryption Boot Loader Strings

In a previous post, I mentioned that TrueCrypt leaves behind a string in its boot loader (one that identifies it as a TrueCrypt boot loader) when using the full disk encryption feature. As you can see in the screenshot below, I have modified the original "TrueCrypt Boot Loader" string to read "Windows Boot Loader."
