PaulyD, posted April 30, 2012 (thread author):
I have to run Windows on a few boxes (one of them an always-on server) and am looking for some anti-forensics ideas similar to what int0x80 discussed in his talk at the Louise and his bash scripts on GitHub. Right now I've got CCleaner, BleachBit, Clean After Me, and USB Oblivion kicking off as scheduled tasks. Each one runs 6 hours after the other. I've also got BCWipe v5 running Transparent Wiping (any user or system delete calls go through its driver and receive a one-pass pseudo-random wipe) and an encrypted swap. I'd love to get a few more ideas from any Windows users... especially for attacking unknown USB devices and generating thousands of dummy files of varying sizes (encrypted). Thanks.
Mr-Protocol, posted April 30, 2012:
Sounds like a lot of disk thrashing. The only reason for such measures I can think of is you have something on your drives you shouldn't. Also, just letting Windows run its regularly scheduled disk defragging and having the full disk encrypted is more than enough.
redhook, posted May 1, 2012:
Encryption is all you really need, although it will not do you much good if the system is vulnerable to attack. FireWire has direct access to RAM...
Radau, posted May 1, 2012:
Unless you're managing C.I.A. computers you really shouldn't resort to such measures, unless, like Mr-Protocol said, you plan on replacing hard drives often.
Infiltrator, posted May 1, 2012:
To me it does sound like you are doing something illegal and you are trying to cover up your tracks. As most mentioned, encryption should be enough; just remember to set a complex password.
PaulyD, posted May 1, 2012 (thread author):
> To me it does sound like you are doing something illegal and you are trying to cover up your tracks. As most mentioned, encryption should be enough; just remember to set a complex password.

Nope, nothing illegal, just a privacy advocate. CISPA passed the US House, and it will only get worse. Full disk crypto is useless on an always-on server. I've seen int0x80 post here occasionally, so maybe he'll see this. Thanks.
Mr-Protocol, posted May 1, 2012:
> Nope, nothing illegal, just a privacy advocate. CISPA passed the US House, and it will only get worse. Full disk crypto is useless on an always-on server. I've seen int0x80 post here occasionally, so maybe he'll see this. Thanks.

Full disk encryption + power kill switch for the server if touched/moved/opened. I am a computer forensics and data recovery major :P. I really hope int0x80 is at DerbyCon to chat it up. If they don't know about the kill switch, they will have roughly 10 minutes to react to have a chance to get your password/encryption keys via cold boot, or by quickly booting and dumping RAM onto USB before it dissipates.
PaulyD, posted May 2, 2012 (thread author, edited):
Thanks for the reply. The server has USB access for a number of things. DumpIt (among other things) could be run, unfortunately. I'd love to JB Weld all the USB ports, but can't :) That's why int0x80's USB Attack Code was interesting.
Edited May 2, 2012 by PaulyD
digip, posted May 2, 2012:
> Thanks for the reply. The server has USB access for a number of things. DumpIt (among other things) could be run, unfortunately. I'd love to JB Weld all the USB ports, but can't :) That's why int0x80's USB Attack Code was interesting.

I'm curious if there is a limitation to this, such as having a PC with 16GB of RAM: how that affects the tool's functionality and ability to dump it all.
Mr-Protocol, posted May 2, 2012:
> I'm curious if there is a limitation to this, such as having a PC with 16GB of RAM: how that affects the tool's functionality and ability to dump it all.

Some are made in 32-bit and support only 4 GB. I would assume by now there would be newer scripts/applications to break the 4 GB barrier.
int0x80, posted May 7, 2012:
> I have to run Windows on a few boxes (one of them an always-on server) and am looking for some anti-forensics ideas similar to what int0x80 discussed in his talk at the Louise and his bash scripts on GitHub. Right now I've got CCleaner, BleachBit, Clean After Me, and USB Oblivion kicking off as scheduled tasks. Each one runs 6 hours after the other. I've also got BCWipe v5 running Transparent Wiping (any user or system delete calls go through its driver and receive a one-pass pseudo-random wipe) and an encrypted swap. I'd love to get a few more ideas from any Windows users... especially for attacking unknown USB devices and generating thousands of dummy files of varying sizes (encrypted). Thanks.

I haven't done much Windows anti-forensics research; in fact, you've given me some things to look up. One option you could consider is porting my scripts over and running them via Cygwin or GnuWin32. If you've got FDE and you're running these wipes in cycles, you should be pretty well set. I haven't seen any Windows stuff that attacks inserted USB devices, but it would be a surprise if such software didn't already exist. Sorry to not be of much help on this one.
oxley, posted May 9, 2012:
> Encryption is all you really need, although it will not do you much good if the system is vulnerable to attack. FireWire has direct access to RAM...

Not a big fan of disk encryption. I saw a talk at a conference on the topic of rubber-hose or Gitmo decryption, which is basically: if you have something on your encrypted disk that I want, I may decide to take you out the back and extract the key the painful way, if you get my drift.
int0x80, posted May 9, 2012:
When I come back into the country, I generally rsync/ssh my data onto a server state-side, then zero the drive on the laptop. That way there is no confusion regarding disk contents. For good measure I give it a little:

    echo -n "Just us zeroes :]" | dd of=/dev/sda seek=$RANDOM   # seek counts 512-byte blocks (dd's default bs), so the string lands at a random sector

Reference (NSFW): http://pt.reddit.com/r/AskReddit/comments/ndpe1/whats_your_best_it_was_the_most_inappropriate/c38bptk
Mr-Protocol, posted May 9, 2012:
> When I come back into the country, I generally rsync/ssh my data onto a server state-side, then zero the drive on the laptop. That way there is no confusion regarding disk contents. For good measure I give it a little:
>
>     echo -n "Just us zeroes :]" | dd of=/dev/sda seek=$RANDOM
>
> Reference (NSFW): http://pt.reddit.com/r/AskReddit/comments/ndpe1/whats_your_best_it_was_the_most_inappropriate/c38bptk

HAHAHA NICE! If I do some international travel, I will be doing that.
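A worked example of what the other side of that dd one-liner looks like: after a drive has been zeroed, either the owner verifying the wipe or an examiner imaging the disk walks the image in fixed-size chunks and lists every run of non-zero bytes. A 17-byte string written at a random sector shows up as exactly one run at a byte offset that is a multiple of 512. This is an added example, not int0x80's script or anything from the thread; the chunk size, the function names and the in-memory sample image are my own assumptions, and the sample is constructed here so the script runs offline.

```python
"""Scan a raw disk image for non-zero regions (added example, not from the thread).

Useful both to confirm a drive really was zeroed and to see what a forensic
examiner would find after the `dd ... seek=$RANDOM` one-liner above.
"""
import io

CHUNK = 4096  # assumption: read the image in 4 KiB blocks


def _as_stream(data):
    """Accept either a binary stream (open('/dev/sdX','rb'), an image file) or bytes."""
    if isinstance(data, (bytes, bytearray)):
        return io.BytesIO(data)
    return data


def nonzero_runs(data, chunk=CHUNK):
    """Return [(offset, length), ...] for every contiguous run of non-zero bytes.

    Runs that straddle a chunk boundary are tracked across reads, so the
    reported length is the true length, not a per-chunk fragment.
    """
    stream = _as_stream(data)
    runs = []
    pos = 0            # absolute offset of the current chunk
    run_start = None   # absolute offset where the open run began, if any
    while True:
        buf = stream.read(chunk)
        if not buf:
            break
        # fast path: an all-zero chunk with no open run needs no byte-by-byte walk
        if run_start is not None or buf.count(0) != len(buf):
            for i, b in enumerate(buf):
                if b and run_start is None:
                    run_start = pos + i
                elif not b and run_start is not None:
                    runs.append((run_start, pos + i - run_start))
                    run_start = None
        pos += len(buf)
    if run_start is not None:          # run reaches end of image
        runs.append((run_start, pos - run_start))
    return runs


def verify_wiped(data, chunk=CHUNK):
    """True only when the whole image is 0x00; False if anything survives."""
    return not nonzero_runs(data, chunk)


def make_test_image(size, marker, offset):
    """Constructed sample: `size` zero bytes with `marker` written at `offset`."""
    img = bytearray(size)
    img[offset:offset + len(marker)] = marker
    return bytes(img)


if __name__ == "__main__":
    # Constructed 8 MiB image: zeroed, then the same string dd would write at
    # sector 12345 (seek=$RANDOM picks a sector in 0..32767 with bs=512).
    marker = b"Just us zeroes :]"
    image = make_test_image(1 << 23, marker, 12345 * 512)
    for off, length in nonzero_runs(image):
        sector, rem = divmod(off, 512)
        print(f"non-zero run at byte {off} (sector {sector}+{rem}, {length} bytes): "
              f"{image[off:off + length]!r}")
    print("fully zeroed:", verify_wiped(image))
```

To run it against a real device or image, pass `open("/dev/sdX", "rb")` or `open("disk.img", "rb")` to `nonzero_runs`; the scan is sequential and needs only the chunk buffer in memory, so it is fine on multi-TB images. The point for the thread's purposes is that a zeroed drive with one message on it is trivially distinguishable from an untouched one, and the message's sector is exactly what the scan reports.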
PaulyD, posted May 16, 2012 (thread author):
> I haven't done much Windows anti-forensics research; in fact, you've given me some things to look up. One option you could consider is porting my scripts over and running them via Cygwin or GnuWin32. If you've got FDE and you're running these wipes in cycles, you should be pretty well set. I haven't seen any Windows stuff that attacks inserted USB devices, but it would be a surprise if such software didn't already exist. Sorry to not be of much help on this one.

Awesome, thanks for weighing in on this. Looking forward to what you come up with when you find the time.
Pauly