/r/antiforensics
Learn how you can better your privacy by making it much more difficult to do any investigation on your computers.
Read articles, have discussions with fellow subscribers, or just share your stories!
Welcome to the Anti-Computer Forensics subreddit!
Hello, friend. Are you afraid the government is gonna go off the deepend and start knock random doors down checking all of your computers? Are you an activist fighting to preserve our human-rights from being walked all over? Afraid of the TSA asking you to open up your computer and spread your cheeks? Well this is the place for you to learn how to give your self just a bit more privacy.
Relevant topics:
Data hiding
Encryption
Steganography
Data obfuscation
Forensic booby-traps
Data wiping
Obscuring attack techniques
Trail obfuscation
Even anti-anti-forensics is welcome here!
Enjoy your stay. Contribution is greatly appreciate from anyone!
Remember: Anti-forensics is not a confession of illegal activities.
Knowledge is power.
/r/antiforensics
Will the "inactivity reboot" in iOS 18.1 make it harder to get the data from a phone because of the BFU-mode after restart?
I was browsing XDA forums and came across this app- It's free, open-source, and designed to protect sensitive data from any kind of pressure that might force you to unlock your device. Thought it might be helpful for you.
Apparently, the dev was inspired by another app called Wasted by x13a, which could factory reset a device under duress using triggers like a special password or USB connection. While that’s great, factory resets can be obvious and risky if the person holding your device realizes what's going on. This app takes it up a notch by discreetly wiping data within a specific user profile, then uninstalling or hiding itself so it leaves as few traces as possible.
You can set it up to wipe data if a duress password is entered on the lock screen, if a USB device connects without approval, or after repeated failed password attempts. There are some other features available: disabling logs to hide apps actions, disabling safe boot mode and running TRIM after data destruction. App has versions disguised as other apps to make detection of it traces in system harder.
Looks interesting for me, though I'm not sure to what extent renaming package will protect against finding traces of app activity on device. Also app requires root rights for most advanced functions and you must use ADB to install it. You can check it out on GitHub for the full rundown.
I'd also be happy for any comments on it, specifically about its trustworthiness
I did a factory reset on my phone. The next morning I restarted my phone, and the first thing i seen was a black screen with the following words you phone was encrypted for security put in your password.
Mind you I have factory reseted my phone many times before and this never happened....whats going on?
As in the title, in connection with the ongoing investigation, the police took over my iPhone 15 with the iOS 18.0.1. Before they took it i put it into the BFU mode, u guys think what data will they be able to extract from the phone? I will add that the matter is big and I think they will want to get in at all costs.
I will keep this as short as possible..
I used to work in investigative journalism, just a group of amateur friends who started a mobile app about news and politics..
I live in an authoritarian country, and now there is a possibility of me and my friends being detained for the aforementioned activity.
We did most of our work on phone, you know.. documents, memos, screenshots..
My question is, how much can LE extract from a reset Android 10 (in a 3rd world country, with limited budget maybe).
Thank you everyone.
Hello everyone, I'm currently learning bash,
And to concretize my learning I would like to create a really useful script my goal is to create a script to remove all trace of my message on a linux machine.
I have several questions :
Is it ethical?(My goal is clearly not to delete my traces on a site I don't have the rights to.)
How do I proceed? (where can I find out about all the stuff I have to delete?)
I'm not an expert, so if you have any links to help me learn bash or improve my bash skills, I'd love to hear from you.
My goal is to have a cyber-related project to improve my bash skills.
Thank you in advance for your help.
Ssd are harder to wipe than hdd and easier to recover with forensic tools. What are the best ways to wipe an ssd to be unrecoverable by recovery tools but usable afterwards for maybe resale?
How to detect a gps tracker that works without internet or mobile phone but with an sd card?
My company has me using active killdisk for wiping hdds because its mostly affordable but especially because it create erasure certificates. I now need to securely wipe ssds for reuse. I understand that they best method for ssd data destruction is physical destruction but in this case we need to still have working drives afterwards for reuse inside the company. I was thinking about asking for an upgraded license for Active@ KillDisk Ultimate because it supports "low level" atp secure erase whatever that means. I was just wondering if anyone had any experience with secure erase with Active Killdisk or if there are any alternatives I should look at. Just to clarify I need software that create certificates so that is why I dont want to use trim or manufacturer specific software.
Thank you for your time
Hello everyone. I have a report (with forensics image by UFED) regarding some photographs extracted from an iPhone, where I suspect the photos were uploaded to the phone later with modified metadata before being uploaded. Is it possible to retrieve any information to understand if this has occurred?
If that's even possible.
Hi, in connection with the ongoing investigation, the police seized my computer with an SSD drive, well before their visit I reset windows to factory settings (selected the "clean drive" option in the additional settings, whatever that does) and then overwrote the free space 1 time (probably using zeros or random) by 3rd party software, how do you think what they will be able to recover, after all, I heard that overwriting data does not cooperate with SSDs.
Hi,
I was/am a suspect in a case, they got a warrant for my phone - forensics did their job - found shit.(no murder)
Device: Iphone 12 ( ios 17)
My question: Im thinking they could've put smth into my phone like a file that is streaming phone screen to their servers or smth like that. Do you think LE does this ? Im still going to factory reset this phone of mine, eventually sell it on eBay. I suggest u to do the same if you experienced smth similiar.
Kind Regards
edit: My bad... theres no open case yet, "found shit" - literally means poo, also fyi dont trap on droids xd
Camera which captures and sd card which stores. Let's say something was recorded/captured which camera saved in sd card, But sd card is destroyed. So does camera has any kind of logs about time when something was recorded with camera with date, time etc . Like logs ? Answer for both DSLR AND CCTV
Hi guys,
Im interested in forensics but just a question if you guys dont mind?
From my research all systems such as Cellebrite, Axiom, Oxygen and elcomsoft are industry standards but reading forums and reddit pages these systems do work with android and windows but the only issue is im very interested in apple devices specifically iPhones.
Clearly forensics on ios is hushed online ive literally seen forum pages been deleted but whys that?
I know apple constantly tries to block forensics on ios devices but companies find work around and around it constantly goes. I was talking to a PHD professor and she did state that its like a blackbox with foresnsics in iPhones its a void where its extremely quiet but sensitive.
I know you cannot do a physical extraction at all just an advanced ffs extraction but does that include previous application data such as thumbnails, login details, geographical information etc?
I know snapchat if the messages are not downloaded or saved they are gone forever this includes images aswell.
One thing is that icloud/itunes backups which can be downloaded and forensically analysed is possible but that can be anything.
I do know usage of cloud storage google drive, box, dropbox, terabox, mega, onedrive can have data but companies dont save the data if the passwords are lost but do the client devices obtain the data such as login data, thumbnails of images and videos which arent downloaded etc.
Any insights?
Is it possible to retrieve the data(airdropped logs form a week ago) for forensic audit team after factory reset?
I've been trying to get this app into my hands forva long time but it seems it isn't possible..Or is it? Any advice on this regard? Or at least suggest some free legall analogues please!
Let's assume WhatsApp on iPhone gets regularly backed up to cloud. There is an old WhatsApp chat box that I delete (I AM NOT TALKING ABOUT DELETE FOR EVERYONE FEATURE) and refresh the backup from time to time. Additionally some time also gets passed like months and years to that event along with change of iphones from one to two times. One important thing is that WhatsApp is never installed from fresh and it can't be done because of requirement of preserving work related chats. Will it be possible by forensics to retrieve that chat data given they have full access to mirrored data of phone? I don't think it would be possible for media but what about text? I have read about retrieving text from "chat search" in iOS where FBI investigated some years ago and I don't know if that vulnerability of something like that still there or not. On Android I have found some mixed results but couldn't make any conclusion. But overall I am more focused on iPhone.
How to safely destroy an SSD so that not even the FBI can recover what happened on it?
I just read hackerfactor's article about C2PA and validated metadata.
https://www.hackerfactor.com/blog/index.php?/archives/1010-C2PAs-Butterfly-Effect.html
How can so many big companies get this so wrong? He includes explicit examples for creating forgeries with authenticated cryptographic signatures.
For those involved in computer forensics and incident response, do you frequently employ cold boot attacks against a suspects device? Under what circumstances would a cold boot attack be used?
Using Windows 10. Probably can't delete all the "evidence" data but at least could minimize them. Any suggestion?
Apologies if this is a stupid question; I don't know anything about TV hardware. Do TVs/computer monitors store what is displayed on them, even if only for a short period of time? (similar to volatile memory?) Or do TVs/monitors NOT have any capability to store data that is sent to them via HDMI? Is there any type of storage medium that can hold data either indefinitely or temporarily on modern TVs/monitors? I understand there is with smart TVs, but what about just conventional TVs/monitors?
Essentially, what I am asking is if you were using a computer connected to a monitor/TV as a display, and a third party got a hold of the monitor/TV, is it possible they could perform forensics on the monitor itself to acquire data to see what the user was doing on the computer? Or would this data be purely found on the computer, and no data stored on the monitor/TV?
In this scenario, the computer is not connected to the monitor/TV, and both the computer and TV are powered off with no continuous power supply to either device.
now that M.2 drives are so fast that there is no reason to use a disk cache, I still use a RAM disk for one reason: browser cache files, all downloads, and the windows paging file.
downloads are usually unzipped and thrown away. The browser cache files will be reloaded from the network the first time they're used. you don't notice it. The windows paging file actually runs faster and run out of fast memory from a a fast disk
When you switch your computer off all your activity goes away except what you save on purpose.
I have documents (pdf, txt, etc.) and photo files in the persistent storage of my Tails USB and I edit them using editors such as Libreoffice, Scribus, Okular, etc.(I always use tails OS in offline mode. I never connect to the internet.)
However, some of these documents and photo files must be taken out from this persistent storage to another external hard drive later.
These files taken out to an external hard drive will be moved to my other main laptop for routine use(of course using internet too).
I have a question here, do these files(pdf,txt,jpg,etc.) that were edited in Tails and taken out from Tails have traces of the Tails os?
I never want to be caught in the presence and use of Tails os.
Please exclude my tails USB itself(because no one knows its existence), can the existence and use of Tails Os be discovered through those files or the laptop?(In the extreme, if someone do forensics for those files or laptop).
If so, is there any way to completely remove the traces of presence and use of Tails OS from those files?