/r/antiforensics

Learn how you can better your privacy by making it much more difficult to do any investigation on your computers.

Read articles, have discussions with fellow subscribers, or just share your stories!

About

Welcome to the Anti-Computer Forensics subreddit!

Hello, friend. Are you afraid the government is going to go off the deep end and start knocking down random doors to check all of your computers? Are you an activist fighting to keep our human rights from being walked all over? Afraid of the TSA asking you to open up your computer and spread your cheeks? Well, this is the place for you to learn how to give yourself just a bit more privacy.

Relevant topics:

  • Data hiding

  • Encryption

  • Steganography

  • Data obfuscation

  • Forensic booby-traps

  • Data wiping

  • Obscuring attack techniques

  • Trail obfuscation

  • Even anti-anti-forensics is welcome here!

Enjoy your stay. Contributions from anyone are greatly appreciated!

Remember: Anti-forensics is not a confession of illegal activities.

Knowledge is power.

Other great subreddits:

/r/ComputerForensics

/r/MemoryForensics

/r/Privacy

/r/Hacking

/r/NetSec

/r/Crypto

/r/GnuPG

/r/Programming

/r/DarknetPlan

/r/i2p

/r/Tor

Links:

Forensic Wiki

Anti-Forensics

Tor Project

I2P

12,930 Subscribers

10

IOS forensics

Hi guys,

I'm interested in forensics, but just a question, if you guys don't mind?

From my research, systems such as Cellebrite, Axiom, Oxygen and Elcomsoft are industry standards, and from reading forums and Reddit pages these systems do work with Android and Windows, but the only issue is I'm very interested in Apple devices, specifically iPhones.

Clearly forensics on iOS is hushed online; I've literally seen forum pages being deleted, but why is that?

I know Apple constantly tries to block forensics on iOS devices, but companies find workarounds, and around it goes constantly. I was talking to a PhD professor and she did state that it's like a black box with forensics on iPhones; it's a void where it's extremely quiet but sensitive.

I know you cannot do a physical extraction at all, just an advanced FFS extraction, but does that include previous application data such as thumbnails, login details, geographical information, etc.?

I know with Snapchat, if the messages are not downloaded or saved they are gone forever; this includes images as well.

One thing is that iCloud/iTunes backups can be downloaded and forensically analysed, but that can be anything.

I do know usage of cloud storage (Google Drive, Box, Dropbox, TeraBox, MEGA, OneDrive) can have data, but companies don't save the data if the passwords are lost; but do the client devices retain data such as login data, thumbnails of images and videos which aren't downloaded, etc.?

Any insights?

5 Comments
2024/05/19
13:13 UTC

1

Retrieve airdropped logs from mac laptop after factory reset

Is it possible to retrieve the data (AirDrop logs from a week ago) for a forensic audit team after a factory reset?

0 Comments
2024/04/29
14:10 UTC

3

Is there any way to use the Amped FIVE app without being a cop/special service?

I've been trying to get this app into my hands for a long time, but it seems it isn't possible... Or is it? Any advice in this regard? Or at least suggest some free legal analogues, please!

1 Comment
2024/04/08
08:37 UTC

2

Is it possible for law enforcement/forensics to retrieve deleted WhatsApp text threads on iOS or Android after a long time has passed?

Let's assume WhatsApp on iPhone gets regularly backed up to the cloud. There is an old WhatsApp chat that I delete (I AM NOT TALKING ABOUT THE DELETE FOR EVERYONE FEATURE) and I refresh the backup from time to time. Additionally, some time also passes after that event, like months and years, along with changing iPhones one or two times. One important thing is that WhatsApp is never installed fresh, and it can't be, because of the requirement of preserving work-related chats. Will it be possible for forensics to retrieve that chat data, given they have full access to mirrored data of the phone? I don't think it would be possible for media, but what about text? I have read about retrieving text from "chat search" on iOS, where the FBI investigated some years ago, and I don't know if that vulnerability or something like that is still there or not. On Android I have found some mixed results but couldn't reach any conclusion. But overall I am more focused on iPhone.

1 Comment
2024/04/04
16:53 UTC

5

Questions about SSD destruction

How to safely destroy an SSD so that not even the FBI can recover what happened on it?

10 Comments
2024/01/30
08:26 UTC

7

What sort of data recovery is possible on an iPhone 12?

What sort of data recovery is possible on an iPhone 12, assuming the following:

  1. The phone is fully updated to iOS 17.2.1
  2. Erase Data is enabled.
  3. USB Restricted Mode is enabled.
  4. The iPhone is locked w/ a PIN code, but was acquired in an "AFU" state.

Thank you.

11 Comments
2024/01/22
05:15 UTC

4

Anti-Forensic/Cellebrite Apps for Iphone

Hi Everyone.

I'm currently using a Pixel 6a on GrapheneOS with Wasted and Duress installed as anti-forensic countermeasures. They work amazingly well.

I was just wondering, are there any apps available for iPhone that have similar features (obviously not the OS), i.e. factory reset when a data connection is made, or factory reset if the device is not unlocked for (a set number of days)? Is there also a duress password app for Android? Wipe on entering a certain password string?

1 Comment
2024/01/13
11:54 UTC

4

If I download a JPG from social media, what trackable metadata will it have in the file itself? And does my PC attach trackable metadata to the JPG if I share it with someone else anonymously? -Thanks

5 Comments
2023/12/23
09:59 UTC
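As an added example for the question above (not code from this thread), the script below walks a JPEG's marker segments, names the metadata-bearing ones (APP1 EXIF/XMP, APP2 ICC profile, APP13 Photoshop/IPTC, COM comment) and writes a copy without them, leaving the scan data byte-for-byte intact. The sample JPEG is constructed inline from valid segment headers and placeholder table/scan bytes; it is not a real photo, and the exporter string in its COM segment is made up. Two caveats a practitioner would add: many sites already strip EXIF on upload, so a downloaded file may carry little; and what your own PC attaches to a downloaded file lives outside the file bytes (filesystem timestamps, the NTFS Zone.Identifier stream that marks downloads, browser history) and is not transmitted when you send the file, but it does stay on your disk.

```python
"""List and strip metadata segments from a JPEG.  Added example; the
sample file below is constructed, not a real image."""
import struct

SOI, SOS, EOI = 0xD8, 0xDA, 0xD9

# Marker segments that carry metadata rather than image data.
METADATA_MARKERS = {
    0xE1: "APP1",   # EXIF (camera, GPS, timestamps) or XMP
    0xE2: "APP2",   # ICC colour profile
    0xED: "APP13",  # Photoshop/IPTC records (captions, keywords)
    0xFE: "COM",    # free-text comment, often an exporter's name
}


def parse_segments(data):
    """Return [(marker, start, end)] for every header segment up to SOS.
    Everything from SOS to the end (entropy-coded scan data plus EOI) is
    returned as one final opaque span, so pixels never need decoding.
    Fill bytes and length-less markers (RSTn, TEM) before SOS are rare
    in headers and are not handled here."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI: not a JPEG")
    segs = [(SOI, 0, 2)]
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker prefix 0xFF at offset {pos}")
        marker = data[pos + 1]
        if marker == SOS:
            segs.append((SOS, pos, len(data)))
            return segs
        # The 16-bit length counts itself (2 bytes) plus the payload.
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segs.append((marker, pos, pos + 2 + length))
        pos += 2 + length
    raise ValueError("no SOS segment found")


def label(marker, payload):
    """Name a metadata segment, telling EXIF from XMP inside APP1."""
    if marker == 0xE1:
        if payload.startswith(b"Exif\x00"):
            return "APP1/Exif"
        if payload.startswith(b"http://ns.adobe.com/xap/1.0/"):
            return "APP1/XMP"
    return METADATA_MARKERS[marker]


def list_metadata(data):
    """Names of the metadata segments present, in file order."""
    return [label(m, data[s + 4:e])
            for m, s, e in parse_segments(data) if m in METADATA_MARKERS]


def strip_metadata(data):
    """Copy of the JPEG with metadata segments dropped, scan data untouched."""
    return b"".join(data[s:e] for m, s, e in parse_segments(data)
                    if m not in METADATA_MARKERS)


def _seg(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: valid segment structure, placeholder table/scan bytes.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")        # APP0
    + _seg(0xE1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08\x00\x00")        # stub TIFF header
    + _seg(0xFE, b"Exported from example-app 2.1")                      # made-up exporter tag
    + _seg(0xDB, b"\x00" + bytes(64))                                   # DQT
    + _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")              # SOF0, 8x8 grey
    + _seg(0xC4, b"\x00" + bytes(16) + b"\x00")                         # DHT
    + _seg(SOS, b"\x01\x01\x00\x00\x3f\x00")                            # SOS header
    + b"\x12\x34\x56"                                                   # scan data
    + b"\xff\xd9"                                                       # EOI
)

if __name__ == "__main__":
    print("before:", list_metadata(SAMPLE_JPEG))
    print("after: ", list_metadata(strip_metadata(SAMPLE_JPEG)))
```

On a real file, `strip_metadata(open(path, "rb").read())` gives you the bytes to write back out; compare `list_metadata` before and after to see what the file was carrying.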

4

Creating authentic forgeries with C2PA

I just read hackerfactor's article about C2PA and validated metadata.

https://www.hackerfactor.com/blog/index.php?/archives/1010-C2PAs-Butterfly-Effect.html

How can so many big companies get this so wrong? He includes explicit examples for creating forgeries with authenticated cryptographic signatures.

0 Comments
2023/11/18
18:19 UTC

6

Are cold boot attacks used frequently during incident response?

For those involved in computer forensics and incident response, do you frequently employ cold boot attacks against a suspects device? Under what circumstances would a cold boot attack be used?

5 Comments
2023/08/26
17:27 UTC

0

How do I delete evidence and history of every file, game and program on my computer ever?

Using Windows 10. I probably can't delete all the "evidence" data, but could at least minimize it. Any suggestions?

10 Comments
2023/08/17
13:35 UTC

3

Is it possible to perform a forensic acquisition on a TV/monitor screen?

Apologies if this is a stupid question; I don't know anything about TV hardware. Do TVs/computer monitors store what is displayed on them, even if only for a short period of time? (similar to volatile memory?) Or do TVs/monitors NOT have any capability to store data that is sent to them via HDMI? Is there any type of storage medium that can hold data either indefinitely or temporarily on modern TVs/monitors? I understand there is with smart TVs, but what about just conventional TVs/monitors?

Essentially, what I am asking is if you were using a computer connected to a monitor/TV as a display, and a third party got a hold of the monitor/TV, is it possible they could perform forensics on the monitor itself to acquire data to see what the user was doing on the computer? Or would this data be purely found on the computer, and no data stored on the monitor/TV?

In this scenario, the computer is not connected to the monitor/TV, and both the computer and TV are powered off with no continuous power supply to either device.

8 Comments
2023/08/09
12:06 UTC

5

case of the disappearing evidence!!

Now that M.2 drives are so fast that there is no reason to use a disk cache, I still use a RAM disk for one reason: browser cache files, all downloads, and the Windows paging file.

Downloads are usually unzipped and thrown away. The browser cache files will be reloaded from the network the first time they're used; you don't notice it. The Windows paging file actually runs faster out of fast memory than from a fast disk.

When you switch your computer off all your activity goes away except what you save on purpose.

0 Comments
2023/08/05
14:28 UTC

6

Files taken out from Tails have traces of Tails?

I have documents (pdf, txt, etc.) and photo files in the persistent storage of my Tails USB, and I edit them using editors such as LibreOffice, Scribus, Okular, etc. (I always use Tails OS in offline mode. I never connect to the internet.)

However, some of these documents and photo files must be taken out of this persistent storage to another external hard drive later.

These files taken out to an external hard drive will be moved to my other main laptop for routine use (of course using the internet too).

I have a question here: do these files (pdf, txt, jpg, etc.) that were edited in Tails and taken out of Tails have traces of the Tails OS?

I never want the presence and use of Tails OS to be discovered.

Please exclude my Tails USB itself (because no one knows of its existence); can the existence and use of Tails OS be discovered through those files or the laptop? (In the extreme, if someone does forensics on those files or the laptop.)

If so, is there any way to completely remove the traces of the presence and use of Tails OS from those files?

5 Comments
2023/06/27
06:19 UTC
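An added example for the question above (not from the thread): the part of a document that most often names the producing environment is its metadata, not the content. PDFs carry an Info dictionary with /Producer and /Creator strings, and ODF files (.odt/.ods/.odp, which are zip archives) carry meta.xml with a <meta:generator> element that LibreOffice fills with its application, version and platform string. Neither names the distribution, but they do say "LibreOffice on Linux x86_64", which is one bit of the story a file can tell. The script scans both formats and rewrites an ODF archive with meta.xml emptied; the sample PDF and .odt are built inline and the version strings in them are made up. It leaves settings.xml and the zip entries' own timestamps alone, which a thorough scrub would also need to look at, and it does nothing about what the laptop itself records when you open the files.

```python
"""Find and scrub application/version strings in exported documents.
Added example; the sample files are constructed, not real documents."""
import io
import re
import zipfile

PDF_INFO_KEYS = ("Producer", "Creator", "Author", "CreationDate", "ModDate")


def pdf_info(data):
    """Info-dictionary string entries found by a plain regex scan.  Fine for
    uncompressed literal strings; a full parser would also need object
    streams and the XMP metadata stream."""
    found = {}
    for key in PDF_INFO_KEYS:
        m = re.search(rb"/" + key.encode() + rb"\s*\(([^)]*)\)", data)
        if m:
            found[key] = m.group(1).decode("latin-1")
    return found


def odf_generator(data):
    """Generator string from meta.xml, or None if absent."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        if "meta.xml" not in zf.namelist():
            return None
        m = re.search(rb"<meta:generator>(.*?)</meta:generator>",
                      zf.read("meta.xml"))
        return m.group(1).decode() if m else None


EMPTY_META = (
    b'<?xml version="1.0" encoding="UTF-8"?>'
    b'<office:document-meta '
    b'xmlns:office="urn:oasis:names:tc:opendocument:xmlns:office:1.0" '
    b'office:version="1.2"><office:meta/></office:document-meta>'
)


def scrub_odf_meta(data):
    """Rewrite the archive with meta.xml emptied.  'mimetype' must remain the
    first entry and uncompressed, or some readers reject the file."""
    src = zipfile.ZipFile(io.BytesIO(data))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for info in src.infolist():
            body = EMPTY_META if info.filename == "meta.xml" else src.read(info.filename)
            method = zipfile.ZIP_STORED if info.filename == "mimetype" else zipfile.ZIP_DEFLATED
            dst.writestr(info.filename, body, compress_type=method)
    return out.getvalue()


def first_entry_is_stored_mimetype(data):
    """ODF well-formedness check used after scrubbing."""
    first = zipfile.ZipFile(io.BytesIO(data)).infolist()[0]
    return first.filename == "mimetype" and first.compress_type == zipfile.ZIP_STORED


def build_sample_odt():
    """Minimal stand-in for a LibreOffice .odt (constructed, version made up)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.text",
                    compress_type=zipfile.ZIP_STORED)
        zf.writestr("meta.xml",
                    '<?xml version="1.0"?><office:document-meta><office:meta>'
                    '<meta:generator>LibreOffice/7.5.4.2$Linux_X86_64 '
                    'LibreOffice_project/example</meta:generator>'
                    '<dc:date>2023-06-27T06:19:00</dc:date>'
                    '</office:meta></office:document-meta>',
                    compress_type=zipfile.ZIP_DEFLATED)
        zf.writestr("content.xml", "<office:document-content/>",
                    compress_type=zipfile.ZIP_DEFLATED)
    return buf.getvalue()


SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Producer (LibreOffice 7.5) /Creator (Writer) "
              b"/CreationDate (D:20230627061900Z) >>\nendobj\n%%EOF\n")
SAMPLE_ODT = build_sample_odt()

if __name__ == "__main__":
    print(pdf_info(SAMPLE_PDF))
    print(odf_generator(SAMPLE_ODT))
    print(odf_generator(scrub_odf_meta(SAMPLE_ODT)))
```

For a real file, `odf_generator(open("doc.odt", "rb").read())` shows what the archive says about its origin, and the scrubbed bytes from `scrub_odf_meta` can be written to a new file. Exporting to a flat format and re-saving from a different application is the other common route, but check the result with the same scan rather than assuming.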

2

Does flashing a micro sd make the files unrecoverable?

I accidentally reflashed my micro SD that had Kali running. I know it uses flash memory, so is that data just gone? Please help.

3 Comments
2023/06/11
18:01 UTC

11

Defeat Reverse Image

Last night I screenshotted a person and performed a reverse image search via Google, and Google found the exact person's page.

Is there software that can prevent such a thing? E.g. alter image bits/pixels, like in anti-forensics?

3 Comments
2023/04/28
09:45 UTC
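An added example for the post above (not from the thread) showing why altering bits does not help: reverse image search works on perceptual features, not on file bytes. The script implements dHash, the simplest perceptual hash, as a stand-in for whatever features a given search engine uses (those are not public): it shrinks the image to a 9x8 greyscale thumbnail and records, for each neighbouring pair, whether brightness rises left to right. Randomly flipping the least significant bit of every pixel changes every byte of the file yet leaves the hash essentially unchanged, while a visible edit (mirroring) moves it far away. The 64x64 image is constructed (a gradient with a bright square), not a screenshot.

```python
"""dHash perceptual hash versus bit-level image noise.  Added example;
the image is constructed, and dHash stands in for a search engine's
undisclosed feature extraction."""
import random


def downscale(img, w, h):
    """Box-average a greyscale image (list of rows of 0-255 ints) to w x h."""
    H, W = len(img), len(img[0])
    out = []
    for y in range(h):
        y0, y1 = y * H // h, (y + 1) * H // h
        row = []
        for x in range(w):
            x0, x1 = x * W // w, (x + 1) * W // w
            block = [img[yy][xx] for yy in range(y0, y1) for xx in range(x0, x1)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out


def dhash(img):
    """64-bit hash: for each of 8 thumbnail rows, one bit per adjacent pair
    of the 9 columns saying whether brightness increases left to right."""
    bits = 0
    for row in downscale(img, 9, 8):
        for x in range(8):
            bits = (bits << 1) | (1 if row[x] < row[x + 1] else 0)
    return bits


def hamming(a, b):
    """Differing bits; a matcher treats small distances as the same picture."""
    return bin(a ^ b).count("1")


def sample_image(size=64):
    """Constructed stand-in for a photo: horizontal gradient plus a bright square."""
    img = [[x * 255 // (size - 1) for x in range(size)] for _ in range(size)]
    for y in range(16, 40):
        for x in range(8, 32):
            img[y][x] = 255
    return img


def flip_lsbs(img, seed=1):
    """The 'alter image bits' idea: randomly flip each pixel's lowest bit.
    Every pixel value may change; nothing a viewer or a perceptual hash sees."""
    rng = random.Random(seed)
    return [[p ^ rng.randint(0, 1) for p in row] for row in img]


def mirror(img):
    """A visible edit, for contrast."""
    return [row[::-1] for row in img]


if __name__ == "__main__":
    base = dhash(sample_image())
    print("lsb noise distance:", hamming(base, dhash(flip_lsbs(sample_image()))))
    print("mirror distance   :", hamming(base, dhash(mirror(sample_image()))))
```

The only bits that can move under LSB noise are comparisons between blocks that were already nearly equal (the flat bright square here), which is why matchers use a distance threshold rather than exact equality. Defeating a match means changing what the image looks like at thumbnail scale (cropping, heavy recomposition), not its bytes.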

11

Beta-test a 'burner' browser iOS app that blocks everything by default. Looking for feedback

Hi, everyone. We are looking for privacy-conscious iOS users willing to beta-test a new app that you may find useful.

Praxis is a companion to your web browser that lets you quickly view any web page with all scripts, cookies, trackers, etc. on it completely blocked. This will prevent the site from tracking or identifying you, and in some cases will make for a more enjoyable reading experience without any ads or popups.

It’s basically like an Incognito mode on steroids that’s available from anywhere on your phone. You can use our share extension to quickly open Praxis directly from Safari, for example.

If you have an iPhone running iOS 16, you can sign up on TestFlight https://testflight.apple.com/join/LXPR9UVp

Your participation is completely anonymous. You can submit feedback via the built-in Apple interface, or just reach out on here if you have any questions.

✌️

0 Comments
2023/04/19
10:51 UTC

8

Private browsers and ssds

So if I browse the web with a normal browser without incognito mode, it stores information on my hard drive that can be forensically recovered. If I use Tor, this runs entirely in RAM, so the above couldn't happen.

How about if I use a normal browser in private mode? Does this also run in RAM, and what data can be retrieved from, say, Firefox private browsing mode after the fact, e.g. closed browser, restarted computer?

Also, if I own a USB drive which is an SSD, and it has a pirated copy of RoboCop (example only lol), when I delete RoboCop it is moved to the unallocated space, where it will lie until rewritten.

When does this take place, assuming I use the drive (fill it full of copies of Terminator 2)?

When does this take place on a LUKS-encrypted SSD?

I hear the file or part of the file could be moved to an inaccessible part of the USB drive (e.g. if I have a 32GB USB drive with only 30GB accessible, that's the location I mean). If this is the case, could a forensic team retrieve this, or is it too costly to justify?

What would be your threat model/adversary to go to this level?

Would fully encrypting the disk erase said inaccessible location, or the ability to retrieve from it?

5 Comments
2023/03/11
13:19 UTC

20

Anti-Forensics: Reverse Engineering a Leading Phone Forensic Tool (Cellebrite)

1 Comment
2023/03/10
12:18 UTC

12

Idiot's guide to what traces and footprints are stored on the most popular operating systems

I'm guessing all your file activity and maybe every click is catalogued somewhere when using macOS and Windows.

Where do I start with the basics of finding out where and how these are stored? I will then want to purge them every so often.

Thanks in advance

5 Comments
2022/12/19
20:23 UTC

0

Where are traces on attacker's machine stored?

Where are traces of using Kali tools (because it's the most used by hackers) stored inside the system for forensics, when the attacker's device is found during an investigation and he didn't delete or wipe them? In other words, where is the evidence of the crime stored inside the system (if he has Kali on USB, CD, dual-booted or even in a VM)?

Hope my question is clear. Thank you in advance for your time reading my post.

1 Comment
2022/12/19
17:26 UTC

6

I think I've found a way to have plausible deniability with a VeraCrypt-encrypted drive, specifically with SSDs.

First off I am a cypherpunk, which is any individual advocating widespread use of strong cryptography and privacy-enhancing technologies as a route to social and political change.

This is a complex subject for a lot of people; a lot of people don't understand the importance, usefulness or relevance of all this, for example merely the subject of plausible deniability (PD) in itself. But basically PD is useful when you are being compelled in a court of law to decrypt a drive, or someone has a gun to your head, etc. Ideally you don't even want them to know of the existence of the hidden content, which is easier to accomplish with a hard disk drive (HDD) than with a solid state drive (SSD) or flash drive. The reason why this is, from my understanding, is because of the following five things: 1.) journaling file systems, 2.) defragmenting, 3.) reallocated sectors, 4.) wear-leveling, 5.) the TRIM operation.

With a VeraCrypt-encrypted HDD, if you specifically create two VeraCrypt volumes, a decoy volume and a secondary hidden volume, and then inside that hidden volume you create a virtual drive/OS (I was told the 2nd-layer virtual OS is important, although I don't fully understand why; see link also), you can then provide the "adversary" (government, etc.) access/the password to the decoy volume and claim nothing else on the drive is encrypted, and that it's merely overwritten with pseudorandom data. They both look the same. There is no way that I know of that experts can tell there is a hidden volume in it. But with an SSD or flash drives you can't have plausible deniability like that, because they have wear-leveling and "trim"; you are not 100% safe with SSDs in regards to plausible deniability. A trim operation on SSDs could show attackers sectors that have been marked as free space, which is a disaster for plausible deniability when you delete files in the hidden volume. Wear-leveling can show an attacker multiple sectors changed over time, giving clues that sectors within the "free space" of the VeraCrypt volume are actually sectors of a hidden volume. HDDs present fewer issues for plausible deniability. Correct me if I'm wrong, please.

Basically, with SSDs, if you refuse to give the "adversary" (government, etc.) the password to your hidden VeraCrypt volume, and only give them the decoy password, experts can tell that the hidden volume is there/exists. And they can punish you for being uncooperative. This is only true for SSDs, not HDDs (that I know of). Like I've said, I've been told that the hidden non-decoy volume needs to be a VeraCrypt-encrypted OS and then have a virtual OS inside that.

So on to the main point of my post: how can you have plausible deniability with an SSD? The main objective with plausible deniability is that it's supposed to take the heat off you and make an adversary think they got what they wanted, to appease them. With an SSD you won't be able to give them partial access to the VeraCrypt-encrypted drive like you can with an HDD, correct me if I'm wrong. So I had the following idea, which is to have two SSD drives, or two devices with SSDs. But one of them you claim is corrupted, that you tried to encrypt with VeraCrypt but there was an error, etc. And then the 2nd drive or device is the decoy one. For example, two laptops. Or you can even get a laptop that has two slots for two M.2 SSD drives. You can even put intentional dents/scrapes on the shell of the non-decoy VeraCrypt-encrypted SSD drive, to make it appear damaged.

In regards to smartphones, you can get OSes that have hidden logins/profiles, along with decoy logins. But I am not sure how much plausible deniability they have.

10 Comments
2022/11/21
00:14 UTC

5

Why would this redditor want to disable the ME (Management Engine?) on his laptop with libreboot/coreboot?

3 Comments
2022/11/18
05:09 UTC

14

Question: How to prevent your hard drive(s) from having government-level spyware hidden in them from the factory? See links below.

4 Comments
2022/11/15
23:29 UTC

7

A redditor claimed that there were rumors that a data-only SIM exists and that it only connects to one cellphone tower at a time, which prevents pinpointing of your location; have you heard of this?

-Thanks.

4 Comments
2022/11/15
21:48 UTC

1

What my current privacy-based laptop/smartphone plan/setup is looking like/will be. Any advice?

I plan to get an ASUS TUF F15 Gaming Laptop ($500), because I want it to be high speed, with excellent display graphics and also excellent audio. (Amazon)

Also it has a removable battery for OpSec reasons, a removable hard drive and upgradable RAM.
I will have my OS encrypted with VeraCrypt; it seems that is the best way to make your data uncrackable. I guess a 194-bit password is the minimum length one should use (YMMV). I also like VeraCrypt because it has decoy OSes/logins. Lastly, there is no need for me to enter a 194-bit-long password; what I will do instead is first log into the 1st-layer VeraCrypt login/OS, which will have gigabytes of random code that will have my 194-bit passphrase hidden in it. I search for my 8-character keyword, then copy the 194-bit password and paste it into my final real 2nd-layer VeraCrypt-encrypted OS login. I will also have my 194-bit passphrase backed up and archived/hidden online, on a file uploading site or archive.org.

In regards to what smartphone I will choose, I will either choose GrapheneOS or maybe a Linux-based smartphone OS. There are specific things I want the OS to do, features. And I guess I might have to pay someone to code this for me, if I can't get the GrapheneOS development team to do it. With a Linux-based OS, program code can easily be created, and Python can be run, etc., it appears. Not sure about GrapheneOS.
I'm not sure if I could pay someone to customize/enhance my GrapheneOS, but I'm pretty sure I could with a Linux OS. I've never owned a GrapheneOS device before. Also, lastly, I am researching encrypted SIM cards, encrypted eSIM services and also the IMEI ID#. Any advice is welcome! -Thanks.

15 Comments
2022/11/13
19:07 UTC

0

How can you encrypt your SIM card, or use a virtual SIM/eSIM, that will prevent forensics from being able to see any data about it, such as its phone number, etc.?

-Thanks.

9 Comments
2022/11/10
15:27 UTC

5

Cool way to detect anti-forensic notty malicious SSH shells: https://twitter.com/gabriele_pippi/status/1579480547499573248?t=dAWsJzRS1-2tYdE7TJQoOQ&s=19

0 Comments
2022/10/10
18:20 UTC
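The linked tweet is not reproduced on this page, so what follows is an added example of my own, not its method. The "notty" trick is `ssh -T` (or a forced command) so that sshd never allocates a pseudo-terminal: no utmp/wtmp/lastlog entry is written, so `who`, `w` and `last` do not show the session, yet the attacker can still run an interactive shell (often wrapping it in a pty later). sshd itself labels such session processes "sshd: user@notty" in its process title, and the spawned shell has no controlling terminal. The script applies that heuristic to a constructed `ps -eo pid,ppid,tty,args` listing, flagging shells with TTY "?" whose parent is an sshd session process. Expect noise from legitimate non-interactive use (`ssh host cmd`, configuration management, sftp), so baseline before alerting.

```python
"""Flag shells spawned under sshd sessions that have no controlling tty.
Added example with a constructed process listing, not a real host."""

# Constructed output of: ps -eo pid,ppid,tty,args
SAMPLE_PS = """\
  PID  PPID TT       COMMAND
    1     0 ?        /sbin/init
  812     1 ?        sshd: /usr/sbin/sshd -D [listener]
 2031   812 ?        sshd: alice@pts/0
 2040  2031 pts/0    -bash
 2055   812 ?        sshd: bob@notty
 2061  2055 ?        bash -i
 2070  2061 ?        python3
 2090   812 ?        sshd: carol@notty
 2095  2090 ?        /usr/lib/openssh/sftp-server
"""

SHELLS = {"bash", "sh", "zsh", "dash", "ksh", "fish"}


def parse_ps(text):
    """{pid: (ppid, tty, args)} from `ps -eo pid,ppid,tty,args` output."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip header row
        pid, ppid, tty, args = line.split(None, 3)
        procs[int(pid)] = (int(ppid), tty, args)
    return procs


def is_shell(args):
    """True if the command is a known shell; login shells show as '-bash'."""
    exe = args.split()[0].lstrip("-")
    return exe.rsplit("/", 1)[-1] in SHELLS


def ssh_session_user(args):
    """'bob' for 'sshd: bob@notty'; None for the listener or non-sshd."""
    if not args.startswith("sshd: ") or "@" not in args:
        return None
    return args.split()[1].split("@", 1)[0]


def notty_ssh_shells(procs):
    """[(pid, user)] for shells with no controlling tty whose parent is an
    sshd session process.  Sessions with a pty (pts/N) are left alone."""
    hits = []
    for pid, (ppid, tty, args) in procs.items():
        parent = procs.get(ppid)
        if parent is None or tty != "?" or not is_shell(args):
            continue
        user = ssh_session_user(parent[2])
        if user is not None:
            hits.append((pid, user))
    return sorted(hits)


if __name__ == "__main__":
    for pid, user in notty_ssh_shells(parse_ps(SAMPLE_PS)):
        print(f"no-tty shell pid={pid} under sshd session for {user}")
```

On a live host feed it `subprocess.run(["ps", "-eo", "pid,ppid,tty,args"], capture_output=True, text=True).stdout`; a child that later acquires a pty (for example via python's pty module) will show a pts/N of its own, so correlate on the sshd parent's "@notty" rather than on the shell's tty alone if you extend this.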

10

Best way to clear an SSD before selling a laptop?

I'm going to sell my laptop including its SSD. There's a lot of sensitive data on it, so I'd like to clear it as well as possible.

19 Comments
2022/09/28
17:11 UTC

0

I set a weak password on my Android; will a hacker be able to brute-force the encryption keys of the old password to decrypt it?

I'm wondering if the hash for an old password, particularly on Android 12 on Samsung, will be wiped so a hacker or the feds won't be able to brute-force the phone to recover it and decrypt the phone, or whether I will have to factory reset my phone to wipe the old encryption keys.

3 Comments
2022/08/17
22:42 UTC
