/r/antiforensics

Photograph via snooOG

Learn how you can better your privacy by making it much more difficult to do any investigation on your computers.

Read articles, have discussions with fellow subscribers, or just share your stories!

About

Welcome to the Anti-Computer Forensics subreddit!

Hello, friend. Are you afraid the government is gonna go off the deepend and start knock random doors down checking all of your computers? Are you an activist fighting to preserve our human-rights from being walked all over? Afraid of the TSA asking you to open up your computer and spread your cheeks? Well this is the place for you to learn how to give your self just a bit more privacy.

Relevant topics:

  • Data hiding

  • Encryption

  • Steganography

  • Data obfuscation

  • Forensic booby-traps

  • Data wiping

  • Obscuring attack techniques

  • Trail obfuscation

  • Even anti-anti-forensics is welcome here!

Enjoy your stay. Contribution is greatly appreciate from anyone!

Remember: Anti-forensics is not a confession of illegal activities.

Knowledge is power.

Other great subreddits:

/r/ComputerForensics

/r/MemoryForensics

/r/Privacy

/r/Hacking

/r/NetSec

/r/Crypto

/r/GnuPG

/r/Programming

/r/DarknetPlan

/r/i2p

/r/Tor

Links:

Forensic Wiki

Anti-Forensics

Tor Project

I2P

/r/antiforensics

13,563 Subscribers

9

Will the new feature "inactivity reboot" in iOS 18.1 make it harder to get the data from a phone?

Will the "inactivity reboot" in iOS 18.1 make it harder to get the data from a phone because of the BFU-mode after restart?

8 Comments
2024/11/09
14:02 UTC

14

Anti-Forensics for Android on XDA

I was browsing XDA forums and came across this app- It's free, open-source, and designed to protect sensitive data from any kind of pressure that might force you to unlock your device. Thought it might be helpful for you.

Apparently, the dev was inspired by another app called Wasted by x13a, which could factory reset a device under duress using triggers like a special password or USB connection. While that’s great, factory resets can be obvious and risky if the person holding your device realizes what's going on. This app takes it up a notch by discreetly wiping data within a specific user profile, then uninstalling or hiding itself so it leaves as few traces as possible.

You can set it up to wipe data if a duress password is entered on the lock screen, if a USB device connects without approval, or after repeated failed password attempts. There are some other features available: disabling logs to hide apps actions, disabling safe boot mode and running TRIM after data destruction. App has versions disguised as other apps to make detection of it traces in system harder.

Looks interesting for me, though I'm not sure to what extent renaming package will protect against finding traces of app activity on device. Also app requires root rights for most advanced functions and you must use ADB to install it. You can check it out on GitHub for the full rundown.

I'd also be happy for any comments on it, specifically about its trustworthiness

4 Comments
2024/10/29
17:31 UTC

2

Samsung galaxy note

I did a factory reset on my phone. The next morning I restarted my phone, and the first thing i seen was a black screen with the following words you phone was encrypted for security put in your password.

Mind you I have factory reseted my phone many times before and this never happened....whats going on?

0 Comments
2024/10/21
17:53 UTC

12

Law Enforcement vs locked iPhone 15

As in the title, in connection with the ongoing investigation, the police took over my iPhone 15 with the iOS 18.0.1. Before they took it i put it into the BFU mode, u guys think what data will they be able to extract from the phone? I will add that the matter is big and I think they will want to get in at all costs.

15 Comments
2024/10/17
20:16 UTC

5

Need Help

I will keep this as short as possible..

I used to work in investigative journalism, just a group of amateur friends who started a mobile app about news and politics..

I live in an authoritarian country, and now there is a possibility of me and my friends being detained for the aforementioned activity.

We did most of our work on phone, you know.. documents, memos, screenshots..

My question is, how much can LE extract from a reset Android 10 (in a 3rd world country, with limited budget maybe).

Thank you everyone.

7 Comments
2024/10/05
20:52 UTC

11

Bash script to remove all traces

Hello everyone, I'm currently learning bash,

And to concretize my learning I would like to create a really useful script my goal is to create a script to remove all trace of my message on a linux machine.
I have several questions :

Is it ethical?(My goal is clearly not to delete my traces on a site I don't have the rights to.)
How do I proceed? (where can I find out about all the stuff I have to delete?)

I'm not an expert, so if you have any links to help me learn bash or improve my bash skills, I'd love to hear from you.
My goal is to have a cyber-related project to improve my bash skills.

Thank you in advance for your help.

10 Comments
2024/08/19
15:13 UTC

6

Best ways to wipe an ssd thread

Ssd are harder to wipe than hdd and easier to recover with forensic tools. What are the best ways to wipe an ssd to be unrecoverable by recovery tools but usable afterwards for maybe resale?

16 Comments
2024/08/04
11:20 UTC

3

Detect gps tracker offline

How to detect a gps tracker that works without internet or mobile phone but with an sd card?

3 Comments
2024/08/03
20:54 UTC

7

Anyone used Active Killdisk Secure Erase

My company has me using active killdisk for wiping hdds because its mostly affordable but especially because it create erasure certificates. I now need to securely wipe ssds for reuse. I understand that they best method for ssd data destruction is physical destruction but in this case we need to still have working drives afterwards for reuse inside the company. I was thinking about asking for an upgraded license for Active@ KillDisk Ultimate because it supports "low level" atp secure erase whatever that means. I was just wondering if anyone had any experience with secure erase with Active Killdisk or if there are any alternatives I should look at. Just to clarify I need software that create certificates so that is why I dont want to use trim or manufacturer specific software.

Thank you for your time

6 Comments
2024/07/25
21:02 UTC

2

Edited photo

Hello everyone. I have a report (with forensics image by UFED) regarding some photographs extracted from an iPhone, where I suspect the photos were uploaded to the phone later with modified metadata before being uploaded. Is it possible to retrieve any information to understand if this has occurred?

3 Comments
2024/06/29
09:18 UTC

3

where can i find the IEEE 2883-2022 paper? everything has a strong paywall, even scihub doesnt have it.

8 Comments
2024/06/23
06:17 UTC

11

How to make sure data is wiped permanently and beyond recovery for an HDD without drilling a hole in it ?

If that's even possible.

13 Comments
2024/06/22
06:46 UTC

10

Overwriten SSD vs Law Enfrocement Data Recovery

Hi, in connection with the ongoing investigation, the police seized my computer with an SSD drive, well before their visit I reset windows to factory settings (selected the "clean drive" option in the additional settings, whatever that does) and then overwrote the free space 1 time (probably using zeros or random) by 3rd party software, how do you think what they will be able to recover, after all, I heard that overwriting data does not cooperate with SSDs.

11 Comments
2024/06/18
18:37 UTC

8

LawEenforcement returned my device (Europe)

Hi,

I was/am a suspect in a case, they got a warrant for my phone - forensics did their job - found shit.(no murder)

Device: Iphone 12 ( ios 17)

My question: Im thinking they could've put smth into my phone like a file that is streaming phone screen to their servers or smth like that. Do you think LE does this ? Im still going to factory reset this phone of mine, eventually sell it on eBay. I suggest u to do the same if you experienced smth similiar.

Kind Regards

edit: My bad... theres no open case yet, "found shit" - literally means poo, also fyi dont trap on droids xd

21 Comments
2024/06/09
09:39 UTC

3

Question about camera and logs

Camera which captures and sd card which stores. Let's say something was recorded/captured which camera saved in sd card, But sd card is destroyed. So does camera has any kind of logs about time when something was recorded with camera with date, time etc . Like logs ? Answer for both DSLR AND CCTV

1 Comment
2024/06/05
18:33 UTC

12

IOS forensics

Hi guys,

Im interested in forensics but just a question if you guys dont mind?

From my research all systems such as Cellebrite, Axiom, Oxygen and elcomsoft are industry standards but reading forums and reddit pages these systems do work with android and windows but the only issue is im very interested in apple devices specifically iPhones.

Clearly forensics on ios is hushed online ive literally seen forum pages been deleted but whys that?

I know apple constantly tries to block forensics on ios devices but companies find work around and around it constantly goes. I was talking to a PHD professor and she did state that its like a blackbox with foresnsics in iPhones its a void where its extremely quiet but sensitive.

I know you cannot do a physical extraction at all just an advanced ffs extraction but does that include previous application data such as thumbnails, login details, geographical information etc?

I know snapchat if the messages are not downloaded or saved they are gone forever this includes images aswell.

One thing is that icloud/itunes backups which can be downloaded and forensically analysed is possible but that can be anything.

I do know usage of cloud storage google drive, box, dropbox, terabox, mega, onedrive can have data but companies dont save the data if the passwords are lost but do the client devices obtain the data such as login data, thumbnails of images and videos which arent downloaded etc.

Any insights?

4 Comments
2024/05/19
13:13 UTC

1

Retrieve airdropped logs from mac laptop after factory reset

Is it possible to retrieve the data(airdropped logs form a week ago) for forensic audit team after factory reset?

0 Comments
2024/04/29
14:10 UTC

4

Is there any way to use Amped Five app without being cop/special service?

I've been trying to get this app into my hands forva long time but it seems it isn't possible..Or is it? Any advice on this regard? Or at least suggest some free legall analogues please!

1 Comment
2024/04/08
08:37 UTC

2

Is it possible for law enforcement/forensics to retrieve deleted WhatsApp text threads box in iOS or Android after a long time has passed?

Let's assume WhatsApp on iPhone gets regularly backed up to cloud. There is an old WhatsApp chat box that I delete (I AM NOT TALKING ABOUT DELETE FOR EVERYONE FEATURE) and refresh the backup from time to time. Additionally some time also gets passed like months and years to that event along with change of iphones from one to two times. One important thing is that WhatsApp is never installed from fresh and it can't be done because of requirement of preserving work related chats. Will it be possible by forensics to retrieve that chat data given they have full access to mirrored data of phone? I don't think it would be possible for media but what about text? I have read about retrieving text from "chat search" in iOS where FBI investigated some years ago and I don't know if that vulnerability of something like that still there or not. On Android I have found some mixed results but couldn't make any conclusion. But overall I am more focused on iPhone.

1 Comment
2024/04/04
16:53 UTC

6

Questions about SSD destruction

How to safely destroy an SSD so that not even the FBI can recover what happened on it?

9 Comments
2024/01/30
08:26 UTC

4

If i download a jpg from social media, what trackable metadata will it have in the file itself? and does my PC attach trackable metadata to the jpg if I share it to someone else anonymously? -Thanks

5 Comments
2023/12/23
09:59 UTC

5

Creating authentic forgeries with C2PA

I just read hackerfactor's article about C2PA and validated metadata.

https://www.hackerfactor.com/blog/index.php?/archives/1010-C2PAs-Butterfly-Effect.html

How can so many big companies get this so wrong? He includes explicit examples for creating forgeries with authenticated cryptographic signatures.

0 Comments
2023/11/18
18:19 UTC

7

Are cold boot attacks used frequently during incident response?

For those involved in computer forensics and incident response, do you frequently employ cold boot attacks against a suspects device? Under what circumstances would a cold boot attack be used?

5 Comments
2023/08/26
17:27 UTC

0

How do I delete evidences and history of every file, game, program on my computer ever?

Using Windows 10. Probably can't delete all the "evidence" data but at least could minimize them. Any suggestion?

10 Comments
2023/08/17
13:35 UTC

5

Is it possible to perform a forensic acquisition on a TV/monitor screen?

Apologies if this is a stupid question; I don't know anything about TV hardware. Do TVs/computer monitors store what is displayed on them, even if only for a short period of time? (similar to volatile memory?) Or do TVs/monitors NOT have any capability to store data that is sent to them via HDMI? Is there any type of storage medium that can hold data either indefinitely or temporarily on modern TVs/monitors? I understand there is with smart TVs, but what about just conventional TVs/monitors?

Essentially, what I am asking is if you were using a computer connected to a monitor/TV as a display, and a third party got a hold of the monitor/TV, is it possible they could perform forensics on the monitor itself to acquire data to see what the user was doing on the computer? Or would this data be purely found on the computer, and no data stored on the monitor/TV?

In this scenario, the computer is not connected to the monitor/TV, and both the computer and TV are powered off with no continuous power supply to either device.

8 Comments
2023/08/09
12:06 UTC

4

case of the disappearing evidence!!

now that M.2 drives are so fast that there is no reason to use a disk cache, I still use a RAM disk for one reason: browser cache files, all downloads, and the windows paging file.

downloads are usually unzipped and thrown away. The browser cache files will be reloaded from the network the first time they're used. you don't notice it. The windows paging file actually runs faster and run out of fast memory from a a fast disk

When you switch your computer off all your activity goes away except what you save on purpose.

0 Comments
2023/08/05
14:28 UTC

5

Files taken out from Tails have traces of Tails?

I have documents (pdf, txt, etc.) and photo files in the persistent storage of my Tails USB and I edit them using editors such as Libreoffice, Scribus, Okular, etc.(I always use tails OS in offline mode. I never connect to the internet.)

However, some of these documents and photo files must be taken out from this persistent storage to another external hard drive later.

These files taken out to an external hard drive will be moved to my other main laptop for routine use(of course using internet too).

I have a question here, do these files(pdf,txt,jpg,etc.) that were edited in Tails and taken out from Tails have traces of the Tails os?

I never want to be caught in the presence and use of Tails os.

Please exclude my tails USB itself(because no one knows its existence), can the existence and use of Tails Os be discovered through those files or the laptop?(In the extreme, if someone do forensics for those files or laptop).

If so, is there any way to completely remove the traces of presence and use of Tails OS from those files?

5 Comments
2023/06/27
06:19 UTC

Back To Top