/r/antiforensics
Learn how you can better your privacy by making it much more difficult to do any investigation on your computers.
Read articles, have discussions with fellow subscribers, or just share your stories!
Welcome to the Anti-Computer Forensics subreddit!
Hello, friend. Are you afraid the government is gonna go off the deepend and start knock random doors down checking all of your computers? Are you an activist fighting to preserve our human-rights from being walked all over? Afraid of the TSA asking you to open up your computer and spread your cheeks? Well this is the place for you to learn how to give your self just a bit more privacy.
Relevant topics:
Data hiding
Encryption
Steganography
Data obfuscation
Forensic booby-traps
Data wiping
Obscuring attack techniques
Trail obfuscation
Even anti-anti-forensics is welcome here!
Enjoy your stay. Contribution is greatly appreciate from anyone!
Remember: Anti-forensics is not a confession of illegal activities.
Knowledge is power.
/r/antiforensics
Is it possible to retrieve the data(airdropped logs form a week ago) for forensic audit team after factory reset?
I've been trying to get this app into my hands forva long time but it seems it isn't possible..Or is it? Any advice on this regard? Or at least suggest some free legall analogues please!
Let's assume WhatsApp on iPhone gets regularly backed up to cloud. There is an old WhatsApp chat box that I delete (I AM NOT TALKING ABOUT DELETE FOR EVERYONE FEATURE) and refresh the backup from time to time. Additionally some time also gets passed like months and years to that event along with change of iphones from one to two times. One important thing is that WhatsApp is never installed from fresh and it can't be done because of requirement of preserving work related chats. Will it be possible by forensics to retrieve that chat data given they have full access to mirrored data of phone? I don't think it would be possible for media but what about text? I have read about retrieving text from "chat search" in iOS where FBI investigated some years ago and I don't know if that vulnerability of something like that still there or not. On Android I have found some mixed results but couldn't make any conclusion. But overall I am more focused on iPhone.
How to safely destroy an SSD so that not even the FBI can recover what happened on it?
What sort of data recovery is possible on an iPhone 12, assuming the following:
Thank you.
Hi Everyone.
I'm currently using a Pixel 6a on Graphene OS with Wasted and Duress installed as anti-forensic tool counter measures. They work amazingly well.
I was just wondering, is there any apps available for IPhone that has similar features (obviously not the OS) I.e. Factory reset when data connection is made, if device not unlocked for (set number of days) factory reset. Is there also a duress password app for android? Wipe on entering certain password string?
I just read hackerfactor's article about C2PA and validated metadata.
https://www.hackerfactor.com/blog/index.php?/archives/1010-C2PAs-Butterfly-Effect.html
How can so many big companies get this so wrong? He includes explicit examples for creating forgeries with authenticated cryptographic signatures.
For those involved in computer forensics and incident response, do you frequently employ cold boot attacks against a suspects device? Under what circumstances would a cold boot attack be used?
Using Windows 10. Probably can't delete all the "evidence" data but at least could minimize them. Any suggestion?
Apologies if this is a stupid question; I don't know anything about TV hardware. Do TVs/computer monitors store what is displayed on them, even if only for a short period of time? (similar to volatile memory?) Or do TVs/monitors NOT have any capability to store data that is sent to them via HDMI? Is there any type of storage medium that can hold data either indefinitely or temporarily on modern TVs/monitors? I understand there is with smart TVs, but what about just conventional TVs/monitors?
Essentially, what I am asking is if you were using a computer connected to a monitor/TV as a display, and a third party got a hold of the monitor/TV, is it possible they could perform forensics on the monitor itself to acquire data to see what the user was doing on the computer? Or would this data be purely found on the computer, and no data stored on the monitor/TV?
In this scenario, the computer is not connected to the monitor/TV, and both the computer and TV are powered off with no continuous power supply to either device.
now that M.2 drives are so fast that there is no reason to use a disk cache, I still use a RAM disk for one reason: browser cache files, all downloads, and the windows paging file.
downloads are usually unzipped and thrown away. The browser cache files will be reloaded from the network the first time they're used. you don't notice it. The windows paging file actually runs faster and run out of fast memory from a a fast disk
When you switch your computer off all your activity goes away except what you save on purpose.
I have documents (pdf, txt, etc.) and photo files in the persistent storage of my Tails USB and I edit them using editors such as Libreoffice, Scribus, Okular, etc.(I always use tails OS in offline mode. I never connect to the internet.)
However, some of these documents and photo files must be taken out from this persistent storage to another external hard drive later.
These files taken out to an external hard drive will be moved to my other main laptop for routine use(of course using internet too).
I have a question here, do these files(pdf,txt,jpg,etc.) that were edited in Tails and taken out from Tails have traces of the Tails os?
I never want to be caught in the presence and use of Tails os.
Please exclude my tails USB itself(because no one knows its existence), can the existence and use of Tails Os be discovered through those files or the laptop?(In the extreme, if someone do forensics for those files or laptop).
If so, is there any way to completely remove the traces of presence and use of Tails OS from those files?
I accidentally reflashed my micro sd that had kali running. I know it uses flash memory so is that data just gone? Please help
Last night i screenshot a person and performed reverse image search via google and google found exact person page
Is there a software that can prevent such thing. For eg. alter image bits/pixels like that in antiforensic?
Hi, everyone. We are looking for privacy-conscious iOS users willing to beta-test a new app that you may find useful.
Praxis is a companion to your web browser that lets you quickly view any web page with all scripts, cookies, trackers, etc. on it completely blocked. This will prevent the site from tracking or identifying you, and in some cases will make for a more enjoyable reading experience without any ads or popups.
It’s basically like an Incognito mode on steroids that’s available from anywhere on your phone. You can use our share extension to quickly open Praxis directly from Safari, for example.
If you have an iPhone running iOS 16, you can sign up on TestFlight https://testflight.apple.com/join/LXPR9UVp
Your participation is completely anonymous. You can submit feedback via the built-in Apple interface, or just reach out on here if you have any questions.
✌️
So if I browse the Web with a normal browser without incognito mode, it stores information on my hard drive that can be forensically recovered. If i use tor, this runs entirely in ram so the above couldn't happen.
How about if I use a normal browser in private mode? Does this also run in ram, what data can be retrieved from say Firefox private browser mode after the fact e.g closed browser, restarted computer?
Also, if I own a USB which is ssd, it has a pirated copy of robo cop ( example only lol ) when I delete robo cop it is moved to the unallocated space where it will lay until rewritten.
When does this take place, assuming I use the drive ( fill it full of copies of terminator 2 )
When does this take place on a lux encrypted ssd?
I hear the file or part of its file could be moved to an inaccessible part of the usb, ( e.g If i have a 32gb USB with only 30gb accessible, that's the location I mean ). If this is the case, could a forensic team retrieve this or is it too costly to justify?
What would be your threat model/adversary to go to this level?
Would fully encrypting the disk erase said inaccesible location or the ability to retrieve?
Im guessing all your file activity and maybe every click it catalogued somewhere when using MAC OS and Windows.
Where do I start with the basics of finding out where and how these are stored? I will then want to purge them every so on.
Thanks in advance
Where are traces of using kali (cause its the most used by hacker) tools stored inside the system for forensics when the attacker's device is found during an investigation if he didn't delete or wipe them?In other words, where is the evidence of the crime stored inside the system (if he has kali on USB, CD, dual booted or even a VM) .
Hope my question is clear. Thank you in advance for your time reading my post.
First off I am a cypherpunk, which is any individual advocating widespread use of strong cryptography and privacy-enhancing technologies as a route to social and political change.
This is a complex subject for a lot, a lot of people dont understand the importance,usefulness or relevance of all this, for example merely the subject of plausible deniability(PD) in itself. But basically PD is useful when you are being compelled in a court of law to decrypt a drive. Or someone has a gun to your head, etc. Ideally you dont even want them to know the existence of the hidden content. Which is easier to accomplish with a Hard Disk Drive(HDD) rather than a Solid state(SSD) or flash drive. The reason why this is, from my understanding, is because of the following five things: 1.) Journaling File Systems, 2.) Defragmenting , 3.) Reallocated Sectors, 4.) Wear-Leveling, 5.) Trim Operation.
With a veracrypted HDD if you specifically create two veracrypted volumes, a decoy volume & a secondary hidden volume & then inside that hidden volume you create a virtual drive/OS(I was told the 2nd layer virtual OS is important although I dont fully understand why(See Link also.) You can then provide the "adversary"(government,etc) access/password to the decoy volume & claim nothing else on the drive is encrypted, & that it's merely overwritten with pseudorandom data. They both look the same. There is no way that I know of that experts can tell there is a hidden volume in it. But with an SSD or flash drives you can’t have plausible deniability like that because they have wear-leveling and "trim", you are not 100% safe with SSDs in regards to plausible deniability. A trim operation on SSDs could show attackers sectors that have been marked as free space, which is a disaster for plausible deniability when you delete files in the hidden volume. Wear-leveling can show an attacker multiple sectors changed over time, giving clues that sectors within the “free space” of the Veracrypt volume are actually sectors of a hidden volume. HDDs present less issues for plausible deniability. Correct me if I'm wrong please.
Basically, with SDD's if you refuse to give the "adversary"(government,etc) the password to your hidden veracrypted volume, & only give them the decoy password, experts can tell that the hidden voume is there/exists. And they can punish you for being uncooperative. This is only true for SSD's, not HDD's(that I know of). Like I've said, I've been told that the hidden non-decoy volume needs to be a veracrypted OS & then have a virtual OS inside that.
-----So on to the main point of my post, how can you have plausible deniability with an SSD? The main objective with plausible deniability is that it’s supposed to take the heat off you and make an adversary think they got what they wanted, appease them. With an SSD you wont be able to give them partial access to the veracrypted drive like you can with an HDD, correct me if I'm wrong. So I had the following idea, which is to have two SSD drives, or two devices with SSD's. But one of them you claim is corrupted, that you tried to veracrypt but there was an error,etc. And then the 2nd drive or device is the decoy one. For example, two laptops. Or you can even get a laptop that has two spots for two M.2 SSD drives. You can even put intentional dents/scrapes on the shell of the non decoy veracrypted SSD drive, make it appear damaged.
In regards to smartphones, you can get OS's that have hidden logins/profiles, along with decoy logins. But I am not sure how much plausible deniability they have.
-Thanks.
I plan to get an ASUS TUF F15 Gaming Laptop($500), because I want it to be high speed, excellent display graphics & also excellent audio. (Amazon)
Also it has a removable battery for OpSec reasons, removable hard drive & upgradable RAM.
I will have my OS encrypted with Veracrypt, seems that is the best way to make your data uncrackable. I guess a 194 bit password is the minimum length one should use(YMMV). I also like veracrypt because it has decoy OS's/logins. Lastly, there is no need for me to enter in a 194 bit long password, what i will do instead is first log into the 1st layer veracrypt login/OS, which will have gigabytes of random code, that will have my 194 bit passphrase hidden in it, i search for my 8 character keyword then copy the 194 bit password then paste it into my final real 2nd later veracrypted OS login. I will also have my 194 passphrase backed up & archived/hidden online, on a file uploading site, or archive.org.
In regards to what smartphone I will choose, I will either choose grapheneOS or maybe a linux based smartphone OS. There are specific things I want the OS to do, features. And I guess I might have to pay someone to code this for me, if I cant get the grapheneOS development team to do it. With a linux based OS, program code can easily be created, & python can be run, etc, it appears. Not sure about grapheneOS.
I'm not sure if I could pay someone to customize/enhance my grapheneOS, but I'm pretty sure I could with a linux OS. I've never owned a grapheneOS before. Also lastly, I am researching about encrypted SIM cards,encrypted eSIM services & also IMEI ID#. Any advice is welcome! -Thanks.
-Thanks.
I'm going to sell my Laptop icuding it's SSD. There's a lot of sensitve data on it so I'd like to clear it as good as possible.
I'm wondering if the hash for an old password, particular on android 12 on samsung, will be wiped so a hacker or feds won't be able to brute force the phone to recover it and decrypt the phone, or will I have to factory reset my phone to wipe the old encryption keys
I have a Windows laptop that has been formatted twice, once with the "keep files" option and then later with the "remove everything/clean install" option. The laptop has since been used a bit, and theres something like 50gb/500gb of free space left. Ill be giving this laptop away but need to still have it operational/windows installed
I wanted to make sure I removed anything from before the computer was formatted, or at least make it unrecoverable. Ive seen a few tools that allow complete wiping of the entire drive, but that wouldnt work as I need to keep the current windows installation
Are there any tools that allow me to specify what to wipe, something along the lines of doing data recovery and then specifically choosing the files to wipe? Ive done some basic data recovery (DMDE, Recuva etc) to see what all they can pull back, and would like to be able to securely delete some of the things they find