Anti-Forensics

From The Black OP Security Wiki

How To Install

Disable Built-in Forensic Artifacts: Windows (XP mostly)

Disable UserAssist

UserAssist is not a program but a set of registry keys under the current user's hive in which Windows Explorer records which programs and shortcuts you launch, how many times, and when you last did so (the value names are obfuscated with ROT13, the data holds a run counter and a FILETIME). Explorer uses it to build the frequently used programs list on the Start menu, so disabling it also disables that list. Forensic examiners read these keys to build a timeline of program use.


1. To disable UserAssist we need to edit the registry. Go to your Start menu and select Run.

2. Type regedit and press Enter to open the Registry Editor.

3. Using the tree on the left, go to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist


4. There are two subkeys under UserAssist with long GUID names in braces. Under each of them is a subkey called Count, which holds the recorded entries. Delete both Count subkeys to remove what has been logged so far.

5. Add a new subkey called "Settings" directly under the UserAssist key: right-click UserAssist and select New > Key.

6. Add a DWORD value named "NoLog" in the Settings subkey: select Settings, right-click in the empty pane to the right of the tree, choose New > DWORD Value and name it NoLog.

7. Set the NoLog value to 1.

8. Log off and back on (or restart Explorer) so the setting is picked up; Explorer then stops writing UserAssist entries. Three caveats: the NoLog switch is only documented for Windows XP; deleting the Count keys does not scrub the freed space inside the NTUSER.DAT hive file, so the old entries can still be carved from it until the hive is compacted; and an examiner who finds UserAssist empty on an otherwise well-used machine will read that as deliberate tampering rather than as absence of activity.
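To see exactly what an examiner gets from these keys, here is a small decoder for the XP-format Count values. This is an added example, not code from the wiki: it applies the ROT13 de-obfuscation and unpacks the 16-byte value layout (session id, run counter, last-run FILETIME) that XP uses, with the documented XP quirk that the counter starts at 5. The sample entry is constructed for the example and not taken from a real system.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME: 100 ns ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """Convert a 64-bit Windows FILETIME to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using exact integer arithmetic."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def decode_userassist_xp(value_name, value_data):
    """Decode one value from a UserAssist\\{GUID}\\Count key, Windows XP layout.

    value_name: the value name as stored, ROT13-obfuscated (e.g. HRZR_EHACNGU:...)
    value_data: 16 bytes: session id (DWORD), run counter (DWORD), last-run FILETIME
    On XP the run counter starts at 5, so launches = counter - 5.
    """
    if len(value_data) != 16:
        raise ValueError("expected 16-byte XP UserAssist value, got %d bytes" % len(value_data))
    session, counter, last_run = struct.unpack("<IIQ", value_data)
    return {
        "name": codecs.decode(value_name, "rot_13"),
        "session": session,
        "runs": max(counter - 5, 0),
        "last_run": filetime_to_datetime(last_run) if last_run else None,
    }

# Constructed sample (not from a real system): the entry Explorer would hold after
# notepad.exe was launched three times, last on 2009-03-14 15:09:26 UTC.
SAMPLE_LAST_RUN = datetime(2009, 3, 14, 15, 9, 26, tzinfo=timezone.utc)
SAMPLE_NAME = codecs.encode("UEME_RUNPATH:C:\\WINDOWS\\system32\\notepad.exe", "rot_13")
SAMPLE_DATA = struct.pack("<IIQ", 7, 3 + 5, datetime_to_filetime(SAMPLE_LAST_RUN))

if __name__ == "__main__":
    print("stored as:", SAMPLE_NAME)
    print("decoded: ", decode_userassist_xp(SAMPLE_NAME, SAMPLE_DATA))
```

Point the decoder at real values exported from regedit (or at the hive with a registry parser) and every launch a user ever made from Explorer comes back with a timestamp, which is why the key is worth turning off.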

Disable index.dat

The index.dat files are Internet Explorer's index files for its cache, history and cookies. They record every URL you visited or typed (search engine queries included, since those are just URLs) with timestamps, and they keep growing because deleted records are only marked unused, not scrubbed, so old entries stay readable inside the file until that space is reused. They cannot be deleted from a normal session because Explorer and Internet Explorer keep them open, which is why the procedure below uses Safe Mode. Examiners routinely parse them to reconstruct browsing history, and between reinstalls a long-running machine can accumulate hundreds of megabytes of them.

To remove them, reboot into Safe Mode and log in as Administrator. Open a command prompt, type CD\ and press Enter to go to the root of the drive, then type del /s /a index.dat and press Enter (the /a switch makes del include hidden and system files, which these are; without it they are skipped). This deletes every index.dat on the drive. Be aware that Windows recreates empty index.dat files at the next logon, that the deleted files are only unlinked and can be carved from unallocated space until it is overwritten (run a free-space wiper afterwards, see the secure erase section), and that part of the same history also lives in the per-user registry under Internet Explorer's TypedURLs key, which this does not touch.

General Protection + Protect Crypto Keys

1. System Restore points exist to roll the system back to an earlier date in case you break drivers or similar. Some people use them, most never do. They take up a lot of space and open a lot of doors to a forensic examiner: each restore point holds copies of system files and registry hives from that moment, so an examiner can compare the system at different points in time to build a timeline, and copies of files you have since deleted or wiped can survive inside a restore point untouched. Restore points also preserve malware: even if you remove a virus from the live system, a copy can sit in the restore files waiting to be restored.

To disable System Restore, right-click My Computer, go to Properties, click the System Restore tab and check "Turn off System Restore". Existing restore points are deleted when you do this, but the space they occupied is not wiped, so follow up with a free-space wipe.

2. Turn off hibernation. Hibernation saves power by letting you shut the machine down without losing your work: Windows writes the entire contents of RAM to hiberfil.sys on the system drive and reads it back at the next boot. This is very dangerous for on-the-fly encryption (OTFE, for example TrueCrypt) because the keys of mounted volumes live in RAM, and they go into hiberfil.sys in the clear along with everything else. An examiner who images the drive can pull the key out of that file and open the container without your password. (TrueCrypt's whole-system encryption covers hiberfil.sys because it sits on the encrypted system partition; keys of containers mounted on an unencrypted system drive are not protected.)

To disable this, go to Control Panel and, in Classic View, select Power Options. Go to the Hibernate tab and make sure the "Enable hibernation" box is not checked; the same can be done from a command prompt with powercfg /hibernate off. Windows deletes hiberfil.sys when hibernation is turned off, but its contents remain on disk until overwritten, so wipe free space afterwards. Some systems will not have the hibernate option in the first place.

3. Disable power being cut to the hard drive. Go to Control Panel in Classic View, select Power Options, and on the Power Schemes tab set "Turn off hard disks" to Never.


4. Disable standby from the registry. This removes the ability to put the machine into standby even manually. Standby keeps RAM powered with your keys still in it, so it is safer to turn it off completely than to rely on never pressing the wrong button.

To do this, create a new text document and name it disable standby. Rename the extension to .reg (you will need file extensions visible to do this; make sure the file really is disable standby.reg and not disable standby.reg.txt with the .txt hidden). Before merging it, open regedit, select HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPI\Parameters and use File > Export to back the key up, because these are low-level ACPI driver settings and a machine that misbehaves afterwards is fixed by restoring that export. Now open the .reg file with Notepad, add the following text to it, save, and double-click it to merge:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPI\Parameters]
"AMLIMaxCTObjs"=hex:04,00,00,00
"Attributes"=dword:00000070

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ACPI\Parameters\WakeUp]
"FixedEventMask"=hex:20,05
"FixedEventStatus"=hex:00,84
"GenericEventMask"=hex:18,50,00,10
"GenericEventStatus"=hex:10,00,ff,00


5. Disable the page file (swap space) and crash dumps. The page file is the area of the hard drive that Windows writes memory pages to when RAM runs short, and a crash dump (memory.dmp) is a copy of RAM written to disk after a blue screen. If an encryption key is in RAM, either mechanism can land it on the drive in the clear, where an examiner can retrieve it.

To turn off crash dumps, right-click My Computer, go to Properties, click the Advanced tab, and under Startup and Recovery click Settings; change the "Write debugging information" drop-down to "(none)". To turn off the page file, on the same Advanced tab click Settings under Performance, go to its Advanced tab, click Change under Virtual memory, select "No paging file" for every drive and click Set. If you must keep a page file, at least set the DWORD value ClearPageFileAtShutdown under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management to 1, which makes Windows zero the page file at every clean shutdown; this does nothing if power is simply cut.

6. Disable the last accessed timestamp. Every NTFS file carries four timestamps (created, modified, accessed, and MFT entry modified), and forensic timeline tools such as EnCase, which the FBI and many other agencies use, are built on them. You can use the anti-forensic program Timestomp to modify or forge all four; I talk about this in the anti-forensic software section. As far as stopping the system from recording them goes, only last accessed can be switched off, and I suggest everyone disables it system wide.

Notice: if you use backup software or other software that depends on the last accessed timestamp, you may not want to do this. Weigh the benefit of keeping full drive backups against the benefit of denying an examiner an accurate timeline.

To disable last accessed timestamp updates, open a command prompt and run: fsutil behavior set disablelastaccess 1 (this sets NtfsDisableLastAccessUpdate in the registry and takes effect after a reboot). It only stops future updates: the last accessed values already on disk stay as they are, and the other three timestamps continue to be recorded.

Anti-Forensic Software: Windows

TimeStomp

TimeStomp is an anti-forensic tool (part of the Metasploit Anti-Forensics Project) that lets you set all four NTFS timestamps of a file to arbitrary values. It can also blank the timestamps in such a way that older versions of EnCase display no time data for the file at all (expect federal law enforcement to have current versions, but many non-federal organisations that do computer forensics may not). This has a variety of uses. First, you can backdate the timestamps on encrypted containers to make it look as if they were created and last used a long time ago, which gives you a plausible reason for having "forgotten" the password ("I have not opened that file in two years, just look at the timestamps"). Second, you can forge timestamps so that any timeline loses credibility in court ("half of my files were created in 1900, so the ones you say were created recently are not credible, my timestamps are obviously not accurate"). Third, you can deny older versions of EnCase the ability to build a timeline at all ("you have no timestamp evidence because you use out of date software, the new software costs more than your budget has, and the feds do not want this case").

Be aware of what TimeStomp does not touch. It writes the new values through the standard Windows file-time API, which updates the $STANDARD_INFORMATION attribute of the file's MFT record only. NTFS keeps a second copy of the four timestamps in the $FILE_NAME attribute, which that API cannot set and which the kernel refreshes when the file is created, moved or renamed. An examiner who sees $STANDARD_INFORMATION times earlier than the $FILE_NAME times, or timestamps whose fractional seconds are exactly zero (TimeStomp takes its input at one-second resolution), has good evidence of tampering even without knowing the real values, and the USN journal, $LogFile and any backups hold timestamps you never changed.
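The detection side of the previous two sections, as an added example rather than anything from the wiki or from the Timestomp project: the three checks below are the standard heuristics an examiner runs over MFT records to spot timestamps set through the file-time API. The record layout (dicts of FILETIME integers for $STANDARD_INFORMATION and $FILE_NAME) is a constructed representation; a real MFT parser would supply it. The sample records are constructed too, one untouched file, one backdated to 2005 at one-second resolution, and one set to 1900 as the page suggests.

```python
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000          # NTFS timestamps are 100 ns ticks
FIELDS = ("created", "modified", "mft_modified", "accessed")

def to_filetime(dt, ticks=0):
    """Build a FILETIME from a whole-second datetime plus sub-second ticks."""
    return ((dt - FILETIME_EPOCH) // timedelta(seconds=1)) * TICKS_PER_SECOND + ticks

def filetime_year(ft):
    return (FILETIME_EPOCH + timedelta(microseconds=ft // 10)).year

def timestomp_indicators(record):
    """Return the reasons an MFT record's timestamps look tampered with.

    record = {"name": str, "si": {...}, "fn": {...}} where si and fn map FIELDS
    to FILETIME integers for $STANDARD_INFORMATION and $FILE_NAME (constructed
    representation for this example). An empty list means nothing suspicious;
    these are heuristics, not proof.
    """
    si, fn = record["si"], record["fn"]
    reasons = []
    # 1. The file-time API writes $SI only. NTFS copies $SI into $FN when the
    #    file is created, moved or renamed, so $SI cannot naturally be older.
    if si["created"] < fn["created"]:
        reasons.append("$SI created is earlier than $FN created")
    # 2. Tools that accept "MM/DD/YYYY HH:MM:SS" leave the 100 ns field zero in
    #    every timestamp; a running system almost never does that for all four.
    #    (Files copied from FAT have 2 s resolution and can trip this: check the source.)
    if all(si[f] % TICKS_PER_SECOND == 0 for f in FIELDS):
        reasons.append("all $SI timestamps fall exactly on a second boundary")
    # 3. Years before NTFS existed cannot come from normal operation.
    if any(filetime_year(si[f]) < 1993 for f in FIELDS):
        reasons.append("$SI timestamp predates NTFS")
    return reasons

def _rec(name, si_times, fn_times, si_ticks, fn_ticks):
    si = {f: to_filetime(t, si_ticks) for f, t in zip(FIELDS, si_times)}
    fn = {f: to_filetime(t, fn_ticks) for f, t in zip(FIELDS, fn_times)}
    return {"name": name, "si": si, "fn": fn}

# Constructed sample records (not from a real disk image).
_T0 = datetime(2009, 3, 14, 15, 9, 26, tzinfo=timezone.utc)
_T1 = _T0 + timedelta(days=2, hours=3)
UNTOUCHED = _rec("report.doc", (_T0, _T1, _T1, _T1), (_T0, _T0, _T0, _T0), 1234567, 1234567)
# Backdated to 2005 with a one-second-resolution tool; $FN still says 2009.
BACKDATED = _rec("container.tc",
                 (datetime(2005, 1, 1, tzinfo=timezone.utc),) * 4,
                 (_T0, _T0, _T0, _T0), 0, 1234567)
# The "created in 1900" trick from the text.
ANCIENT = _rec("notes.txt",
               (datetime(1900, 1, 1, tzinfo=timezone.utc),) * 4,
               (_T0, _T0, _T0, _T0), 0, 1234567)

def scan(records):
    """Map file name -> indicator list for every record that has any."""
    return {r["name"]: timestomp_indicators(r) for r in records if timestomp_indicators(r)}

if __name__ == "__main__":
    for name, why in scan([UNTOUCHED, BACKDATED, ANCIENT]).items():
        print(name, "->", "; ".join(why))
```

The lesson for the anti-forensics side is that changing $STANDARD_INFORMATION alone produces records that fail checks 1 and 2 on sight; the 1900 trick adds check 3 on top.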

Slacker

Slacker (also from the Metasploit Anti-Forensics Project) hides a file by splitting it across the slack space of hundreds or thousands of other files, that is, the unused bytes between the end of each file's data and the end of its last cluster. The hidden data is not indexed as a file, so tools that work file by file will not present it for analysis. It is not strong steganography, though: slack space is exactly what forensic suites such as EnCase carve and keyword-search by default, so encrypt anything you hide this way, and remember that whenever one of the host files grows or is rewritten the fragment in its slack is destroyed.

Transmogrify

Transmogrify lets you change the header and signature bytes of a file. File signature analysis in EnCase compares a file's extension with its magic bytes, and this can be used to make, for example, a text file look like a music file to that check. Changing the header also breaks the file for the application that would normally open it until you change it back, and keyword searches over the raw contents are unaffected.

How It Works

(Anti)Forensics FAQ

Q. So what exactly does forensics mean in the context of computers?

A. Computer forensics is the field of gathering evidence from computer systems. Its primary goals are:

1. Establish a timeline of events that took place on a computer
2. Discover connections between data and the computers the data came from or originated on
3. Circumvent security systems, such as encryption
4. Recover data that people have attempted to destroy
5. Determine which computer system caused a particular thing to happen on another computer system

Computer forensic examiners use a variety of technology, both software and hardware, to assist them with these goals.


Q. If I use encryption, forensics can't hurt me, right?

A. Although encryption is undoubtedly the best countermeasure against computer forensics, simply using it does not keep you fully protected. If you do not use full disk encryption, there is a good chance that a skilled examiner can recover the password or key to your encrypted volumes from the unencrypted parts of the system (the page file, the hibernation file, crash dumps, application caches). Even if you do use full disk encryption, a well planned raid, a bit of luck and a can of compressed air (see the section on RAM) is all it takes to retrieve your key from memory while the machine is on. Also keep in mind that encryption is limited in what it protects you from. If you have an encrypted container whose timestamps say it was last accessed the day before it was seized, you are not going to be very convincing in court when you say you have forgotten the password. This is where anti-forensics comes in: you can use anti-forensic software to forge the timestamps and make it appear that the container has not been touched in years.

Q. I don't stand a chance against some genius forensic scientist, do I?

A. You most certainly do. Most computer forensic techniques are straightforward to counter. Forensics is used all the time to gather information from suspects' computers, but in the overwhelming majority of those cases the suspects took no countermeasures at all. Someone who spends a few hours learning how forensics works, and applies the countermeasures properly and consistently, makes it far harder for even a highly trained examiner to gather evidence. The important word is consistently: one hibernation file, one forgotten backup or one skipped free-space wipe undoes the rest.


Q. Is there a difference between computer forensics and things such as signals intelligence, network analysis, etc.? Is there a difference between anti-forensics and encryption, steganography, etc.? Why is there an entire section on anti-forensics?

A. This is a rather complicated question. It seems to me that forensics focuses on gathering things such as metadata (data about data), building timelines and recovering data. Although network analysis and signals intelligence are technically forms of computer forensics, I think they are considered fields of their own. A computer forensic examiner is not likely to be asked by his team leader to break the Tor network; he is far more likely to be asked to look at the metadata on a file that was sent over Tor and try to determine which computer it came from, or to use side channel attacks to find your IP address without breaking Tor. Actually breaking Tor is more in the realm of traditional legislation and investigation (passing data retention laws and then subpoenaing records from ISPs) and of signals intelligence and network analysis (which is handled most skilfully by more sophisticated agencies, such as the NSA). Similarly, a standard computer forensic examiner is unlikely to perform cryptanalysis on your encrypted data; he is more likely to use timelines to show the patterns in which you accessed it, and to try to recover your password by forensic means (from a page file, a hibernation file, a memory image, or a keylogger planted earlier).

Encryption and steganography are anti-forensic tools in that they greatly reduce the adversary's ability to examine your machine forensically. When I talk about anti-forensic tools in this section, I usually mean things such as Timestomp (for spoofing timestamps on Windows).

I decided to include an entire section on anti-forensics simply because it has so much to do with the other security systems I talk about. I think this section of the guide should be the first one anyone reads.

Forensic Data Recovery & Countermeasures

Before I can properly explain forensic data recovery, I need to explain how digital data storage works. The first thing you should know is that computers work with binary encoding, meaning 1's and 0's. These 1's and 0's are called bits. Large combinations of bits can store all sorts of information. For example, a picture being displayed on your monitor is actually your graphics card's rendering of a bit string. 24-bit colour (common on modern monitors and graphics cards) represents each pixel's colour as a series of 24 bits; there are over 16.7 million possible combinations of 24 bits, so 24 bits can represent over 16.7 million different colours. The picture on your computer is a series of bits broken into 24-bit groups, each group giving the colour of a single pixel on your monitor, and when thousands of differently coloured pixels come together they form the picture. Everything on your computer works essentially the same way: a music file is a series of bits that is processed by your sound card, which then tells your speakers how to move (making different sounds); a text file is a series of bits with different bit strings representing different ASCII characters; and so on.

Now we know the basics of how computers represent data. Next you need somewhere to store the bits so that they can be processed by the CPU and by other devices such as graphics and sound cards. Data can be stored on many kinds of device, the most common being CDs, hard drives and RAM.

CDs

A writable CD stores bits using the optical properties of a thin reflective layer (foil) with a dye layer in front of it. The data track is divided into billions of tiny sections running in a spiral around the disc; the drive's laser reads whether each section reflects light back or not, and the sequence of reflective and non-reflective sections is decoded into bits (strictly it is the transitions between the two that carry the data, but reflective = 1, dark = 0 is close enough for this discussion). When you burn a blank CD, the writer uses a higher-power laser to darken spots in the dye layer so that light no longer reaches the foil there, making those spots non-reflective.

Hard Drives

A hard drive stores data on magnetic platters. Each platter is divided into billions of tiny regions whose magnetisation points one way or the other. A read/write head containing a small, precise electromagnet flies over the regions and can flip their magnetisation to write, and sense it to read, so the pattern of reversals is decoded back into bits. Most drives have several platters and heads, as you can see from the image on the right. The head moves from the middle of the platter to the edge, and the platter spins beneath it.

Recovering Data

Now that we know how data is stored, we can discuss how it can be recovered. First I will tackle common misconceptions about destroying data. I often hear people talk about smashing hard drives with hammers to destroy the data on them, and I have even had people ask me whether spilling water on a hard drive will destroy the data. Some have told me quite confidently that the only secure way to wipe a hard drive is to shoot it. Many probably assume that if you snap a CD in half the data on it is unrecoverable, or that the second power is cut to your computer the RAM is emptied.

First, damaged hard drives. Forensic examiners love it that people think smashing a drive with a hammer makes the data unrecoverable. Data recovery labs work with damaged, sometimes extremely damaged, drives all the time and routinely pull large amounts of information off them. To begin with, notice that a hard drive has a protective case keeping you (and your hammer) away from the platters.

This case absorbs much of the damage you inflict, and protects the platters from water to a good extent; water itself does nothing to the magnetic pattern, it only makes the drive unsafe to spin up until it has been cleaned. Say you shoot a hole clean through the drive. You have destroyed a hole's worth of bits, comparatively not much; the rest of the platter surface is intact and still holds the bits, which a lab can read by transplanting the platters into a donor drive or with specialised equipment. Even if you warp the platters, you have not removed their magnetisation, only made it harder to read; a lab can examine the surface at a microscopic level and determine whether a particular region is magnetised one way or the other. Recovering data from a badly warped or shattered platter is slow and expensive and not something a routine examination attempts, but you should not rely on an examiner's budget. The reliable ways to destroy a drive physically all target the platters themselves: a proper degausser, a shredder, or grinding the recording surface off.

The above two pictures show a magnetic and an electron microscope.


Similar principles apply to CDs. Snapping a CD in half only breaks up the medium the bits are written on; it does not remove the stored data. Specialised tools can read a CD fragment one reflective/non-reflective section at a time and reconstruct the bit sequences on the pieces.

RAM similarly has its own 'weaknesses'. RAM is not instantly cleared when it loses power; its contents decay over seconds to minutes at room temperature, and cooling the chips slows that decay dramatically. A task force that wants the contents of your RAM will bring a can of compressed air with them when they come through the door, turn the can upside down and spray the liquid propellant (which is extremely cold) over the memory modules, then pull the modules and image them in a machine they brought along, or simply reboot your own machine from a USB stick carrying a tiny memory-dumping tool, which is the easier form of the same attack. This is particularly dangerous because it goes around full disk encryption: while the machine is on and the encrypted drive is mounted, the key is in RAM, so all or part of it can be recovered even if you cut the power the moment you see them at your door (they have to act fast, a matter of seconds to a few minutes after power is cut depending on the chips and how quickly they are cooled). Even if they only recover part of the key, the damage is proportional: an AES key schedule in memory contains a lot of redundancy, so a partly decayed key can be reconstructed from the damaged copy, and if they recover 99% of the bits the remaining 1% is a trivial brute force. This is the cold boot attack published by Halderman and others in 2008; their tools scan a memory image for the characteristic structure of AES and RSA keys rather than for any particular value.

Deleting Data

Now that we understand the limitations of physically damaging storage media (and of cutting power to RAM), I will discuss the limitations of ordinary file deletion. With most operating systems, deleting a file does not remove its bit pattern from the drive. It only tells the file system to stop indexing that pattern, so as far as the operating system lets you see, the file is gone; in reality nothing has been removed from the drive at that point. As you keep writing and moving files, you will eventually overwrite some of the areas that held your old deleted files, but that can take a very long time, and usually takes a good while even if you make heavy use of the drive.

There are programs that overwrite files with bit patterns (sometimes random, sometimes fixed patterns). These change the bits actually stored on the drive and make it very difficult, if not impossible, to recover the old file. Note, though, that a secure eraser can remove the contents of a file and still leave its metadata behind. Suppose you have a file named secret.txt and remove it with a secure eraser: the program drives the head over the bit pattern that makes up secret.txt and replaces it with a harmless pattern, so the contents are essentially unrecoverable by anyone, forensics included. But an examiner can look at the file system structures (the MFT entry on NTFS, the directory entry, the USN journal) and determine that a file named secret.txt once existed, how big it was, when it was created and when it was accessed. Make sure the eraser you use also deals with that (for instance by renaming the file to a random name and truncating it to zero length before deleting it). I have heard from reliable sources that the only single-file deletion program (it seems likely that only Windows software was tested) that removed all traces to the point that the FBI could not recover anything meaningful was Eraser (from Heidi Computers), which is Windows only. Even when every trace of a file has been securely overwritten, there will still be operating system logs that data can be pulled from (more on this later). On Linux use shred from GNU coreutils or srm from the secure-delete package (the same package that provides the smem RAM wiper mentioned later); older versions of Mac OS X shipped an srm command of their own. Whatever you use, two warnings apply to all of them: on a journaling or copy-on-write file system, on a compressed volume, or wherever snapshots such as System Restore points exist, overwriting a file in place may never touch the blocks that held the original; and on SSDs and USB flash sticks wear levelling means the controller can silently send your overwrite to different physical cells and leave the original data intact. For flash, the only dependable approach is to have encrypted the data from the start, so that destroying the key destroys the data, or to use the drive's built-in ATA Secure Erase.
Another thing to note is the difference between single-file erasing and full drive wipes (which are, by nature, much more secure). A nice feature of Eraser is the ability to wipe all unallocated drive space on a schedule, and I suggest Windows users configure it to do this.

In addition to single-file wipers like Eraser and shred, there are full drive wipers, DBAN being the best known. A full drive wipe overwrites every sector, leaving the drive as blank as when it was new. Many people say the only secure way to wipe a drive is an extremely powerful magnet, and that is close to the truth: a proper degausser randomises the magnetisation of the whole platter (and destroys the drive's servo tracks with it, so the drive is unusable afterwards). DBAN reaches a comparable result by a different route, using the drive's own write head to rewrite every region with new data, which is both more thorough and more controllable than waving a magnet near the case. Some people say data can be recovered even after multiple overwrites, which is why most wiping programs offer (and even suggest) multi-pass algorithms that overwrite the target several times with different patterns. Forensic examiners I have spoken to say that recovering overwritten data from a modern drive is essentially impossible: although it may have been possible with drives from the early 1990s (Peter Gutmann's 1996 paper suggested using magnetic force microscopy to recover overwritten data, and that is where the 35-pass method comes from), modern platters are far too dense, and Gutmann himself has since written that for modern drives a few passes of random data are the most that is useful. NIST's media sanitisation guidance (SP 800-88) likewise treats a single overwrite as adequate for drives made after about 2001. I am inclined to believe that if recovery after a single overwrite is possible at all, it is extraordinarily expensive and highly unlikely to be used against you. Multiple passes take a long time and seem unnecessary, but I still suggest 8 passes of random data for wiping files (as DBAN suggests for high security).
My reasoning is simply that although I have heard good arguments that a single wipe is adequate for secure data removal, there are other forensic examiners who suggest it is still possible to recover data from a drive wiped multiple times with random data. I am not personally knowledgeable enough to settle who is right, and I would rather spend a bit of extra time being overly safe than take needless risks with sensitive data removal.
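What a single-file eraser of the kind described above actually does, as an added example that is not the wiki's code and not Eraser's or shred's: overwrite every byte of the file's allocated length with fresh random data, force it to disk, then rename the file to a random name before unlinking so that the name released back to the directory (or the MFT record on NTFS) is not the original one. The demo function creates and wipes a throwaway file of its own; the same file-system and flash caveats from the text apply to this code exactly as to any other in-place overwriter.

```python
import os
import secrets
import tempfile

def secure_delete(path, passes=3, chunk=1 << 20):
    """Overwrite a file in place, hide its name, then unlink it.

    Each pass rewrites the whole allocated length with fresh random bytes and
    fsyncs so the data reaches the disk before the next pass. The file is then
    truncated, renamed to a random name (so the original name is not what sits
    in the freed directory entry / MFT record) and deleted.
    Returns the number of bytes overwritten per pass.

    Limits, the same as for shred: on journaling or copy-on-write file systems,
    compressed volumes, and anywhere snapshots exist, the old blocks may survive
    untouched; on SSDs and flash sticks wear levelling may redirect the
    overwrite to different cells entirely. Encrypt first, wipe second.
    """
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as f:
        for _ in range(passes):
            f.seek(0)
            left = size
            while left:
                left -= f.write(secrets.token_bytes(min(chunk, left)))
            os.fsync(f.fileno())
        f.truncate(0)
        os.fsync(f.fileno())
    new_name = os.path.join(os.path.dirname(os.path.abspath(path)), secrets.token_hex(8))
    os.rename(path, new_name)
    os.unlink(new_name)
    return size

def demo(size=3000):
    """Create a throwaway file, wipe it, and report (bytes wiped, still exists?)."""
    fd, path = tempfile.mkstemp(prefix="secret-", suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(b"A" * size)
    wiped = secure_delete(path)
    return wiped, os.path.exists(path)

if __name__ == "__main__":
    print(demo())
```

Even done this way the file's former existence can remain in the USN journal, in $LogFile and in any backup or restore point, which is the "OS logs" point made above and why a free-space wipe on a schedule is the other half of the job.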


Secure data removal from CDs is not as easy. Even if you toss a CD in the microwave for a few seconds it will just have a pattern burned into it, leaving many bit sequences intact. My suggestion is not to use CDs for sensitive data when you can avoid it. A USB flash drive fully encrypted with TrueCrypt is the better choice for portable sensitive files, but do not count on DBAN or any other overwrite-based wiper to clean a flash drive afterwards: the drive's wear levelling can leave old copies of your data in cells the wiper never reaches, so encrypt from the start and treat destroying the key as the wipe. If you must use a CD for something sensitive (encrypt it, by the way) and eventually have to destroy it, microwave it for a good many seconds (this is almost certainly bad for the microwave and may damage it, although it is unlikely to break it outright; perhaps use an old one) and then scrape the foil off the plastic with a craft knife.


In the case of RAM there are some options as well. First of all, understand the limitations of encryption and make it hard for keys to leak to the hard drive (there is a tutorial on how to do this for Windows above; for Linux, simply do not create a swap partition during installation, or put swap on an encrypted volume; I have no idea for Mac, sorry). If you use full disk encryption, understand that while the machine is on and the volume is mounted, the data is readable to anything running on the machine and the key is sitting in RAM; the encryption only protects you once the volume is dismounted or the machine is off. You should not leave computers holding sensitive information turned on when you are not using them, or at least not when you are not in the immediate area. I suggest you buy a cheap laptop or desktop and use it only for your security needs. You do not need a powerful computer at all to carry out the steps in my tutorials; just try to get a hard drive from 2000 or later and a network card that can crack WEP. With that said, there are three ways to protect against flash freeze attacks. The first is to wire your computer up to a sort of alarm system with wires running to your windows and doors, so that if a window or door is opened power is cut to the computer. If you take this novel approach (it is a common one for people running servers hosting sensitive things), make sure the alarm system is on the same power circuit as the computer. The second is to use a case with no open ports (including USB) that is locked shut, preferably made of some light metal. That way, once you cut the power, the adversary has to open the case and remove the RAM before it decays to worthlessness, which at room temperature gives them seconds to a few minutes. The third, and probably most realistic, option is a program such as smem from the secure-delete package (installed as sdmem on Debian-based systems), which can be run at shutdown so that pressing the shutdown button starts actively overwriting your RAM.
This only works if you press the shutdown button and the machine has enough time to run it; it does nothing if power is cut instantly (in which case RAM decays at its normal rate). Configure the computer to begin shutting down the moment the button is pressed, without prompting you repeatedly and slowing the process down.

Forensic Data

Note: although I talk about image metadata and how to remove it, I do not support most of what is considered 'illegal images'. I recognise, however, that a wide variety of people have a use for digital images. For example, maybe you have some nice weed growing and want to show someone without them gathering information on you from the picture.

Now that we have discussed what digital information is, how it is stored and how to erase it securely, let's talk about what sorts of data forensic examiners usually look at. The first thing I will discuss is metadata. Metadata is quite literally data about data. It comes in various forms and can reveal a lot of information you probably want to keep secret. Say you take a picture with a digital camera and copy it to your computer. If the camera uses the JPEG format, the file will carry an Exif block with some or all of the following:

Camera manufacturer
Camera model
Camera serial number
Software used (camera firmware, or the editor the picture was saved from)
Time of photograph
Flash status (whether the flash fired)
Embedded thumbnail image
Other technical details (and on GPS-equipped cameras and phones, the coordinates of where the picture was taken)

A lot can be done with this information. If you post a picture, even from behind an anonymity network, it is not going to be very anonymous if the picture carries your camera's serial number in its metadata. Perhaps you registered the camera for a warranty, in which case it is trivial for law enforcement to find your real identity. Even if you did not register it, the serial number can often pinpoint the store you bought it from, and in some cases you may still be on that store's CCTV buying it. Even if the metadata does not contain the serial number, simply leaking the manufacturer and model can be used as circumstantial evidence against you after you are raided and the camera is found. The software field can leak your operating system, which can be used against you in several ways (including targeting exploits at it rather than guessing which OS you use). The time of the photograph helps a forensic timeline be built and presented against you in court. Sometimes a thumbnail of the photograph is stored in the metadata, and it does not change when you edit the main picture: if part of the photograph reveals something about you and you edit that out, the untouched thumbnail can give an examiner back what you removed. In other words, a lot of evidence can be gathered on you from a simple digital photograph.

There are a few ways to remove metadata from photos. One crude way is to open the photo at full size in an image viewer, press the Print Screen key (usually just right of F12), which copies a screenshot of the desktop to the clipboard, paste it into an image editor, crop out the photo and save it. The new file is built from screen pixels and carries none of the original's metadata, and you can then securely erase the original. This works for any image format, but it resamples the image to your screen resolution and recompresses it, so you lose quality, and whatever you save it with may add metadata of its own (a PNG text chunk or a JPEG comment naming the editor), so check the result. The proper way is to strip the metadata segments directly: ExifTool does this for practically every format with exiftool -all= picture.jpg (it keeps a backup named picture.jpg_original that you must then securely erase), and most image libraries can re-save a file without its Exif block.
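For JPEG specifically, stripping metadata is a matter of walking the file's marker segments and dropping the ones that carry it (APP1 for Exif and XMP, APP2 for ICC profiles, APP13 for Photoshop/IPTC, and COM comments) while keeping everything the decoder needs, so the picture is untouched and not recompressed. The parser below is an added example, not code from the wiki or from ExifTool; it also reports whether an Exif block carried an embedded thumbnail, the leak described above. The input is a constructed JPEG skeleton with those segments in it, not a real camera file.

```python
import struct

SOS, EOI = 0xDA, 0xD9
# Segments that carry metadata rather than image structure.
STRIP = {0xE1: "APP1 (Exif/XMP)", 0xE2: "APP2 (ICC profile)",
         0xED: "APP13 (Photoshop/IPTC)", 0xFE: "COM"}

def strip_jpeg_metadata(data):
    """Return (clean_jpeg_bytes, removed) for a baseline or progressive JPEG.

    removed is a list of (segment name, segment size, contained_thumbnail).
    JFIF (APP0), quantisation/Huffman tables, frame header and scans are kept,
    so the picture decodes exactly as before; only the tagged segments go.
    """
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    out = bytearray(b"\xff\xd8")
    removed = []
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:                 # fill byte, skip
            pos += 1
            continue
        if marker == SOS:
            # From the first scan onward it is entropy-coded image data (plus, in
            # progressive files, more tables and scans) up to EOI: copy verbatim.
            out += data[pos:]
            return bytes(out), removed
        if marker == EOI:
            break
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segment = data[pos:pos + 2 + length]
        if marker in STRIP:
            payload = segment[4:]
            # Exif APP1 blocks usually embed a JPEG thumbnail (IFD1); its own SOI
            # marker inside the payload is a cheap tell that one is present.
            has_thumb = (marker == 0xE1 and payload.startswith(b"Exif\x00\x00")
                         and b"\xff\xd8\xff" in payload)
            removed.append((STRIP[marker], len(segment), has_thumb))
        else:
            out += segment
        pos += 2 + length
    raise ValueError("no SOS segment found: truncated or unusual JPEG")

def _seg(marker, payload):
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed 8x8 greyscale JPEG skeleton (not a real camera file): JFIF header,
# an Exif block with a fake TIFF header and an embedded thumbnail, a quantisation
# table, frame header, a comment naming the firmware, then one scan and EOI.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00" + b"II*\x00\x08\x00\x00\x00" + b"\x00" * 16
           + b"\xff\xd8\xff\xdb" + b"\x00" * 8 + b"\xff\xd9")
    + _seg(0xDB, b"\x00" + bytes(range(1, 65)))
    + _seg(0xC0, b"\x08\x00\x08\x00\x08\x01\x01\x11\x00")
    + _seg(0xFE, b"Made with ExampleCam firmware 1.2")
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\x56" + b"\xff\xd9"
)

if __name__ == "__main__":
    clean, gone = strip_jpeg_metadata(SAMPLE_JPEG)
    print(len(SAMPLE_JPEG), "->", len(clean), "bytes")
    for name, size, thumb in gone:
        print("removed %s, %d bytes%s" % (name, size, ", with thumbnail" if thumb else ""))
```

Run it over a real file and compare the removed list with exiftool's output; anything that survives is in a segment this table does not cover (or appended after the EOI marker, which some cameras do), which is the check to make before publishing.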

Another thing you should know about images is that the blur and pixelate functions of your image editor are almost certainly inadequate. Blurring is a deterministic, reversible-enough operation: examiners can partly undo it by deconvolution, and pixelated text or numbers can be recovered by rendering every candidate and matching the blocks. So if you take a picture of yourself holding a bud, do not blur your fingerprints out and think you are safe. Paint over identifying marks with a solid colour or cut them out entirely, then take a screenshot of the edited image (or re-save it with a metadata stripper) so that no thumbnail of the original survives, and save that as the new image.

'Office' documents (such as spreadsheets, presentations, text documents, PDFs) are other sorts of files that can have damning metadata. Document metadata often includes:

The name of the account the document was made in Name of the company the computer that made the document is registered to The name of your computer The account names of people who previously worked on the document Document revisions Document versions Amount of time spent editing the document

As you can see, there are many ways office file metadata can be used against you. If your computer or account is named after you (as many people's are), you may well be publishing your real name along with your sensitive documents. The location of your workplace may be deducible from the company name. A chain of custody can sometimes be reconstructed: if you send a document on, anyone who finds it and reads the metadata can tell it passed through you, and possibly where you got it (or that it originated with you). There are a few things you can do to limit the damage. First, don't use a computer or account named after you, and don't use software registered in your name. Second, never do sensitive work on a work computer that is tied to you (a cafe computer can sometimes be acceptable if nothing links you to it). Third, after you finish an office file, or after receiving one and before forwarding it, copy and paste the content into a fresh document and securely erase the original. This sheds the editing history (versions, revisions, time spent editing, previous authors) but not the properties the new file inherits from your own software (computer name, account name, company name). Use a metadata removal tool as well; which one depends on the file type. Microsoft ships a free metadata remover for its Office formats (in newer versions it is built in as the Document Inspector), and since it is aimed at lawyers who must not leak privileged information it is reasonably thorough. Whatever format you use, a search engine will find a free tool for it; afterwards, check the cleaned file's properties yourself rather than trusting the tool.

One more specific note on PDFs that certain people might find helpful: drawing a black box over words does not erase them. The box is just another drawing operation painted on top; the text objects remain in the page's content stream, so anyone can select the blacked-out region with the mouse, copy it, and paste the "hidden" text into a text editor, or simply run a text extractor over the file. A US military agency released a report with confidential passages blacked out this way, and the text was recovered exactly like that. Proper redaction tools delete the text from the content stream (and ideally rasterise the page) rather than covering it; verify the result by searching the redacted file for the words you removed. This is related to metadata, but probably doesn't count as metadata.
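To see why the black box fails, here is a Python example added for illustration (not from the original page) that builds a constructed one-page PDF in which a line of text is drawn and a filled black rectangle is then painted on top of it. A text extractor, here a regular expression over the uncompressed content stream, still finds the covered string. The second function does what a real redaction tool does instead: it removes the text-showing operation from the content stream and rebuilds the stream length and cross-reference table so the file stays valid. The writer and extractor are simplified (uncompressed streams, strings without escaped parentheses, objects numbered in file order) and a proper PDF library is needed for arbitrary files.

```python
import re

SECRET = b"Source: Agent 7"      # constructed sensitive string

# Constructed page content: two lines of text, then a filled black rectangle
# painted over the second one. Visually the line is gone; the bytes are not.
BOXED = (b"BT /F1 12 Tf 72 700 Td (Report follows.) Tj ET\n"
         + b"BT /F1 12 Tf 72 680 Td (" + SECRET + b") Tj ET\n"
         + b"0 g 70 676 200 14 re f")


def pdf_object(num, body):
    return b"%d 0 obj\n%s\nendobj\n" % (num, body)


def stream_object(num, content):
    return pdf_object(num, b"<< /Length %d >>\nstream\n%s\nendstream" % (len(content), content))


def assemble(objects):
    """Write objects 1..n in order, then an xref table with correct byte offsets."""
    out = bytearray(b"%PDF-1.4\n")
    offsets = []
    for obj in objects:
        offsets.append(len(out))
        out += obj
    xref_pos = len(out)
    out += b"xref\n0 %d\n0000000000 65535 f \n" % (len(objects) + 1)
    for off in offsets:
        out += b"%010d 00000 n \n" % off
    out += (b"trailer\n<< /Size %d /Root 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
            % (len(objects) + 1, xref_pos))
    return bytes(out)


def make_pdf(content):
    """Minimal single-page document with one Type1 font and the given content stream."""
    return assemble([
        pdf_object(1, b"<< /Type /Catalog /Pages 2 0 R >>"),
        pdf_object(2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
        pdf_object(3, b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] "
                      b"/Resources << /Font << /F1 4 0 R >> >> /Contents 5 0 R >>"),
        pdf_object(4, b"<< /Type /Font /Subtype /Type1 /BaseFont /Helvetica >>"),
        stream_object(5, content),
    ])


def text_strings(pdf):
    """What select-and-copy or a text extractor sees: every string shown with Tj."""
    return re.findall(rb"\(([^)]*)\)\s*Tj", pdf)


def redact_text(pdf, needle):
    """Real redaction: drop every text-showing operation whose string contains
    `needle`, keep the drawing, and rebuild lengths and xref so the file stays valid."""
    objects = []
    for num, body in re.findall(rb"(\d+) 0 obj\n(.*?)\nendobj\n", pdf, re.S):
        m = re.match(rb"<< /Length \d+ >>\nstream\n(.*)\nendstream$", body, re.S)
        if m is None:
            objects.append(pdf_object(int(num), body))
            continue
        kept = [op for op in m.group(1).split(b"\n")
                if not (b"Tj" in op and needle in op)]
        objects.append(stream_object(int(num), b"\n".join(kept)))
    return assemble(objects)


def check_structure(pdf):
    """True if every stream /Length is right and every xref offset points at its object."""
    for length, content in re.findall(rb"/Length (\d+) >>\nstream\n(.*?)\nendstream", pdf, re.S):
        if int(length) != len(content):
            return False
    start = int(re.search(rb"startxref\n(\d+)\n", pdf).group(1))
    if not pdf[start:].startswith(b"xref"):
        return False
    entries = re.findall(rb"(\d{10}) 00000 n", pdf[start:])
    return all(pdf[int(off):].startswith(b"%d 0 obj" % (i + 1)) for i, off in enumerate(entries))


if __name__ == "__main__":
    boxed = make_pdf(BOXED)
    print("covered with a box, extractor sees:", text_strings(boxed))
    clean = redact_text(boxed, b"Agent")
    print("text removed, extractor sees:     ", text_strings(clean))
```

Removing the operator is the minimum. Fonts embedded as subsets can still reveal which glyphs the page used, and the /Info dictionary and XMP packet carry their own metadata, so a tool that rasterises the page and rebuilds the document is the safe choice.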


Another kind of metadata is what the operating system itself creates. This includes timestamps (file creation date, last accessed, last modified, and so on), and it is no stretch to count the information the OS stores in places such as the registry as metadata too. It covers far more than you would expect. For example, Windows XP keeps a hidden log of every website you have ever visited with Internet Explorer since the system was installed, and other logs including the names of programs you have launched and the dates you launched them. Check the Windows XP tutorial at the top of this page to learn how to disable the built-in Windows XP metadata (forensics) sources. Timestamps alone can be very damaging. Besides helping to build a timeline, they can be used to knock down defences in court. Say you claim to have forgotten the password to your TrueCrypt container; that won't look very reasonable to a jury when a forensic examiner produces a last-accessed timestamp showing you opened the container the day before your computer was seized. At the top of this main article there is also a link to information on how to forge timestamps.


Another thing to know is that a great many colour laser printers print a pattern of microscopic yellow dots onto every page. The pattern encodes the printer's serial number (and on some models the date and time of printing), so it is unique to each printer and makes it easy to tie a printed document to the machine that produced it.

[Image: zoomed-in photograph of the yellow tracking dots from a colour laser printer. The EFF maintains a list of which printer models do and do not print tracking dots (thanks EFF).]


Forensic Data Examination

There are a variety of tools used for forensic data examination. As already mentioned, magnetic force microscopy can be used to read data off damaged drives; this section focuses on software forensics. The most widely used forensic suite in law enforcement is EnCase. It is what you are most likely to be up against if your computer is examined: its output has held up in court many times and it is one of the most capable tools available. EnCase can do a variety of forensic work, including, but not limited to:

Making bit-for-bit images of storage media
Taking snapshots of RAM
In-depth analysis of metadata
In-depth analysis of files
Signature analysis (comparing a file's header bytes with its extension, so a renamed file stands out)
Hash analysis (matching MD5/SHA-1 checksums against sets of known files)
Forensic timeline construction


[Images: an investigation organised in EnCase; EnCase examining computer data; EnCase examining a hard drive at the sector level.]


Although EnCase is considered the cutting edge in software forensics, the Metasploit Anti-Forensics Project (which could be called the cutting edge in anti-forensics software) released several tools that can greatly hinder an EnCase examination: Timestomp (rewrites or blanks NTFS timestamps, wrecking timeline construction; older EnCase versions showed no timestamps at all for files it had blanked), Slacker (hides file fragments in the slack space at the end of other files, where EnCase does not present them as files) and Transmogrify (changes a file's header so that signature analysis misidentifies it, so a TrueCrypt volume can be made to look like, and be detected by EnCase as, a movie file). Two caveats: these tools target Windows and NTFS only, and Timestomp changes only the $STANDARD_INFORMATION timestamps, so an examiner who compares them against the $FILE_NAME timestamps in the MFT, or notices that the fractional seconds are all zero, can still tell the file was tampered with.
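The timestamp points made earlier on this page and the Timestomp discussion here come down to the same thing: you can set some timestamps but not all of them, and the ones set by hand look different. The Python example below is added for illustration (it is not Timestomp and not the page's own code): it back-dates a temporary file's modification and access times to 2007 with os.utime, then applies two checks an examiner would apply. The inode change time cannot be set from user space, so it still says "now", and a date typed by hand has no fractional seconds. The example runs on Linux or macOS; on NTFS the analogous comparison is $STANDARD_INFORMATION against $FILE_NAME in the MFT.

```python
import os
import tempfile
from datetime import datetime, timezone

NS_PER_S = 1_000_000_000


def timestomp(path, when_utc):
    """Back-date a file's modification and access times to a whole-second UTC time.

    This is the user-space equivalent of what Timestomp does to NTFS
    $STANDARD_INFORMATION. It cannot touch the inode change time (ctime),
    which plays roughly the role $FILE_NAME timestamps play for an NTFS examiner.
    """
    ts = int(datetime.fromisoformat(when_utc).replace(tzinfo=timezone.utc).timestamp())
    os.utime(path, ns=(ts * NS_PER_S, ts * NS_PER_S))


def timeline(path):
    """The three timestamps an examiner would pull for one file."""
    st = os.stat(path)
    return {"mtime_ns": st.st_mtime_ns, "atime_ns": st.st_atime_ns, "ctime_ns": st.st_ctime_ns}


def stomp_indicators(t, slack_s=60):
    """Heuristics applied to one file's timestamps. Each is a reason to look
    closer, not proof on its own (copied files can show the second one too)."""
    reasons = []
    if t["mtime_ns"] % NS_PER_S == 0:
        reasons.append("fractional seconds of mtime are exactly zero")
    if t["ctime_ns"] - t["mtime_ns"] > slack_s * NS_PER_S:
        reasons.append("inode change time is much newer than the claimed modification time")
    return reasons


def demo():
    """Create a file, back-date it to 2007, and compare indicators before and after."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "notes.txt")
        with open(path, "w") as f:
            f.write("constructed sample file\n")
        before = stomp_indicators(timeline(path))
        timestomp(path, "2007-01-15T09:00:00")
        after_t = timeline(path)
        after = stomp_indicators(after_t)
    return {"before": before, "after": after, "stomped_mtime_ns": after_t["mtime_ns"]}


if __name__ == "__main__":
    result = demo()
    print("before stomping:", result["before"])
    print("after stomping: ", result["after"])
```

Tools that take a date to the second leave the sub-second field zero, which is exactly the pattern a timeline filter can search for across a whole image; choosing a random fractional part, and accepting that ctime or $FILE_NAME will still disagree, is the best an attacker can do from user space.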
