
Digital Anti-Forensics

Forensics is the process of finding evidence. Digital forensics is therefore the process of finding evidence on digital devices, such as computers, digital cameras, MP3 players, and the like. If you care about your privacy and use Windows, it's important to know that a determined attacker has many ways to undermine your efforts to protect your data. In particular, there are ways not only to prove the existence of hidden or encrypted data, but also to prove that the user knew about that data. Windows records many user activities and stores this information in the Windows Registry, allowing investigators to reconstruct what you've done with your computer.

Shellbags

Introduction

Windows stores in the Registry the names of files and folders, along with the time each folder was created or its view preferences were last changed. These keys are called the shellbags. They cover every folder you have ever opened, including files and folders that are no longer accessible to the system, such as removed flash drives and dismounted TrueCrypt volumes. Using these registry keys, an investigator can prove that certain files exist and demand that you produce them. The names of the files may even be descriptive enough to bypass your Fifth Amendment rights: if the prosecution already knows that there is encrypted evidence of illegal activity, then demanding that you produce it is no longer forcing you to incriminate yourself, as they have the information already. (See In re Boucher.)

Details

The Windows shellbag keys that I know of are below.

HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags
HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags
HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

It seems that not all of them are used. The reason they exist is to allow Windows to remember the icon, view settings, and position of a folder. Parsing them is trivial with freely available tools such as TZWorks' Windows Shellbag Parser, available here: https://tzworks.net/prototype_page.php?proto_id=14
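To make concrete what a parser like the one linked above recovers, here is an added Python example (not from the original article, not the linked tool, and not data from any real machine). It decodes the two structures an examiner reads from a BagMRU key: the MRUListEx value, which orders the numbered slot values most-recently-used first, and the file-entry shell item stored in each slot, which carries the folder's primary (8.3) name, attributes and FAT-format modification time, followed by the 0xBEEF0004 extension block with creation and access times. The sample bytes are constructed inline following that documented layout; the folder names, dates and slot numbers are invented, the constructed extension block carries only timestamps, and the long-name field of a real extension block is deliberately not decoded here.

```python
import struct
from datetime import datetime
from typing import Dict, List, Optional, Tuple

FILE_ATTRIBUTE_DIRECTORY = 0x10
EXT_SIG_BEEF0004 = 0xBEEF0004  # extension block holding creation/access times (and, on real systems, the long name)


def fat_datetime(fat_date: int, fat_time: int) -> Optional[datetime]:
    """Decode the 16-bit DOS/FAT date and time words used in shell items; 0/0 means 'not set'."""
    if fat_date == 0 and fat_time == 0:
        return None
    return datetime(1980 + (fat_date >> 9), (fat_date >> 5) & 0x0F, fat_date & 0x1F,
                    fat_time >> 11, (fat_time >> 5) & 0x3F, (fat_time & 0x1F) * 2)


def parse_mrulistex(data: bytes) -> List[int]:
    """MRUListEx: little-endian uint32 slot numbers, most recently used first, ending in 0xFFFFFFFF."""
    order = []
    usable = data[: len(data) - len(data) % 4]  # ignore any trailing partial word
    for (slot,) in struct.iter_unpack("<I", usable):
        if slot == 0xFFFFFFFF:
            break
        order.append(slot)
    return order


def _utf16z(buf: bytes, start: int) -> Tuple[str, int]:
    """Read a null-terminated UTF-16LE string; return (text, offset just past the terminator)."""
    end = start
    while end + 1 < len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[start:end].decode("utf-16-le", "replace"), end + 2


def parse_file_entry_item(item: bytes) -> Dict[str, object]:
    """Decode one file-entry shell item (class type 0x30..0x3F) as stored in a BagMRU slot value."""
    # header: size(2), class type(1), reserved(1), file size(4), FAT mod date(2), FAT mod time(2), attributes(2)
    size, class_type, _reserved, file_size, mdate, mtime, attrs = struct.unpack_from("<HBBIHHH", item, 0)
    if class_type & 0x70 != 0x30:
        raise ValueError("not a file entry shell item: class 0x%02x" % class_type)
    if size > len(item):
        raise ValueError("truncated shell item")
    # the primary name follows the 14-byte header; flag 0x04 means it is UTF-16 rather than ASCII
    if class_type & 0x04:
        name, name_end = _utf16z(item, 14)
    else:
        name_end = item.index(b"\x00", 14)
        name = item[14:name_end].decode("ascii", "replace")
    record: Dict[str, object] = {
        "name": name,
        "is_directory": bool(attrs & FILE_ATTRIBUTE_DIRECTORY),
        "file_size": file_size,
        "modified": fat_datetime(mdate, mtime),
        "created": None,
        "accessed": None,
    }
    # extension blocks follow the name; find 0xBEEF0004 by signature
    # block layout: size(2), version(2), signature(4), creation FAT date/time(4), access FAT date/time(4), ...
    sig_pos = item.find(struct.pack("<I", EXT_SIG_BEEF0004), name_end, size)
    if sig_pos >= name_end + 4:
        ext_start = sig_pos - 4
        cdate, ctime, adate, atime = struct.unpack_from("<HHHH", item, ext_start + 8)
        record["created"] = fat_datetime(cdate, ctime)
        record["accessed"] = fat_datetime(adate, atime)
    return record


def _fat_words(dt: datetime) -> Tuple[int, int]:
    """Encode a datetime as FAT date and time words (two-second resolution)."""
    return (((dt.year - 1980) << 9) | (dt.month << 5) | dt.day,
            (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2))


def build_sample_item(name: str, modified: datetime, created: datetime) -> bytes:
    """Constructed sample input, not from a real registry: a directory shell item with a minimal
    0xBEEF0004 block that carries only timestamps (access time set equal to modification time)."""
    primary = name.encode("ascii") + b"\x00"
    primary += b"\x00" * (len(primary) % 2)  # pad the name to a 16-bit boundary
    md, mt = _fat_words(modified)
    cd, ct = _fat_words(created)
    ext = struct.pack("<HHIHHHH", 16, 3, EXT_SIG_BEEF0004, cd, ct, md, mt)
    body = primary + ext
    header = struct.pack("<HBBIHHH", 14 + len(body), 0x31, 0, 0, md, mt, FILE_ATTRIBUTE_DIRECTORY)
    return header + body + b"\x00\x00"  # ITEMIDLIST terminator after the single item


# constructed sample content of one BagMRU key: two slot values plus MRUListEx (slot 1 browsed most recently)
SAMPLE_MRULISTEX = struct.pack("<III", 1, 0, 0xFFFFFFFF)
SAMPLE_SLOTS = {
    0: build_sample_item("PHOTOS", datetime(2012, 3, 4, 10, 30, 0), datetime(2012, 1, 2, 9, 0, 0)),
    1: build_sample_item("TRUECR~1", datetime(2013, 6, 7, 22, 15, 10), datetime(2013, 6, 7, 22, 14, 0)),
}


def reconstruct(mrulistex: bytes, slots: Dict[int, bytes]) -> List[Dict[str, object]]:
    """List the folders in most-recently-used order, the way an examiner's report would present them."""
    return [parse_file_entry_item(slots[slot]) for slot in parse_mrulistex(mrulistex)]


if __name__ == "__main__":
    for rec in reconstruct(SAMPLE_MRULISTEX, SAMPLE_SLOTS):
        print(rec)
```

Run as a script it prints the two constructed folder records, the TrueCrypt-style folder first, each with its FAT-resolution modification and creation times. The point for a privacy-conscious user is visible in the output: the entries survive independently of the folder itself, and the ordering value alone shows which folder was browsed last.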

Countermeasures

Shellbag artifacts can be destroyed simply by wiping the registry keys. However, Windows recreates them as folders are opened, so the wipe must be repeated on a regular basis, and the simplest way to do that is to automate it. I've written a program to wipe all shellbag artifacts from the registry that can be run with Scheduled Tasks or something similar. Note that it is normal to get an error or two, as some keys are unused. The source is below.

/* RegDeleteTree needs Windows Vista or later; declare that target before windows.h.
   Link with advapi32. */
#define _WIN32_WINNT 0x0600
#include <stdio.h>
#include <windows.h>

#define NUM_SBAG_KEYS 6

/* Shellbag key paths, relative to HKEY_CURRENT_USER. Not every one exists on every
   Windows version, so an "open" failure for some of them is expected. */
const char *SBagKeys[NUM_SBAG_KEYS] =
{
	"Software\\Microsoft\\Windows\\Shell\\Bags",
	"Software\\Microsoft\\Windows\\Shell\\BagMRU",
	"Software\\Microsoft\\Windows\\ShellNoRoam\\Bags",
	"Software\\Microsoft\\Windows\\ShellNoRoam\\BagMRU",
	"Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\Bags",
	"Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU"
};

int main(void)
{
	HKEY hKey;
	LONG ret;
	int i;

	for(i = 0; i < NUM_SBAG_KEYS; i++)
	{
		ret = RegOpenKeyExA(HKEY_CURRENT_USER, SBagKeys[i], 0, KEY_ALL_ACCESS, &hKey);

		if(ret != ERROR_SUCCESS)
		{
			printf("Failed to open key HKEY_CURRENT_USER\\%s. Error code %ld.\n", SBagKeys[i], ret);
			continue;
		}

		printf("Opened key HKEY_CURRENT_USER\\%s.\n", SBagKeys[i]);

		/* A NULL subkey name deletes every subkey and value under hKey but keeps the key
		   itself, so Explorer can keep using it. Explorer also caches shellbag state and
		   writes it back when folder windows close, so entries wiped while folders are
		   open can reappear; scheduling the wipe at logon avoids that. */
		ret = RegDeleteTreeA(hKey, NULL);

		if(ret != ERROR_SUCCESS)
		{
			printf("Error wiping subkeys and values. Error code %ld.\n", ret);
			RegCloseKey(hKey); /* close the handle before moving on */
			continue;
		}

		printf("Successfully wiped subkeys and values of HKEY_CURRENT_USER\\%s.\n\n", SBagKeys[i]);

		RegCloseKey(hKey);
	}

	return 0;
}

TODO

Deleted files are not really gone; System Restore is bad for you, and so is the pagefile.

Security