Digital Anti-Forensics

Forensics is the process of finding evidence. Digital forensics is therefore the process of finding evidence on digital devices, such as computers, digital cameras, MP3 players, and the like. If you care about your privacy and use Windows, it's important to know that a determined attacker has many ways to undermine your efforts to protect your data. In particular, there are ways not only to prove the existence of hidden or encrypted data, but also to prove that the user knew about that data. Windows records many user activities and stores this information in the Windows Registry, allowing investigators to reconstruct what you've done with your computer.



Windows stores in the Registry the names of files and folders, along with the time each folder was created and when its view preferences were last changed. These keys are called the shellbags. They cover every folder you've ever opened, including files and folders that are no longer accessible to the system, such as those on removed flash drives and dismounted TrueCrypt volumes. Using these registry keys, an investigator can prove that certain files exist and demand that you produce them. The file names may even be descriptive enough to bypass your Fifth Amendment rights: if the prosecution already knows there is encrypted evidence of illegal activity, demanding that you produce it is no longer forcing you to incriminate yourself, as they have the information already. (See In re Boucher.)


The Windows shellbag keys that I know of are below.

HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags
HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU

It seems that not all of them are used. The reason they exist is to allow Windows to remember the icon, view settings, and position of a folder. Parsing them is trivial with freely available tools such as TZWorks' Windows Shellbag Parser, available here:


Shellbag artifacts can be destroyed simply by wiping the registry keys; however, they will be recreated, so this must be done on a regular basis. The simplest way to do this regularly is to automate it. I've written a program to wipe all shellbag artifacts from the registry that can be run with Scheduled Tasks or something similar. Note that it is normal to get an error or two, as some keys are unused. The source is below.

#include <stdio.h>
#define _WIN32_WINNT 0x0600	/* RegDeleteTree needs Windows Vista or later */
#include <windows.h>	/* the Registry API lives in advapi32 */

/* The shellbag keys listed above, relative to HKEY_CURRENT_USER. */
char *SBagKeys[] = {
	"Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\Bags",
	"Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU"
};
#define NUM_SBAG_KEYS (sizeof(SBagKeys) / sizeof(SBagKeys[0]))

int main(void)
{
	HKEY hKey;
	LONG ret;
	size_t i;

	for(i = 0; i < NUM_SBAG_KEYS; i++) {
		ret = RegOpenKeyExA(HKEY_CURRENT_USER, SBagKeys[i], 0, KEY_ALL_ACCESS, &hKey);
		if(ret != ERROR_SUCCESS) {
			/* Unused keys are simply absent; this is the expected error or two. */
			printf("Failed to open key HKEY_CURRENT_USER\\%s. Error code %ld.\n", SBagKeys[i], ret);
			continue;
		}
		printf("Opened key HKEY_CURRENT_USER\\%s.\n", SBagKeys[i]);

		/* A NULL subkey name deletes every subkey and value under hKey but keeps the key itself. */
		ret = RegDeleteTreeA(hKey, NULL);
		if(ret != ERROR_SUCCESS)
			printf("Error wiping subkeys and values. Error code %ld.\n", ret);
		else
			printf("Successfully wiped subkeys and values of HKEY_CURRENT_USER\\%s.\n\n", SBagKeys[i]);

		RegCloseKey(hKey);
	}
	return 0;
}
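The other side of the same keys, as an added example that is not part of the original page: a PowerShell audit that reports, for each shellbag key listed above, how many subkeys and values it holds and the key's own last-write time, which .NET's RegistryKey does not expose, so it is read through the real advapi32 call RegQueryInfoKey (the RegInfo wrapper class is my own name).

```powershell
# Added audit example (not the page's wiper): report the state of the two shellbag keys.
# RegInfo is a hypothetical helper name; RegQueryInfoKey is the real advapi32 function.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class RegInfo {
    [DllImport("advapi32.dll", CharSet = CharSet.Unicode)]
    static extern int RegQueryInfoKey(IntPtr hKey, IntPtr lpClass, IntPtr lpcchClass,
        IntPtr lpReserved, out uint subKeys, out uint maxSubKeyLen, out uint maxClassLen,
        out uint values, out uint maxValueNameLen, out uint maxValueLen,
        out uint securityDescriptorLen, out long lastWriteTime);

    // Hide the counters we do not need; lastWrite is the FILETIME read as a 64-bit value.
    public static int Query(IntPtr h, out uint subKeys, out uint values, out long lastWrite) {
        uint a, b, c, d, e;
        return RegQueryInfoKey(h, IntPtr.Zero, IntPtr.Zero, IntPtr.Zero,
            out subKeys, out a, out b, out values, out c, out d, out e, out lastWrite);
    }
}
"@

$shellbagKeys = @(
    'Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags',
    'Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU'
)

foreach ($path in $shellbagKeys) {
    $key = [Microsoft.Win32.Registry]::CurrentUser.OpenSubKey($path)
    if ($null -eq $key) {
        Write-Output "HKCU\$path : absent"
        continue
    }
    [uint32]$subKeys = 0; [uint32]$values = 0; [long]$ft = 0
    $rc = [RegInfo]::Query($key.Handle.DangerousGetHandle(), [ref]$subKeys, [ref]$values, [ref]$ft)
    if ($rc -eq 0) {
        $lastWrite = [DateTime]::FromFileTimeUtc($ft)
        Write-Output ("HKCU\{0} : {1} subkeys, {2} values, key last written {3:u}" -f $path, $subKeys, $values, $lastWrite)
    } else {
        Write-Output "HKCU\$path : RegQueryInfoKey failed with error $rc"
    }
    $key.Close()
}
```

Deleting a key's subkeys updates that key's last-write time, so an empty BagMRU with a recent last-write time on a profile that has been in use is the trace a periodic wipe leaves behind.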


Deleted files are not really gone; System Restore works against you, and so does the pagefile.

