I would also look into what happens to the data on a disk file after you revert a vm back to a previous state and what that looks like when written to the physical disk.
On 6/30/09, Adrian Crenshaw <[email protected]> wrote:
> Hi all,
> I'm planning another class for the local ISSA (and hope to get some
> Infragard and OWASP folks there). The topic this time is Anti-forensics. I
> plan to cover a few categories of tools:
>
> 0. Show simple tools to see what's been going on
> Places files are stored
> effect of hibernate and page file
> defrag issues (I assume this can leave remnants behind in slack space of
> files that defrag moved, so if a defrag happened just before you wipe a
> file you may not really get all of the data)
> Filecarving with Photorec http://www.cgsecurity.org/wiki/PhotoRec
>
> 1. Selective track covering tools
> CCleaner http://www.ccleaner.com/
> CleanAfterMe http://nirsoft.net/utils/clean_after_me.html
>
> 2. Delete f***ing everything!!!/Nuke it from orbit, it's the only way to be
> sure
> Secure Erase http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml (Scott
> Moulton told me this uses built in ATA commands to wipe even bad sectors)
> DBAN http://www.dban.org/
>
> 3. Encryption
> Truecrypt
>
> 4. System configs/don't leave tracks in the first place
> Wipe swap file on shutdown
> Browsers and incognito mode
> Portable apps/VMs from encrypted volumes (does anyone know how much of the
> Host OS's swap is used by VMWare and the like?)
>
>
> Any more ideas? Any better "Selective track covering tools" than the ones I
> mentioned in section 1?
>
> Thanks,
> Adrian
>

--
Sent from my mobile device

- Chris Merkel
_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
