How could Eraser be a better anti forensic tool ?

Overwriter

Active Member

Nov 22, 2008

#1

Hello !
Well I guess I shall be the first to post in the shiny new Eraser forensic forum !

I suppose a good place to start would be (assuming no third party software is installed) what are the areas on a hard drive with a standard Windows + Office installation that could be a threat to a users privacy ?

This question is aimed at areas that Eraser would or should be focused on, this isn’t a discussion on antivirus, firewalls or even encryption. So, keeping suggestions to within the realms of Eraser, what areas on a hard drive should Eraser pay attention to in order to protect a user’s privacy ?

So far I have got…

MFT
Directory Entries
Page File
Free Space
Cluster Tips
Windows Error Logs
A.D.S. Alternate Data Streams
M.R.U. Most Recently Used
Registry Settings
Index.dat

doreen2202

Member

Dec 6, 2008

#2

Hi Overwriter its been a while although i have been monitoring how things are going.
i believe as long as eraser does exactly that erase beyound recovery especially in vista and the soon to be win7 it will be worth it,i must say it does look funky

Keep up the good work i know you will so glad the project did not die.

Give my best to Joel and the crew.

Regards

Dor

Joel

Active Member

Dec 7, 2008

#3

Haha welcome back!

I've not run forensic tests on Eraser 6, but apparently the preliminary results from what Garrett did shows that its pretty promising. I don't have the details but he didn't scream at me for screwing it up, haha. I'm actually implementing the context menu for v6, that should complete rc2.

Thanks for the well wishes

Joel

Overwriter

Active Member

Dec 13, 2008

#4

Hi doreen2202

doreen2202 said:
Hi Overwriter its been a while although i have been monitoring how things are going.

Nice to hear from you again !

I hope you are going to help us out and do some Beta testing and make some feature requests for us ! :wink:

J

jackjack

Member

Jan 18, 2009

#5

It needs Peer Review. I say this here mainly due to the fact that the other thread is locked.

Realistically anyone capable of peer review and verification is not just going to happen upon the site and help out. You're going to have to actively seek out people in any way that you can, to let people know 1) about eraser 2) the new version 3) the need for testing by those capable of doing more than running recuva etc.

To that end I'd suggest that who ever has been tasked with media relations for Eraser (looks like you volunteered your self Overwriter

) should start hitting the streets and knocking on doors.

I'd suggest talking to the guys over at CyberSpeak and Pauldotcom SecurityNow podcasts as that'd get you out to a wide audience as well as posting to (checking with Jamie first that it's ok to...) Forensic Focus Forum

Overwriter

Active Member

Jan 18, 2009

#6

It needs Peer Review.

Feeling rather smug, as I already thought of this. :roll: ..... :lol:

Realistically anyone capable of peer review and verification is not just going to happen upon the site and help out. You're going to have to actively seek out people in any way that you can, to let people know 1) about eraser 2) the new version 3) the need for testing by those capable of doing more than running recuva etc.

Way ahead of you here !! :roll: ....

To that end I'd suggest that who ever has been tasked with media relations for Eraser (looks like you volunteered your self Overwriter)

I was, shall we say, volunteered !!! Beta tester, feature requesting, forensic team gathering / organising, Eraser documentation, helping on the forums, moderating, administrating, deleting spammers… etc, etc, etc.

I'd suggest talking to the guys over at CyberSpeak and Pauldotcom SecurityNow podcasts as that'd get you out to a wide audience as well as posting to (checking with Jamie first that it's ok to...) Forensic Focus Forum

Way, way ahead of you here also !! :lol: If you have a look at one of the sites you mention you will see I have been winning hearts and minds ! Ha ha !! I will turn down the podcast I was invited to, stage fright and all that ! :lol:

Jackjack you have been away from the Eraser forums for quite some time now and I am glad to see you back. I hope you will help us out now you can see there has been some progress over the last year or so. You seem to be a long term Eraser user / fan and I truly hope you will help us. I / we / Eraser desperately needs your help, nothing too difficult just writing some instructions for V6. Simple stuff but it does require a little effort. I hope you will give something back to Eraser by helping with this.

I already have a forensic team together, an organised testing procedure document is 20% done and I have a few program beta testers some of which are phenomenal in their abilities.

If you are looking for or expecting quality or qualified forensic testers I won’t disappoint you. I have spent a long time writing to experts posting on other forums and generally nagging anyone who I think is qualified to help us. I sent and dealt with over 200 e-mails in a 3 week period just recently whilst holding down a full time job. I worked on Eraser related projects / tasks, for between 2 – 4 hours a day everyday for nearly 7 weeks. The fruits of my efforts are still to come. I have gathered a fantastic group. Some are professional forensic examiners and at least one is a professor !

I also managed to recruit a crypto expert to double check the CSPRNG !!

Eraser V6 when finished will be awesome.

Joel has done some stunning work programming, I am pleased he is sticking with us for now at least !

So jackjack now you are back I really hope you will give a little time to help Eraser.

Thanks and as I said, its nice to see you here again !! :wink:

J

jackjack

Member

Jan 19, 2009

#7

Wow, you have been very busy, and of course I made the fatal mistake of assuming little had changed so didn't bother reading, I've flogged my self appropriately.. It looks like everything is well under control.

Once I've (found a Windows CD and) had a play around I will try my best and add documentation, I had been planning on doing this on the trac wiki* prior to my disappearance all that time ago.

* This allows it to be a collaborative effort where people can add in dribs and drabs or streams

Joel

Active Member

Jan 20, 2009

#8

In theory, but after a while there are sensitive things like Eraser Root Certificates which shouldn't be editable with anyone lest people get conned into installing malicious root certs. We'll think of something later.

Joel

J

jackjack

Member

Feb 11, 2009

#9

Joel said:
In theory, but after a while there are sensitive things like Eraser Root Certificates which shouldn't be editable with anyone lest people get conned into installing malicious root certs. We'll think of something later.

Why would you store the certs in the wiki? You simply store the important stuff on another server and that gives you much more leeway with trac's wiki

Joel

Active Member

Feb 16, 2009

#10

I don't store certs on the wiki - but the links are there and I'm afraid people may edit the link to point to a malicious root cert. That's the main issue. The cert is stored on the Eraser server which is private.

Joel

Joel

Active Member

May 5, 2009

#11

Going back on topic, Overwriter asked for these:

MFT
Directory Entries
Page File
Free Space
Cluster Tips
Windows Error Logs
A.D.S. Alternate Data Streams
M.R.U. Most Recently Used
Registry Settings
Index.dat

My response:
MFT: already securely erased for NTFS ever since rc1. FAT directory entry should make a debut in rc5 (this time, it'll be completely secure and should no longer cause corruption on FAT

)
Directory Entries: basically the same thing as the MFT
Page file: can't do anything about it, unfortunately. it's one of those Windows things which are out of bounds to even drivers (AFAIK)
Free Space/Cluster tips: no comment
Error logs: what can be said? Do tell.
ADSes are already being cleaned as of rc1
MRU lists and Index.dat files should be implemented by 6.2 (as part of the open-source cleanup utility interface - start learning your programming people!) File unlocking will come soon (I promise! I've got the code semi-working on my computer already)
Registry settings: hard to erase because it isn't a file.

Joel

L

louisdaher

New Member

Aug 24, 2010

#12

I want to thank you for developing such a great tool. We are look at using it at the to help our organization meet FISMA compliance and I was wondering if that peer review which was mentioned in this thread and in the locked thread was that review ever completed?

Would any results be available?

Joel

Active Member

Aug 30, 2010

#13

Unfortunately no one has stepped forward with (formal) findings. There are informal findings on the forum, just look around. As of now, barring user error, Eraser seems to be doing its job.

J

jackjack

Member

Oct 13, 2010

#14

Joel said:
Unfortunately no one has stepped forward with (formal) findings. There are informal findings on the forum, just look around. As of now, barring user error, Eraser seems to be doing its job.

Perhaps a project admin might like to request a code review from the LiberationTech mailing list. While most reviews are for software intended to keep people anonymous, eraser I think would fall under the remit of liberation tech.

X

xigil

New Member

Sep 21, 2012

#15

This may not go along with what seems to be the current direction I am seeing on this post but a simple, though probably not, improvement would be a stand alone application that could be put on say a small usb thumb drive that would be mobile with out the need for installation. No installation means no trail. Quick on the go cleaning with no trace sounds like an awesome improvement though considering the current dependencies on the .net frame work it would probably require a whole overhaul of the current set up. But then again I am not a big fan of netflix using silver-light due to netflix doesn't work with Ubuntu. Cross platforming would be a nice perk when I think about it but not expected. Functional tools like this for windows is just as helpful when managing private data in the wild.

So that is my two cents thrown in on this topic how it could be better. I have been using this app for about a year so I don't know all its past but I know that I am security conscious on some stuff and when I need it this would be nice to have on a thumb drive with my other mobile security bundle. :ugeek:

S

Sambro70

New Member

Nov 17, 2012

#16

Hello to everyone, I'm new here.

I have come to feel paranoid lately and love the fact the people and groups like you and this one are working on cutting edge solutions to help "relieve" my paranoia.

I Use several programs with my vista and windows 8 to try to destroy "more like incinerate" any trances left on my hard drive from any and all activities on the internet. I have sandboxie and I have added the "temp" to the sandbox location so as to avoid the restore function from copying my page file with traces of my browsing. I have also followed the directions on the internet to encrypt my page file so when I restart windows it will delete the page file and the remaining traces will be deleted but unrecoverable because they were encrypted.

I use ccleaner with the enhancer added to delete the traces on my hard drive. I use eraser 6 to delete the sandbox on sanboxie and have it overwrite the files 3 times. Then I run Recuva (same people as Ccleaner) and I run an indepth scan to see if there any files left over the can be viewed. In most cases I get files that can be seen and recovered as thumbs with images from my browsing. This means that after all this, there are still files that have not been totally destroyed and made unrecoverable. I also set erases to do the delete with 3 pases, and I restart my computer to clean out the page file.

So, what am I doing wrong?

Perhaps you could include some code to encrypt the page file so when we restart windows it's encrypted. Also you may want to expand your deletion process to find those files and image thumbs, gifs, png, etc files that have been sandboxed, then deleted with eraser (DOD3) then cleaned with ccleaner and finally found with Recuva.

I have found that Recuva is a great test for how to find out if a foresensic program will find any traces of browsing in your hard drive. Run Recuva in deep scan mode and let it go all the way to the end (in search box I enter *.* so it will find all files)

Thanks for the great work.

PS. I am finding it a little hard to enter the file names in the schedule of eraser so it will delete the contents. Maybe it would be great if you could add a list of the common places that should be processed by eraser so it is not left up to me to find and add the common locations. Also if possible, maybe include a button somewhere to automatically attach eraser to the more common programs like sandboxie and others.

Thanks.

Joel

Active Member

May 8, 2013

#17

xigil said:
No installation means no trail. Quick on the go cleaning with no trace sounds like an awesome improvement though considering the current dependencies on the .net frame work it would probably require a whole overhaul of the current set up.

Not true: your computer has caches containing what programs were run, even if not installed.

And you can't erase that. Unless someone implements raw registry reading/writing to the hive files.

Joel

Active Member

May 8, 2013

#18

Sambro70 said:
I use ccleaner with the enhancer added to delete the traces on my hard drive. I use eraser 6 to delete the sandbox on sanboxie and have it overwrite the files 3 times. Then I run Recuva (same people as Ccleaner) and I run an indepth scan to see if there any files left over the can be viewed. In most cases I get files that can be seen and recovered as thumbs with images from my browsing. This means that after all this, there are still files that have not been totally destroyed and made unrecoverable. I also set erases to do the delete with 3 pases, and I restart my computer to clean out the page file.

These usually mean that you've got thumbnail caches somewhere that's not deleted. Programs like stowing away thumbnail copies. There are common culprits, but getting rid of all of them will only get more and more difficult.

Sambro70 said:
Perhaps you could include some code to encrypt the page file so when we restart windows it's encrypted.

Like I've said in another thread,this is a Windows system function, and there are ways of properly doing it. Eraser should not be flipping the switch for you, and providing you with a potential false sense of security.

Sambro70 said:
Also you may want to expand your deletion process to find those files and image thumbs, gifs, png, etc files that have been sandboxed, then deleted with eraser (DOD3) then cleaned with ccleaner and finally found with Recuva.

That's the point of having a scheduler with Eraser.

Sambro70 said:
PS. I am finding it a little hard to enter the file names in the schedule of eraser so it will delete the contents. Maybe it would be great if you could add a list of the common places that should be processed by eraser so it is not left up to me to find and add the common locations. Also if possible, maybe include a button somewhere to automatically attach eraser to the more common programs like sandboxie and others.

Sounds like what CCleaner does, IMO. Though I'm thinking of having an open-source equivalent.