Need experts' advice


whoarestinkler
July 31st, 2009, 01:19 PM
Rmus said: -{ Quote: "As arran points out, a program such as Deep Freeze solves the problem for anyone who doesn't want these records kept. Anything written to C:\ while DF is frozen will be discarded on reboot. That takes care of the Index.dat stuff and anything in the Registry." }-
I have some questions:
- Which DeepFreeze version do I have to use if I want to make sure no forensic expert could recover any user actions (e.g. opening folders and files encrypted by TrueCrypt) on Windows systems? Will any DF files be kept on the real Windows system? Is there any "portable" DF version that could be launched directly from a USB flash drive with NO TRACES on the real Windows system? Do I have to erase free space with Heidi Eraser after using DF?
- How do I disable ALL "MRUs" in Windows (e.g. HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices etc.)? Could a forensic expert recover the "pagefile.sys" file if it is cleared on each Windows shutdown?
- Which DBAN (http://www.dban.org) do I have to choose to wipe all disks if I have an Intel Core 2 Duo (Dell 1520)?
Thanks in advance.
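The questions above name two concrete Windows artifacts that an examiner (or an administrator auditing a machine) would look at: the HKLM\SYSTEM\MountedDevices key, which records every volume the system has mounted, and the ClearPageFileAtShutdown setting that controls whether pagefile.sys is overwritten on shutdown. The script below is an added triage example written for this page, not code from the thread or from any product mentioned in it; it only reads those locations and reports what they currently contain. It assumes it is run from an elevated PowerShell prompt on the host being examined, and it does not change anything.

```powershell
# Added example (not from the thread): list what HKLM\SYSTEM\MountedDevices records,
# and report whether the pagefile is configured to be cleared at shutdown.
# Read-only: nothing here modifies the registry.

$mounted = Get-ItemProperty -Path 'HKLM:\SYSTEM\MountedDevices'

$mounted.PSObject.Properties |
    Where-Object { $_.Name -like '\DosDevices\*' -or $_.Name -like '\??\Volume{*' } |
    ForEach-Object {
        $bytes = [byte[]]$_.Value
        # Short values (fixed disks) hold a disk signature plus partition offset;
        # longer values are UTF-16 device paths, e.g. removable USB storage.
        if ($bytes.Length -gt 24) {
            $device = [System.Text.Encoding]::Unicode.GetString($bytes)
        } else {
            $device = ($bytes | ForEach-Object { $_.ToString('x2') }) -join ''
        }
        [pscustomobject]@{
            Name   = $_.Name
            Device = $device
        }
    } | Format-Table -AutoSize

# ClearPageFileAtShutdown (REG_DWORD): 1 = pagefile overwritten on shutdown, 0/absent = not.
$mm = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
$clear = $mm.ClearPageFileAtShutdown
if ($null -eq $clear) { $clear = 0 }
"ClearPageFileAtShutdown = $clear"
```

The point of running it is to see how much a volume-level snapshot tool like Deep Freeze does not cover: MountedDevices lives in the SYSTEM hive on the real partition, and the pagefile setting only matters for a clean shutdown, which is why the later replies in this thread emphasize full-disk encryption rather than trying to suppress individual records.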

whoarestinkler
August 2nd, 2009, 11:15 AM
NO EXPERTS HERE???

kC_
August 2nd, 2009, 11:22 AM
NO EXPES HERE:blink:

Osaban
August 3rd, 2009, 02:06 AM
-{ Quote: "Rmus said:
I have some questions:
- Which DeepFreeze version do I have to use if I want to make sure no forensic expert could recover any user actions (e.g. opening folders and files encrypted by TrueCrypt) on Windows systems? Will any DF files be kept on the real Windows system? Is there any "portable" DF version that could be launched directly from a USB flash drive with NO TRACES on the real Windows system? Do I have to erase free space with Heidi Eraser after using DF?
- How do I disable ALL "MRUs" in Windows (e.g. HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices etc.)? Could a forensic expert recover the "pagefile.sys" file if it is cleared on each Windows shutdown?
- Which DBAN (http://www.dban.org) do I have to choose to wipe all disks if I have an Intel Core 2 Duo (Dell 1520)?
Thanks in advance." }-

I'm no expert, but I've been using virtualizers for years. DeepFreeze won't write anything on your active partition, but will create a virtual volume which will be DELETED on the next reboot. I believe it would be easy for an expert to recover the virtual volume as long as it is not too old. If you want to make sure that everything is really gone, you should ERASE the free space.

About the other questions, you can e-mail DF directly; they usually answer any queries quickly.

Dregg Heda
August 3rd, 2009, 08:18 AM
So I could use Shadow Defender in a similar manner, to access a TrueCrypt volume for example, and then reboot and wipe the free space with Eraser? And there will be no traces left?

whoarestinkler
August 3rd, 2009, 02:24 PM
-{ Quote: "So I could use Shadow Defender in a similar manner, to access a TrueCrypt volume for example, and then reboot and wipe the free space with Eraser? And there will be no traces left?" }-
I think some traces will be in "pagefile.sys", ntuser.dat, and in any temporary files SD used.

caspian
August 3rd, 2009, 10:03 PM
I wondered about this too. What if a person is using DeepFreeze or Returnil and downloads a lot of music and movies and then transfers them? Evidently it doesn't keep records or make permanent registry changes. But isn't all of that stuff still on the hard drive? Just as if you had downloaded it and then deleted it?

arran
August 9th, 2009, 09:44 PM
This is why it's better to also have full disk encryption as well as Returnil or Deep Freeze.

For my downloads, I don't download them to my main hard drive and then transfer them afterwards. All my downloads get downloaded directly into my TrueCrypt container.