how to prevent network logging in windows 7

anybody know how to , id appreciate it alot ,id be using a pfsense vm to have my host connect to for anything non real life

 

What is 'Network Logging"?

PD

 

Why are you using windows if you care about logging? Time to go to a Linux distro happy.

 

lols i would , hell id even move to qubes , problem is i got a crap ton of windows apps that i require for daily work that dont exist on other platforms , not to mention games compatibility , hence why i need to find out what and how much windows logs of your network activity while using pfsense vm and possibly disable it, since ill be running a pfsense vpn vm in both my decoy and hidden os, and need to uphold plausible deniability , if possible for this situation, dont feel like

weakening it only cause windows logs my net traffic from my pfsense vm , if i can find a way to disable logging for network activity i can uphold plausible deniability while using my pfsense vm setup in my hidden os , since theres no logs as of when i was connected , and hence i can say i was connected to the pfsense vpn vm at that time in my decoy os , even thou i wasnt see where im comin from , theyd have to take my word for it then , after checking my isps connectivity logs

ive been googlin but havent found nothing yet on if w7 even logs net connectivity

if not id have to let a seperate laptop or pc , let running a pfsense air vm as long as im running my hidden os vpn|tor|vpn setup



been doing some research on the exact things your isp sees



http://stackoverflow.com/questions/...visible-to-an-isp-when-using-a-vpn-connection


http://ask-leo.com/can_my_isp_know_if_i_am_using_a_vpn.html


https://www.youtube.com/watch?feature=player_embedded&v=oG0moesXmQg

this is actually a very interesting and much required topic to be solved , exspecially for all those truecrypt users out there


makes me wonder how does the isp log your net traffic , as in exactly in what order , since lets say i have a router connected to my isps modem , then from there have serveral pcs connected to it over wifi , i have a couple using my real isps ip and others using my vpn ip, wouldnt it show the connections traffic from all pcs using the vpn as one connection aka one pc connected to the vpns entry ip or what since all vpns would be the same provider hence using the same entry ip , makes you think

 

Happy, how much logging survives a restart while using Shadow Defender? I would think there would be very little if any.

 

not sure tbh thats why ive opened this thread in the first place , in order to get some ideas goin , as ive said i was thinkin bout maybe runnin a second laptop connected to airvpn on a seperate account , not sure thou if that

would be beneficial thou since i dont know for sure if my isp shows connections to my vpns login server per pc or as one connection , still trying to find an answer here tbh, thou id recon that idea wouldnt work since your isp most likely records any ip connection no matter if the same entry ip of your vpn itll just record it twice , so theyll most likely know you using 2 pcs at that time , hence no plausible deniability , so it seems that idea is wasted , btw maybe somebody with some more experience on shadow defender would be able to comment on this statement , id recon thou that there wouldnt be any , but theres a time where youd have to like run updates once in a while as well , and then youd have logs id asume tho that shouldnt matter since you generally run in freeze mode aka full virtualization


btw you can run faronics deepfreeze its like shadow defender , just an updated version you could say and not abandonware unlike shadow defender is



i mean logically thinking , lets say you have freeze state or shadow defenders equivalent running, id recon since its all virtualized , no logs, except the time where you update software wich is of high interest as mentioned in the truecrypt tutorial and will affect plausible deniability , UNTIL ive found this! it defeats the windows update server logging apparently

http://support.faronics.com/Knowled...es-handled-on-deep-freeze-protected-computers


hence plausible deniability is upheld, hell yeah !



, , any others , common, caspian the only one on wilders that has some ideas,id like to hear more creative minds on this forum , no im not going to linux, lols

ive already used encryptedbytes tutorial on locking down windows per group policy as good as possible , disabled all logging as good as possible , but we all know network logging is a seperate thing for itself, actually a real bitch to find any info on the net about it


but thats a great idea , just gotta think about the plausible aspect of it, give me some time to think about that idea ,but it already sounds very much foolproof, not sure if there would be any better solution at all matter of fact , matter of fact im gona go and do that right now, great freakin idea caspian youve outdid yourself this time my friend

 

From what I understand, that guy Tony from Shadow Defender is back. So I guess there are updated versions now.

I have never tried Deep freeze. Just SD and Returnil. But SD fans brag that shadow Defender is the only one that can defeat a TDSL rootkit (not sure if that's exactly the right name, but close).

I would think that EncryptedBytes would be the perfect guy to test shadow defender to see what kind of traces are left after reboot.....but I don't know if he is interested.

 

You know VirtualBox leaves plenty of logs happy?

 

woah , what he sez , please elaborate my friend,where who what and when , btw what caspian , really, lemme check on that , havent heard anything about tony ,and yes that would be nice if encryptedbytes could test shadow defender out and perhaps faronics deepfreeze and wich one would be better, anyhow ive just zapped encryptedbytes a pm , lets see what he has to say

 

Look in C:\Users\ You will find 2 folders, one named .VirtualBox and the other named VirtualBox VMs. Inside contain logs of all sorts, with DCHP, LAN, I.P, Name of VM .ISO and heaps more information about your system.

 

your right shadow defender is not abondanware officially wohooo!!!! thank god , hell now we gotta see if shadow defender or faronics deepfreeze is a better pick , we shall see , depending on encryptedbytes feedback, ill know wich one to go with , cant wait


http://www.shadowdefender.com/


http://www.shadowdefender.com/history.html


ok damn it so the only way would be to use shadow defender or deepfreeze , only way to uphold plausible deniability after alot of thinking yesterday and now, thanks for that computersaysno

 

If anyone gets far enough to see that stuff, it's pretty much game over. So I wouldn't worry too much about it.

 

Very true - you nailed that.

 

Just so the context is clear, we're talking about the VirtualBox folders in his Truecrypt hidden Windows installation.

What he's concerned about is logging of network activity in his decoy Windows installation. He's concerned that, if network activity is logged, there will be gaps when he's using the hidden Windows installation.

I don't believe that VirtualBox is installed in his decoy Windows installation. Right, happyyarou666? I don't see any need for it.

Edit: I forgot that he's running VBox in his decoy OS, and connecting to AirVPN with a pfSense client, for plausible deniability re AirVPN use, as observed by his ISP. So he needs Shadow Defender or whatever to prevent persistent logging in the decoy OS.

 

That's funny. No, I understood the context and agreed with the premise that if one gets to that point - it's really not worth discussing anything else. As you said, it would be 'game over.'

 

@happyyarou666

There's an old thread on the TrueCrypt Forums: "Hidden systems, plausible deniability, and the Internet" (-http://forums.truecrypt.org/viewtopic.php?p=63381).

One response mentions using a Windows BartPE CD, rather than a hidden OS, to access encrypted data. Instead, I wonder whether one could use a Windows BartPE ISO, rather than an actual Windows install, as the decoy OS. That way, the decoy OS would leave nothing behind.

But that probably wouldn't work for you, right?

 

One important thing you left out is this. When you create a Virtual Machine it creates it's own MAC address, MAC addresses can be pin pointed down to the manufacturer. VMare does this for all it's VM's, and it's how malware uses this technique to stop analysts analyzing it & so the malware know's it's being run in a VM.

I imagine VirtualBox is the same and has it's own MAC address in the name of ORACLE. Can someone confirm this?

This poses the problem to multi VM setup's, that you are reducing your anonymity by using them because the information is there telling people you use a VM with the MAC address.

 

lols WRONG im talkin decoy , hidden isnt the topic here, since hidden is well ..hidden nobody cares about it since it "dont exist" , , im obviously talkin decoy, , and ill be using virtualbox in my decoy as well just cause i can , lols and i like pfsense over my vpns connection client , yeah its all your fault mirimir , youve turned me over to the dark side aka pfsense vms lols



lmfao at computersaysno , my friend first thing first , just so we get this clear , there is no epic fluffy huge monster database that contains every random mac address your vm creates and no oracle dont have them -.-, this is a big misunderstanding some people have


btw logging is done regardless windows or virtualbox both log to hell and back after doing some more research and thinking and talking to encryptedbytes and computersaysno remark , checking eventviewer etc , so as i said , shadow defender is the only way to uphold plausible deniability without giving away reason to believe theres a hidden os, reason being outdated logs and outdated network logs , fully virtualized os per shadow defender except when updating , upholds it 100% since it only contains the logs from when you wasnt fully virtualizing per shadow defender , encryptedbytes is gona do a testrun on shadow defender once he gets some time off from work


btw mirimir bartpe good idea but using a fully virtualized environment does the same thing without the extra work or device, leaves nothing of interest to the integrity of plausible deniability behind, thou i do advice to use a seperate encrypted flash drive to store the tc bootloader to and boot from that just to make sure nothing has tampered with your plaintext tc bootloader on your hdd, thou id recon if they got that far with tampering it would be advisable to not use the pc at all, thats if youd have seperate measures setup to counteract tampering and it being noticeable, thou it could aid to realizing that your stuffs been tampered with , best to remove the entire tc bootloader from the hdd with hex editor just to make sure

 

The TC Bootloader gets removed when you install the decoy - the regular Windows Bootloader is there. If you decide to do a 'By the book" Hidden OS install, TC will then, once again, install it's Bootloader, having scanned your devices and finding the Hidden OS. If you never install TC on the decoy (a modified, unapproved by TC devs, solution), there is no TC Bootloader and you darn well better have a bootable external device with the rescue.iso on it

I would think that your ISP would just see a connection from your IP address, not specific machines. MAC's shouldn't make it past your router. Now, you bring up a good point that two identical connections to your VPN could indicate more than one computer in use, but I don't think they could ID *which* computer. I guess if all you have is one internet capable device, than that could be a problem, but including desktops, laptops, phones, and tablets - I have about 15 devices that could log on to the VPN.

But then again, if all you have is one device, you won't be logging on with the Hidden and Decoy at the same time.

For me, I use the heck out of my decoy, and I don't care who knows it. It's all browsing "Save the Children" websites and YouTube cat videos...but I use the heck out of it because you should

Just some thoughts...I have no idea what an ISP can actually see/deduce.

PD

 

yes im talkin a by the book tc install , and yes ive talked to encryptedbytes about the isp and what they see when more than one pc is connected to the same vpns server ip , he too said that it dont matter how many physical devices connect , your isp only sees one vpn ip , so thats ok , but you still got the logging problem , hence why you need to use a fully virtualization program aka shadow defender or such in order to uphold plausible deniability , and yes you should use your decoy os for everything "official" like save the children and cat videos, lmfao , hell even use it for your regular stuff like banking and ebay and paypal and real life stuff like real life email etc , "official" work documents , random certificates , makes it plausible and gives it a use

for everything anonymous and private data ,use the hidden os, everything you dont want people that have no buisness snooping around to keep out of


btw ive been lookin around and trying to figure out how to remove the tc bootloader with hex editor , couldnt find any clear tutorial on it thou, the best you get is 6 year old hints but no real explanation how to do so , so i currently got the bootloader both on my flash drive and hdd , per usb easy installer , with hirens boot cd setup to load tc rescue.iso ,kind of a botched attempt , lols , anyone got some advice on how to remove it completely and make a proper bootable usb flash drive with tc rescue iso , id like that

 

Happy, while I don't run a 'proper' Hidden OS setup (I never install TC after the clone), I would think booting to the Windows Recovery console and choosing the Command Prompt, you can run bootrec.exe /fixmbr to get the Windows Boot Loader to overwrite the TC one:

https://support.microsoft.com/kb/927392

I know you know, but make sure your rescue.iso can boot both systems before doing that!

As far as making bootable media, I use this method from bob7 on the TC Forum:

The only thing I would add, is that some devices just won't 'take' the process...so have a few USB/SD Card devices on hand...one will eventually work.

PD

 

title TRUECRYPT RESCUE DISK
find --set-root /tc.iso
map --mem /tc.iso (hd32)
map (hd0) (hd1)
map (hd1) (hd0)
map --hook
root (hd32)
chainloader (hd32)

yes this is the same line ive used for making my bootable hiren usb with tc custom entry , lols , ill try this with a fresh usb flash drive without hiren, since it itself isnt quite legal , at least not my version , lmfao


anyhow ill go and try the cmd entry asap in the windows install disk and see if it works , btw you need truecrypt installed on your decoy in order to make a proper decoy encrypted os , unless somethings changed, anyhow that and a nice bios password will be a nice way of detecting tampering thou there are much more ways its a nice start

 

In happyyarou666's setup, pfSense VMs that are bridged to the host network adapter will report their MAC addresses in getting IP addresses, but this will be from his LAN router. Those MAC addresses won't get out to his ISP.

However, this does mean that he should have logging turned off in his LAN router.

 

you mean my router , yeah i thought about that too to disable logging, ill do that as well, thats if its even possible gotta check google

update>

ok i tried doing the bootrec.exe /fixmbr , no success , afterall tc encrypted volumes show up as raw volumes in windows install dvd recovery environment ,i get a x>sources directory when running cmd, any better ideas to remove the tc bootloader

 

While unsupported, it wasn't found that an unencrypted decoy in anyway compromised anything, from what I read on the TC Forum. There was initially a thought that the partition sizes reported, had some irregularities...but this turned out to be just Windows not being granular enough to accurately report minute used/free space numbers with the Outer Volume. If you know of something else, post it, because I think it is a good method to get past cursory inspections without getting the "oh you use encryption" raised eyebrows.

I use that bob7 method and it works great just as long as you can get a 'good' external device that works. Basically, if 'MBR' shows up as an option, it should work.

PD