LastActivityView reveals too much.

Discussion in 'privacy problems' started by zmechys, Feb 14, 2013.

  1. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Paranoia aside, that's probably the intent. It's for debugging. There's probably a way to collect all of that information to submit in an error report :) Let's hope that it's not done automatically ;)

    Of course. All the better to "help" you ;)

    No.

    Indeed. But that model seems to be changing. The industry is apparently moving toward a lease model, for content, software and hardware. You won't actually own anything. Any of it can be altered or removed without your consent. And trying to change anything will void your contract, and destroy it.
     
  2. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    I agree that this is what the industry wants, but they will not get it so easily. At least some people (including me) are determined to resist this trend as long as possible. :)
     
  3. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    An answer can be found here:
    http://computer-forensics.sans.org/blog/2011/07/05/shellbags

    And for people who don't want to read the whole article, here is the short explanation:
     
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yeah, me too. I'm betting that, for a while at least, we can emulate whatever's required in VBox or whatever. There are many who feel as we do, and some of us can program :)
     
  5. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    All operating systems log everything you do somewhere. In Linux you have a nice logs folder, but not everything follows the standard, so each program logs its history somewhere.
    The best protection you get is an encrypted hard drive and locking your computer when you are away from it, denying unauthorized access to its content.
     
  6. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,155
    Location:
    usa
    From your article:

    "Thanks to the wonders of Windows Registry last write timestamps, we can also identify when that folder was first visited or last updated"
    ---------------------------------------------------------------------------
    Thank you Nir Sofer for ShellBagsView.

    Size of shellbagsview.zip - 42.2 KB.
    Time to download and setup - 1.5 sec.
    Information - priceless.
    ---------------------------------------------------------------------------

    My questions.

    1. What registry key could I modify in order to stop or slow down the on-going wondrous "spy-log"?

    2. What if I start deleting those registry entries:
    Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags ?

    3. Why do I have ShellNoRoam (Vista) on my Windows 8 computer?

    4. ShellBagsView shows ....\Bags\406, but my registry only goes up to number 56?
     
  7. The_PrivaZer_Team

    The_PrivaZer_Team Developer

    Joined:
    Feb 14, 2013
    Posts:
    1,077
    Location:
    France
    To view \Bags\406, right-click in ShellBagListView on \Bags\406 and choose "Open Slot Key in regedit".
     
  8. The_PrivaZer_Team

    The_PrivaZer_Team Developer

    Joined:
    Feb 14, 2013
    Posts:
    1,077
    Location:
    France
    You cannot "slow down" the creation of "Shell\Bags".

    Each time you open a folder, it stores its "View Settings"
    - in Shell\Bags and Shell\BagMRU
    - in ShellNoRoam\Bags and ShellNoRoam\BagMRU (Vista and above)
     
  9. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,155
    Location:
    usa
    I don't have Bags\406. It stops at Folder/Bag 57.
    57_Bag.PNG
     
  10. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,155
    Location:
    usa
    OK.

    How can I delete the Bag logs that are completely irrelevant to me and to my precious Windows 8?
     
  11. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    CCEnhancer-3.7 cleans Shell Bags and many other things on Windows.
     
  12. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,155
    Location:
    usa
    Thank you.
    What about Winapp2?
    http://winapp2.com/
     
  13. The_PrivaZer_Team

    The_PrivaZer_Team Developer

    Joined:
    Feb 14, 2013
    Posts:
    1,077
    Location:
    France
    It is not recommended to remove all keys under Shell\Bags because it removes all your "Folder View settings"
     
  14. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    It uses exactly Winapp2.
     
  15. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,155
    Location:
    usa
    CCEnhancer-3.7 removed all ShellNoRoam(Vista) Bags but left Shell Bags.

    I've re-started twice and haven't noticed any changes in my "Folder View" Settings yet.

    It's a step in the right direction.
     
  16. The_PrivaZer_Team

    The_PrivaZer_Team Developer

    Joined:
    Feb 14, 2013
    Posts:
    1,077
    Location:
    France
    Shell Bags may contain information as well and can be used to recover your activities. Maybe this link could help you to figure out what can be recovered:

    http://www.williballenthin.com/forensics/shellbags/

    But, as said, removing all Shell Bags or Shell BagMru will remove your "Folder View" Settings:
    for instance, if you like to see certain folders with "detail view" in Windows Explorer, your preferences will be erased.
     
  17. aklies14

    aklies14 Registered Member

    Joined:
    Jun 22, 2012
    Posts:
    29
    Location:
    America
    I think this should be expected: either you live with that and let Windows log all your folder locations with view settings, or you delete them from time to time and then live with the default view setting. The choice is yours. :)

    CCEnhancer takes care of shellbags but resets my view settings. I am fine with that.

    Edit: I can understand Windows saving the view settings of my folders so that it can display them in the way I expect, but one thing I don't understand is why Windows has to log view settings and location for folders where I'm using the default setting and not my own.
     
  18. zmechys

    zmechys Registered Member

    Joined:
    Dec 29, 2012
    Posts:
    1,155
    Location:
    usa
    The article "Windows Shellbag Forensics" had a reference about "Registry Keys" http://support.microsoft.com/kb/813711
    I have two questions.

    Microsoft publication says:

    Reset the registry settings for folders
    Delete the following registry subkeys:
    HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\Bags
    HKEY_CURRENT_USER\Software\Microsoft\Windows\Shell\BagMRU
    HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\Bags
    HKEY_CURRENT_USER\Software\Microsoft\Windows\ShellNoRoam\BagMRU
    HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU
    HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags


    1. Does it mean that I can delete those Registry Keys?

    2. What is the meaning of 5000? What happens if I set the value to 100?
    "Create and then set the BagMRU Size registry value to 5000 in the registry subkeys"

    From your article:
    "These keys are useful to a forensic investigator. Shellbags persist information for directories even after the directory is removed, which means that they can be used to enumerate past mounted volumes, deleted files, and user actions."

    IMHO, it clearly states that those BAGS have nothing to do with the stability of my computer/registry, recovery, restore, etc... It clearly delivers the one and only message: These keys are useful to a forensic investigator

    Mirimir, I don't get your answer.
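
An added example (not part of the thread or of any poster's tooling): a read-only PowerShell inventory of the six registry locations quoted above from the Microsoft article, showing for the current user which of them exist, how many subkeys each holds, and the highest numbered child key. The function name `Get-ShellBagInventory` is hypothetical; the key paths are the ones listed in the post.

```powershell
# Added example: read-only inventory of the ShellBag locations named in the thread.
# Nothing is modified or deleted; it only reports what is stored under HKCU.
$locations = @(
    'Software\Microsoft\Windows\Shell\Bags',
    'Software\Microsoft\Windows\Shell\BagMRU',
    'Software\Microsoft\Windows\ShellNoRoam\Bags',
    'Software\Microsoft\Windows\ShellNoRoam\BagMRU',
    'Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU',
    'Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags'
)

function Get-ShellBagInventory {   # hypothetical helper name
    param([string[]]$SubKeys)

    foreach ($sub in $SubKeys) {
        $path = "HKCU:\$sub"

        # A location that does not exist on this Windows version is reported, not skipped.
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{ Key = $sub; Present = $false; SubKeys = 0; HighestNumbered = $null }
            continue
        }

        # Every key below the location, at any depth.
        $all = @(Get-ChildItem -LiteralPath $path -Recurse -ErrorAction SilentlyContinue)

        # Direct children with purely numeric names (the numbered slots under Bags,
        # the numbered entries under BagMRU).
        $numbered = @(Get-ChildItem -LiteralPath $path -ErrorAction SilentlyContinue |
            Where-Object { $_.PSChildName -match '^\d+$' } |
            ForEach-Object { [int]$_.PSChildName })

        $highest = if ($numbered.Count -gt 0) {
            ($numbered | Measure-Object -Maximum).Maximum
        } else { $null }

        [pscustomobject]@{
            Key             = $sub
            Present         = $true
            SubKeys         = $all.Count
            HighestNumbered = $highest
        }
    }
}

Get-ShellBagInventory -SubKeys $locations | Format-Table -AutoSize
```

Running it before and after a cleaner shows which of the six locations that cleaner actually touched.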
     
  19. aklies14

    aklies14 Registered Member

    Joined:
    Jun 22, 2012
    Posts:
    29
    Location:
    America
    What about Windows, how will it keep track of the view settings of all folders?
    I know they could have deleted entries for folders which get deleted, but they didn't do it that way. They should have but didn't.
     
  20. Nebulus

    Nebulus Registered Member

    Joined:
    Jan 20, 2007
    Posts:
    1,635
    Location:
    European Union
    Every bit of data on your computer is useful to a forensic investigator. The registry keys in question make the life of such an investigator easier, but that doesn't mean that if they aren't there then any investigation is foiled.

    Bottom line is: everything you do on your computer leaves a trace on your HDD. You can use a LiveCD to limit the traces left by the OS, but you will still need to store some data on a storage medium. You can encrypt everything, but that is no guarantee that you won't be forced to reveal your password sometime in the future. There is no such thing as perfect security/privacy/anonymity solution.
     
  21. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    I thawed my laptop from Deep Freeze and got all the shell bag info removed (and there was a lot). I then did my normal routine before entering back into a frozen state, but this time I set my folder views and settings before freezing.

    I am surprised we went how many years (?) before LastActivityView showed us what all was there. Now, all the cleaners are adding it to the clean-up process. I still go back to something I mentioned earlier - how much is there that we don't know that we don't know.

    I still feel my fully encrypted laptop and other measures offer me a good system for privacy and security.

    Oh! Thanks to the PrivaZer team for coming to be a part of the Wilders forum. That shows me something. Great work you're doing!
     
  22. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Although I'm generally rather suspicious, I was somewhat jokingly cutting Microsoft some slack about their reasons for tracking everything. Is Windows really designed to support forensic investigators? Or are they just playing to frustrated admins and support staff? It's hard to say, I think.
     
  23. Syobon

    Syobon Registered Member

    Joined:
    Dec 27, 2009
    Posts:
    469
    Not really; this is partial information that software makes use of for something larger.
     
  24. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,171
    Or did this also help Microsoft's own data collection efforts? Or are some Microsoft developers simply not very good? Or are many Microsoft developers not encouraged/allowed to put in the extra effort that distinguishes high quality software? To some degree, it is probably to Microsoft's economic advantage if it leaves various aspects of its software lacking. Others, out of frustration and/or a desire to profit, will develop software to address the shortcomings and many of them will purchase development tools/subscriptions from Microsoft.
     
  25. noone_particular

    noone_particular Registered Member

    Joined:
    Aug 8, 2008
    Posts:
    3,798
    The ways Windows stores usage data are known. It's just that they're not widely discussed. We've had the tools to investigate this all along. I mentioned several of them earlier. Most of the time they get used against spyware/malware or with apps that exhibit questionable behaviors, and we have not used them to evaluate the OS itself the same way. When they do get used on the OS, and registry keys like ShellBags are found to contain usage tracks, the suspicion is deflected by the fact that the keys also serve other "legitimate" purposes. In this instance, it's storing the user's viewing preferences. Win 98 stores the same user viewing preferences, but doesn't need ShellBags to do it. That entire part of the registry (Shell and ShellNoRoam) doesn't exist on 98.

    Slightly OT but related. A lot of people speculate as to whether Windows has a hidden back door. IMO, it has several backdoors, hiding in plain sight, enabled by default. When you think about it with the average user, how much more would they need than ShellBags, the remote registry service, and UPnP?

    Windows has always stored usage data. Each version (and service pack upgrade) has added to that storage. Since most of this babysitting serves more than one purpose, people overlook it or accept it as necessary to other "features". For the most part, it's not obvious or even visible to the average user. Unlike user apps, this "feature creep" has been very gradual, with several years passing between operating systems. Each new OS or service pack adds a bit more usage track storage, makes those tracks more difficult to view, or removes access to them entirely. When you compare Win 2K to XP, XP to Vista or Vista to Win 7, the changes don't look that big. It's when you compare usage tracks on 2K to Win 7 (or Win 98 to XP) that you see just how far it's gone. It's easy to individually explain away these little changes when you look at just one change or limit your comparison to just the previous OS. When you start looking at all these changes together over a longer time period, it's hard to come to any other conclusion. The Windows OS is designed to spy/snitch on its users. It will continue to get worse. A large percentage of the usage tracks storage is redundant with one part of it fairly obvious and the other part hidden and/or difficult to access. If a user cleans one but not the other, it becomes obvious that the user is deleting usage tracks. Our present laws allow them to call that destroying evidence if they choose to do so. An example would be browser history, the Temp internet folders, and index.dat files. Finding all the stored user data on the new versions of Windows is a challenge even for most geeks. The average user has no chance of finding it all. This is the primary reason I won't "upgrade" past XP and still use 98 as my primary OS.

    A bit earlier, encryption was mentioned as a solution/mitigating factor. I question its value here for several reasons.
    1, Encrypting an OS only protects it when it's not in use. When that OS is running, it's accessible.
    2, The terms under which you can be compelled to turn over a password or be forced to decrypt your system are steadily getting broader. In some countries, refusing to do so is a crime. In this country, saying you're a terrorist suspect (with no evidence at all) is sufficient.

    Don't assume that you've done nothing wrong. One only needs to look at current events not shown on mainstream news to see the trend. Anything that doesn't give big money all that they think they're entitled to is becoming a crime. If it involves a computer, that makes it a computer crime and puts it under the scope of the FBI or worse. Customs officers check for pirated material, effectively making them an enforcement arm for the whims of big money.
     