is there a way to erase all truecrypt traces?

Hi
i use truecrypt portable in several machine

is there a way to erase all the traces left by truecrypt?

most machine work under w7 64bit and w8.1 64bit

for example i found that it left data in

Code:

HKEY_LOCAL_MACHINE\SYSTEM\MountedDevices

thanks

 

That is a tall order. Any OS is going to leave traces of much activity performed when it is used, and not just TrueCrypt stuff. Things like file names, times, file system journals, logs etc.. What exactly do you do with TC portable? If you only need to copy files to/from computers you could likely accomplish that easily with a live CD containing TC in the build. E.g. you would bring up linux live containing TC and then open your container using it. From there you can mount the partition/disk on the windows machine (encryption out of the way or you decrypt) and copy any files you want to over to your TC encrypted portable media device. Since windows isn't running the activity won't get traced as it would using an active windows OS. Then close out TC and when you shut down the Linux live media all traces on the machine disappear if done correctly.

However; in general for simple use the answer is NO. Once you use TC portable the exe is installed (must be Admin user employed at least once). That alone leaves a small trace. As far as windows tracks when you do anything at all, just don't get me started because it isn't pretty. And that is why WDE is the only true answer and anyone saying otherwise needs to spend some time using forensic software tools. Just once would convince you.

 

Use Shadow Defender or a similar virtualizer.

 

Restore from a pre-TrueCrypt disk image or re-install Windows after zeroing out the drive.

It's too late for vitrualization, but if you choose to do so make sure the changes are written in the RAM unless it shreds them on exit.

 

hi
i use the portable version , and an usb3 external portable hard drive

 

Agree with Palancar on his views.

I found while its nice to run portable software, the issue is your always going to leave behind some traces of it in windows and windows logs, and just about everything you do in windows leaves evidence in logs which are scattered everywhere.

An adversary could easily search for tc exe and dlls and files and locate it or check logs, same applies for any portable app!

I am still debating this but I feel it maybe and I could be wrong with this....
but to install the apps properly and allow ccleaner+cc-enhancer and privazer and other disk cleaning apps to "see" and locate the installed app so it can better clean the traces of the program. If you had a portable app the cleaning apps may not see it or see the traces left correctly. Manually adding the program to cleaning apps my gut tells me it does not work as well as it would if it was fully installed.

Either way the above is a theory, its still best to do FDE (full disk encryption)
tc has the hidden os, and diskcrypt also can do FDE. If your entire windows is encrypted your way safer and secure from adversaries.