About portable apps....

Discussion in 'privacy technology' started by Sumedik, Mar 31, 2010.

Thread Status:
Not open for further replies.
  1. Sumedik

    Sumedik Registered Member

    Joined:
    Mar 6, 2010
    Posts:
    21
    Here are a few queries about portable apps:

    Let us say that portable.exe was run from the hard drive. Then it was deleted. Considering it does not drop any files in the system or create telltale registry keys etc., is there any way to find out that portable.exe was run in the system by examining (forensics) WINDOWS OS or the RAM (after reboot)?

    Of course, merely deleting portable.exe does not mean anything, it would be recoverable. Can someone suggest a tool or utility to securely delete portable.exe, so that it cannot be traced by examining the hard drive that portable.exe ever existed? There are tools to securely erase data from entire drives (by overwriting with multiple 0's and 1's a few times), but which tools or utilities would securely erase only 1 or more specified files?

    What is the effect regarding performance if a VM is run from an external USB drive? Which portable VM ware is recommended?

    Thanks in advance.

    Regards.
     
  2. SafetyFirst

    SafetyFirst Registered Member

    Joined:
    Jan 26, 2007
    Posts:
    462
    Freeware Heidi Eraser is usually recommended. Some people say that version 5.7 is the best and that later versions are bloated and should be avoided.

    Personally, I use version 5.8.
     
  3. Sumedik

    Sumedik Registered Member

    Joined:
    Mar 6, 2010
    Posts:
    21
    Thanks for your reply... there is a portable version of that too!!

    What about the other queries?
     
  4. stackz

    stackz Registered Member

    Joined:
    Dec 27, 2007
    Posts:
    619
    Location:
    Sydney Australia
    Explorer keeps various records of it in the registry + prefetch files, icon thumbnail, MFT and directory entries, system restore... wipe all those and you're most of the way there.
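
The prefetch files mentioned in the post above record an executable's name, run count and last run time separately from the executable itself, so they survive its deletion. The following is an added example, not part of the thread, of what an examiner reads from one: it parses the uncompressed prefetch header of Windows XP (version 17) and Vista/7 (version 23). The sample bytes, including the hash value, are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
# Format version -> (last-run FILETIME offset, run-count offset).
# 17 = Windows XP/2003, 23 = Windows Vista/7 (both stored uncompressed).
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98)}

def parse_prefetch(data):
    """Return the execution evidence held in one .pf file image."""
    if len(data) < 0x54 or data[4:8] != b"SCCA":
        raise ValueError("not a prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    time_off, count_off = LAYOUT[version]
    if len(data) < count_off + 4:
        raise ValueError("truncated prefetch file")
    # Executable name: NUL-terminated UTF-16LE in a 60-byte field at 0x10.
    raw_name = data[0x10:0x4C].decode("utf-16-le", errors="replace")
    ticks = struct.unpack_from("<Q", data, time_off)[0]  # 100 ns units
    return {
        "version": version,
        "executable": raw_name.split("\x00", 1)[0],
        "path_hash": "%08X" % struct.unpack_from("<I", data, 0x4C)[0],
        "last_run": EPOCH + timedelta(microseconds=ticks // 10),
        "run_count": struct.unpack_from("<I", data, count_off)[0],
    }

def build_sample():
    """Constructed version-23 file image, not taken from a real system."""
    buf = bytearray(0x9C)
    struct.pack_into("<I4s", buf, 0, 23, b"SCCA")
    struct.pack_into("<I", buf, 0x0C, len(buf))  # total file size
    name = "PORTABLE.EXE".encode("utf-16-le")
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x4C, 0x1A2B3C4D)  # made-up path hash
    when = datetime(2010, 3, 31, 12, 0, tzinfo=timezone.utc)
    struct.pack_into("<Q", buf, 0x80, (when - EPOCH) // timedelta(microseconds=1) * 10)
    struct.pack_into("<I", buf, 0x98, 3)  # run count
    return bytes(buf)

if __name__ == "__main__":
    for key, value in parse_prefetch(build_sample()).items():
        print(f"{key:10} {value}")
```

Prefetch files on Windows 10 and later are stored compressed and must be decompressed before this header layout applies.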
     
  5. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I use R-Wipe, Sweepi (configured to completely overwrite, complete clean-up), and CCleaner. I do this after I do any updates or install anything new. Then I activate Returnil, set it to "enable when I restart Windows"... and have no worries whatsoever.

    I just bought a used laptop. I ran one random pass of BCWipe (as per Bill Schneier's recommendation of BCWipe), did a complete reinstall, installed all of the software that I wanted, and bookmarks, then I ran R-Wipe, Sweepi (with extra configuration), CCleaner (with extra configuration), and then activated Returnil. I enabled it to stay on. My laptop runs smooth as silk and I have absolutely no worries about anything being saved or any malware being permanently installed. I also use Sandbox and delete the Sandbox after every website that I consider personal or identifiable... like a message board. What could be better?
     
  6. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    Returnil is a great program. Do you use the version that wipes the large .dat file after reboot? Coldmoon has said several times that Returnil isn't 100% forensically secure unless this file is erased. Or, and this is a hassle, just do two reboots and the .dat file is replaced by the session in which nothing was done.

    I'm with you all the way, that's a great setup. The only other thing I run with is Anti-Executable. http://www.tucows.com/preview/603034
     
  7. Sumedik

    Sumedik Registered Member

    Joined:
    Mar 6, 2010
    Posts:
    21
    Well finally in the right direction...

    Let us concentrate on EXE files only. Say some exe called portable.exe was run from some drive. It did not drop files or write in registry. Then it was securely deleted using, say, Eraser software.

    Now explorer keeps various records of this file portable.exe as quoted, in spite of portable.exe being securely deleted from its location in HDD.

    Now from which of these locations can this file portable.exe be RECREATED to form a fully functional exe? Like getting a carbon copy of portable.exe which can be executed?

    System restore would make this possible, but apart from that is it possible to recreate the exe from any other location like mfc etc?

    Also does WINDOWS create any registry key by itself while executing any exe even if that exe file exclusively does not do the same?
     
  8. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    In Returnil preferences, I have the option checked to wipe any remnants after restart.

    I haven't tried AntiExecutable but it sounds like a really good idea. I'll have to give it a whirl. Thanks for the tip.
     