About portable apps....

Here are a few queries about portable apps:

Let us say that portable.exe was run from the hard drive. Then it was deleted. Considering it does not drop any files in the system or create tell tale registry keys etc, is there any way to find out that portable.exe was run in the system by examining(forensics) WINDOWS OS or the RAM(after reboot)?

Of course, merely deleting portable.exe does not mean anything, it would be recoverable. Can someone suggest a tool or utility to securely delete portable.exe, so that it cannot be traced by examining the hard drive that portable.exe ever existed. There are tools to securely erase data from entire drives(by overwriting with multiple 0's and 1's a few times), but which tools or utilities would securely erase only 1 or more specified files?

What is effect regarding performance if a VM is run from an external USB drive? Which portable VM ware is recommended?

Thanks in advance.

Regards.

 

Freeware Heidi Eraser is usually recommended. Some people say that version 5.7 is the best and that later versions are bloated and should be avoided.

Personally, I use version 5.8.

 

Thanks for your reply.....there is a portable version of that too !!

What about the other queries?

 

Explorer keeps various records of it in the registry + prefetch files, icon thumbnail, mft and directory entries, system restore.....wipe all those and you're most of the way there.

 

I use R-Wipe, Sweepi (configured to completely overwrite,,complete clean-up), and the Ccleaner. I do this after I do any updates or install anything new. Then I activate Returnil, set it to "enable when I restart Windows"...and have no worries whatsoever.

I just bought a used laptop. I ran one random pass of BCwipe (as per Bill Schneier's recommendation of BCwipe), did a complete reinstall, installed all of the software that I wanted, and bookmarks, the I ran R-wipe, Sweepi (with extra configuration), Ccleaner (with extra configuration), And then activated Returnil. I enabled it to stay on. My laptop runs smooth as silk and I have absolutely no worries about anything being saved or any malware being permanently installed. I also use Sandbox and delete the Sandbox after every website that I consider personal or identifiable.....like a message board. What could be better?

 

Returnil is a great program. Do you use the version that wipes the large .dat file after reboot? Coldmoon has said several times that Returnil isn't 100% forensically secure unless this file is erased. Or, and this is a hassle, just do two reboots and the .dat file is replaced by the session in which nothing was done.

I'm with you all the way, that's a great setup. The only other thing I run with is Anti-Executable. http://www.tucows.com/preview/603034

 

Well finally in the right direction...

Let us concentrate on EXE files only. Say some exe called portable.exe was run from some drive. It did not drop files or write in registry. Then it was securely deleted using say--Eraser software.

Now explorer keeps various records of this file portable.exe as quoted, inspite of portable.exe being securely deleted from its location in HDD.

Now from which of these locations can this file portable.exe can be RECREATED to form a fully functional exe? Like getting a carbon copy of portable.exe which can be executed?

System restore would make this possible, but apart from that is it possible to recreate the exe from any other location like mfc etc?

Also does WINDOWS create any registry key by itself while executing any exe even if that exe file exclusively does not do the same?

 

In Returnil preferences, I have the option check to wipe any remnants after restart.

I haven't tried AntiExecutable but it sounds like a really good idea. I'll have to give it a whirl. Thanks for the tip.