how to prevent network logging in windows 7

Discussion in 'privacy technology' started by happyyarou666, Jan 30, 2013.

Thread Status:
Not open for further replies.
  1. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    I'd hardly think I'd get past the "oh, you use encryption" with my current setup, since my other HDDs are TC FDE encrypted as well, with hidden volumes respectively, lols. BTW, currently having problems with removing said TC bootloader, as per my previous post.


    Update: so I've checked if I could disable logging on my router, but I didn't find anything. How would I go about doing so, mirimir? Cause the only way I'd imagine is to install pfSense on my router, which isn't possible, I reckon. I do run custom firmware currently, which is based on Linux though.
     
    Last edited: Feb 5, 2013
  2. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    What router do you use? Maybe it doesn't log at all. It seems odd that, if it does log, you can't turn off logging.

    Edit: Oh, "custom firmware". Do you run DD-WRT?
     
    Last edited: Feb 5, 2013
  3. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    Well, I'll send you a PM with the info, not something I like posting about in public. Wouldn't want somebody getting stupid ideas releasing fake custom firmwares with backdoors now, would we ;)

    No, I don't run DD-WRT since my router doesn't support it. Check your PM box. Honestly though, it doesn't show much at all in the logs except the usual.
     
    Last edited: Feb 5, 2013
  4. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Just a little paranoid? ;)

    OK, I PMed you.
     
  5. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    Just a little, I guess you could say so, lols
     
  6. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Hi Happy, figured I’d bring our conversation back to this thread.

    To clarify on your most recent PM. As long as you are routing your LAN together, your ISP will only see your ISP account's public IP address with SRC/DST ports communicating to your VPN provider’s server IP address(es) and its SRC/DST ports. The packet bodies will be encrypted. As I stated in our initial conversation, assumptions and analysis on the network traffic could be inferred depending on the services allowed/blocked by your VPN, but nothing can be tied back directly to the end user without your VPN aiding in any investigation. Unless you reside inside an oppressive small nation state, ISPs do not log full PCAP data, only the bare minimum to meet respective data retention laws if any exist for your country. Think of a cell phone log but for your computer.

    To address your second question, determining a hidden OS is extremely difficult. However the folly of the end user is usually how it would be detected. I have never detected a hidden OS in my career; however I have detected the presence of hidden containers in the past due to the mistakes of the individual users themselves using the hidden volumes incorrectly.

    To address your third question, logging should not be your enemy on the decoy OS, both physical and virtual. As long as you use your decoy alongside your hidden there really shouldn’t be a need for a solution such as shadow defender. I’ve read the new posts on this discussion thread since your initial enquiry and I do feel in my opinion you are over complicating your setup for very little gains.

    The main lynchpin in your setup worth checking would be your routing logs if any.

    I would not worry about removing the Truecrypt headers, as Truecrypt keeps backups anyhow at the end of its volumes. Not to mention most forensic specialists know the differences between MBRs/normal systems and what they should look like at the bit level, versus encrypted bits.

    Bottom line, if your computer is seized, you can count on it being determined your computer is encrypted. Depending on the laws in the country you reside in, that is when the decoy will give you the plausible deniability you seek if you had to give up your password.

    Which ties into my final comment yesterday:

    "I would not advise running anything in a decoy that could implicate a hidden OS."

    Hope this helps clear up some confusion :)

    -EB
     
  7. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,328
    Location:
    Here, There and Everywhere
    I have always advocated that on non-sensitive Truecrypt volumes that you use the decoy ONLY to add a text note saying the note is there only to prove there is no obfuscation. The reason? Because every forensics expert knows all about the inner/outer containers and decoy OS and everything else. It's silly to think one can believe that will work. However, if there's nothing sensitive and the container is opened, LEA can always say, "okay - what's in the hidden container?" They ALSO know you can only have one (that's still true I think?) and if it's used to hold your "proof" that everything is on the up and up it can save you a lot of hassle. In general, I would never suggest giving an inch, but with some things - this is a simple way to end endless and stressful accusations and demands for the "real" password. I also know it's really about not being able to prove the existence of the hidden volume, but sometimes you must pick your battles.
     

  8. This. Happy, I know what you're trying to do, but is it worth it? I can't see that it is. Just on the information learnt here you sound like a very interesting target.

    Also this. Time catches up to every man, sometimes slowly, but it DOES catch up. So when you're being held by the boys in suits, what will you do?
     
  9. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    So let me see if I have this correct:

    You use volumes, create Outer/Hidden sections, and use the Outer to store everything...and put a note in the hidden portion to show it's not being used?

    Do you do this for every single container? Or do you have one that you won't reveal the Hidden portion of?

    Cool method if you go that route.

    So you basically just use TC to protect from everyone *but* authorities?

    Not for me, but cool method if it suits you. I'll rely on Due Process and make a decision based on where that leads. Like I said before, proof, not appearance...in my country at least. Which is why I like the Yubikey - if I can 'lose' it...I don't know the last portion of the password. Maybe it will hose me in the end, but oh well...some things are worth not compromising on freedoms.

    Also, while fun to talk about, this 'rubber hose' stuff doesn't really happen, IMO...at least not with any frequency. I base that on reading 5 years' worth of LE forensic discussions that made their way onto the net a year or so ago.

    And there is some precedent:

    http://www.outsidethebeltway.com/fe...ts-suspect-from-having-to-decrypt-hard-drive/

    PD
     
  10. PaulyDefran

    PaulyDefran Registered Member

    Joined:
    Dec 1, 2011
    Posts:
    1,163
    EB, can you elaborate on the mistakes you've seen by users of Hidden Volumes? Would be a good refresher.

    P
     
  11. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803

    Me, an interesting target just because I value my privacy as an important factor of my life? Lols, be my guest, but don't come complaining to me when you end up at a dead end :rolleyes:. And I do feel Shadow Defender being a plus when it comes to plausible deniability; as said, you never know what gets logged and what doesn't, and mostly the main point being outdated logs etc. It's all about plausible deniability in this game and that's what I'm aiming for, and yes, my privacy is an important part of my life, as it should be for anybody else, as I've said countless times, and whoever thinks otherwise cause they don't have "anything to hide", you'd be surprised what can be used against you, as I too have explained many times :ninja:. BTW Pauly, you don't really think they'd publish them using the 5 dollar wrench method or other torture? How stupid would they have to be to dirty their own "lawful" image and risk an uproar from citizens and possible budget cuts or complete shutdowns. Remember, sheeple are only as stupid as you make them believe to be. Apparently someone has some catching up to do on how it all actually works; you'd have to do your own research on how governments actually work. It's by keeping the people you rule blindfolded; it's always been that way and it's only getting worse by the minute, hence why I can understand your confusion.

    What will or would I do when "caught" by the big boys in suits? I'll tell you what: keep my mouth shut, even if it costs me my life. Remember, once they consider you a target of interest they won't let you go, no matter how much you think they're gonna let you live; same goes for anybody else in your family considered a target of interest. Torture is nothing more than a way to extract information out of a target; as long as it lives after that, nobody cares :). I could go further down the rabbit hole on this, but then it would be considered political and much more, and that would arouse actual unwanted attention. Remember, this forum is about security, and privacy belongs to that as well. Sure, you could do none of this, but don't be surprised when you're at the receiving end, and this fact won't change any time soon; and to top it off, laws are changed like the weather and bent to will :)
     
    Last edited: Feb 6, 2013
  12. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    Lols ;). BTW, I still need help on removing the TC bootloader, as I said yesterday.
     
    Last edited: Feb 6, 2013
  13. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    Nothing elaborate. There have been cases where the individual in question is known to be using a solution such as Truecrypt/Realcrypt. The contents inside their hidden containers were being accessed by 3rd party applications such as Microsoft Office which they did not take the time to configure correctly to mask the footprint it leaves and I was able to follow those bread crumbs so to speak.
     
  14. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Yes, temp files and logs, right? That's the argument for using hidden OS, because all of that stays inside. That was clearly implied by your recent comment:

    What happyyarou666 addresses in this thread is fundamentally the same problem. By accessing networks, "footprints" and "bread crumbs" may be left outside the hidden OS.

    Let's say that he can configure the AirVPN clients (pfSense VMs) identically in the decoy OS and hidden OS. For both OSes, packets from pfSense go through the host's network interface. Can they be distinguished from his LAN? Speculation aside, the best approach is capturing from LAN with Wireshark (or whatever) and comparing traffic from the decoy and hidden OSes.

    As we've discussed, there could also be "negative footprints" in the decoy OS. It seems like the best approach there is "virtualization" and preventing all persistent state change. Where are you on that, happyyarou666?
     
  15. EncryptedBytes

    EncryptedBytes Registered Member

    Joined:
    Feb 20, 2011
    Posts:
    449
    Location:
    N/A
    There wouldn't be bleed over, as a network interface card doesn't do PCAP; it can facilitate PCAP with user/application modification, but not by itself. Given that there are no two hosts running at the same time which "could" log the traffic of the other at the OS level in terms of firewall/security events, in bridged mode this isn't a vulnerability.

    The only useful information would be a MAC, which again would go back up to the router logging occurring at layer 3 and not the card itself at layers 1 & 2.

    If we are taking complete state control regardless of network, then at that point I would suggest a live OS.
     
    Last edited: Feb 6, 2013
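Two of the posts above describe an actual check rather than speculation: mirimir proposes capturing from the LAN and comparing the decoy OS traffic with the hidden OS traffic, and EncryptedBytes points out that the only thing the LAN side sees below the VPN tunnel is a MAC address, with everything else being router logging at layer 3. The script below is an added example of that comparison (my own code, not from the thread, from pfSense, or from any tool named in it). It reads two captures reduced to one summary line per packet and reports the features that distinguish them: source MACs, destination endpoints, IP TTLs and packet sizes. The column layout and both sample captures are constructed assumptions; in practice you would produce such lines from a real capture, for instance with tshark's field output, and adapt the columns.

```python
"""Compare two LAN captures (decoy OS vs. hidden OS) and list what an observer
on the LAN side could use to tell them apart.  Added example; all sample data
is constructed and the column layout is an assumption of this script."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """One packet summary: src_mac dst_mac src_ip dst_ip proto dst_port ttl length."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    ttl: int
    length: int


def parse_summary(text):
    """Parse whitespace-separated summary lines; blank lines and '#' lines are skipped."""
    pkts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split()
        if len(f) != 8:
            raise ValueError(f"expected 8 columns, got {len(f)}: {line!r}")
        pkts.append(Pkt(f[0], f[1], f[2], f[3], f[4], int(f[5]), int(f[6]), int(f[7])))
    return pkts


def profile(pkts):
    """Reduce a capture to the features visible from the LAN side."""
    return {
        "src_macs": {p.src_mac for p in pkts},
        "endpoints": {(p.dst_ip, p.proto, p.dst_port) for p in pkts},
        "ttls": {p.ttl for p in pkts},
        "lengths": {p.length for p in pkts},
    }


def compare(decoy, hidden):
    """Return only the features that differ; an empty dict means the captures look alike."""
    a, b = profile(decoy), profile(hidden)
    findings = {}
    if a["src_macs"] != b["src_macs"]:
        findings["src_macs"] = (sorted(a["src_macs"]), sorted(b["src_macs"]))
    # Endpoints contacted by one OS but never by the other are the clearest giveaway.
    for side, mine, other in (("hidden", b, a), ("decoy", a, b)):
        extra = mine["endpoints"] - other["endpoints"]
        if extra:
            findings[f"endpoints_only_in_{side}"] = sorted(extra)
    if a["ttls"] != b["ttls"]:
        findings["ttls"] = (sorted(a["ttls"]), sorted(b["ttls"]))
    if a["lengths"] != b["lengths"]:
        findings["lengths"] = (sorted(a["lengths"]), sorted(b["lengths"]))
    return findings


# Constructed sample captures (not real traffic). 203.0.113.10 stands in for the
# VPN server; every packet comes from the same VM MAC, as the thread intends.
DECOY_CAPTURE = """
# src_mac            dst_mac            src_ip        dst_ip        proto port ttl len
02:00:00:aa:00:01  02:00:00:bb:00:01  192.168.1.20  203.0.113.10  udp   443  64  1400
02:00:00:aa:00:01  02:00:00:bb:00:01  192.168.1.20  203.0.113.10  udp   443  64  1400
02:00:00:aa:00:01  02:00:00:bb:00:01  192.168.1.20  203.0.113.10  udp   443  64  180
"""

# Same tunnel traffic, plus one packet that never entered the tunnel: a plain DNS
# query with a different TTL, the kind of "bread crumb" the thread is worried about.
HIDDEN_CAPTURE = """
02:00:00:aa:00:01  02:00:00:bb:00:01  192.168.1.20  203.0.113.10  udp   443  64  1400
02:00:00:aa:00:01  02:00:00:bb:00:01  192.168.1.20  203.0.113.10  udp   443  64  180
02:00:00:aa:00:01  02:00:00:bb:00:01  192.168.1.20  192.0.2.53    udp   53   128 74
"""


def run_example():
    """Compare the two constructed captures and return the differing features."""
    return compare(parse_summary(DECOY_CAPTURE), parse_summary(HIDDEN_CAPTURE))


if __name__ == "__main__":
    for key, value in run_example().items():
        print(f"{key}: {value}")
```

The result you want from this check is an empty dict. In the constructed sample the MACs match, which is the layer-2 point EncryptedBytes makes, but the hidden OS capture contains a DNS endpoint and a TTL value the decoy never produced, which is exactly the kind of difference mirimir's capture-and-compare would surface. Real captures will also differ in timing and volume, so treat the set comparison here as the first pass, not the whole analysis.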
  16. *YAWN* Really, you need to keep it usable and simple for it to work. Some of this stuff is just fantasy, because it's just adding another level of software that can be compromised.

    KEEP IT SIMPLE STUPID.
     
  17. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    Lols, this is all pretty simple and usable, this coming from me :). It's far from fantasy, and no, it's not just adding another software layer that can be compromised. If that's how you think of it, you best stop using AVs, FWs and Sbxie as well, since they're just another software layer, lols. Sometimes I question your rationality, computersaysno. BTW mirimir, yeah, I've already set up SD on my decoy and did what we talked about regarding VM MAC addresses. Anything else? BTW, I still freakin need advice on how to remove the god damned TC bootloader, since loading up a Windows install DVD and selecting recovery won't work: TC FDE volumes are seen as RAW and no OS is selectable, hence I don't know how to select my drive in cmd to have the TC MBR replaced with the vanilla Windows MBR.
     
    Last edited: Feb 7, 2013
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    9,252
    Cool :)

    It'd be better to create a separate thread for that. Maybe you can interest dantz :)

    Also, where does one back up a hidden OS? To another hidden OS, I guess ;)
     
  19. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    Something like that. It's rather simple actually: you just create a separate FDE TC hidden volume and outer on an external setup, much like you do with any non-OS partition drive, and then just make a data backup, not a sector-by-sector one. Adversaries with constant physical access to your machine's decoy OS would be able to notice sectors changing where they shouldn't be changing when they get their hands on your backup of your decoy OS, hence why a sector-by-sector backup is a big no-no! Data backup only, and it's more convenient when swapping for a larger disk in the future; just gotta restore the data to the fresh TC vanilla OS setup routine and you're back in business ;)

    Perhaps I should open a new thread for that issue indeed.
     
    Last edited: Feb 7, 2013

  20. To me it's not simple; fiddling around with multiple VMs is not my thing. I'd just install Qubes on a system, install a VPN daemon and TOR, and you're done.

    I have stopped using AVs and FWs and don't use Sandboxie, as I see them as just clogging up the system with useless junk software :cool:.

    And lol Happy, sometimes I question my logic myself, so you're not alone... But as always, remember Happy to TAP TAP TAP IT IN!
     
  21. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    Yeah, odd, for some reason your last "tap tap tap it in" comment got deleted, lmfao. But to each his own, as I always say; for some, certain things might seem more complex than they are, but that's fine with me, it's up to you ;)
     
  22. Yeah don't get me wrong, I love new toys and software. I just see the multi VM setup as messy.
     
  23. happyyarou666

    happyyarou666 Registered Member

    Joined:
    Jan 29, 2012
    Posts:
    803
    Well, if you come up with a "cleaner" way than the current setup, let us know ;)
     