Privazer picks up names of wiped files even after running Ccleaner, R-wipe, and Bleachbit

Discussion in 'privacy technology' started by caspian, Feb 29, 2016.

  1. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I don't understand a lot of what I'm looking at in Privazer when it shows me examples of what it has scanned to be wiped. But I like to scroll through and look as it scans. So one day I decided to run some cleaners, as I do every so often. What I use to do is run Ccleaner, R-wipe, Bleachbit and then run Privazer last. In Ccleaner, I have everything checked except free space. And I use Ccleaner Enhancer. I also tell it to use secure wipe and have alternate data streams checked etc... In Bleachbit I tell it to secure wipe as well and I check the option to download additional cleaning options.

    So after running those other cleaners, I started scrolling through the scans and noticed some file names. One was an encrypted rar file of email addresses and passwords that I keep in a truecrypt folder. It was wiped and the TC folder closed before I ran the cleaners. Others were files that I uploaded to G+. I always drag them over from my external drive and then wipe them when I'm through, just out of habit. So none of the files that I saw were on my computer anymore. There were several files and file names from a folder, including the folder name.

    I could tell by the names they were from a cosmic photoset that I posted so I knew exactly what they were.. And this was after r-wipe, ccleaner, and bleachbit, with none of those files on my computer anymore.. Very impressive for Privazer!!
     
  2. quietman

    quietman Registered Member

    Joined:
    Dec 27, 2014
    Posts:
    491
    Location:
    Earth .... occasionally
    I have also used all of those tools you mention , for many years now.

    And you are bang-on right about PrivaZer .... it gets into some dusty corners that many others never reach.

    But there still remains more detailed history of your machine that none of them erase , AFAIK.

    If you doubt what I say , try running LastActivityView from Nirsoft .... it might give you a shock ....

    ..... and if you have been using PrivaZer , you are going to see some mighty strange dates in the log !
     
  3. The Red Moon

    The Red Moon Registered Member

    Joined:
    May 17, 2012
    Posts:
    3,872
    Its for the very reason it gets into "those dusty corners" which makes it dangerous..ccleaner and others only clean what they clean for a very good reason.
     
  4. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    There is merit in what you posted.

    You will never beat a forensic examination of a drive platter against a competent adversary, especially where Windows is concerned. Only workable option is complete sector encryption at the pre boot level.

    If you wanted to go through the hassle of forensically wiping the disk and had a clean OS to restore, that would work. Very time intensive but its the only way to get all the filesystem cluster tips handled. But then after using the OS for a short time you are right back to where this thread started.
     
  5. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    I came to this realization years ago. Compartmentalization is the only workable approach. With adequate compartmentalization, there's no need to clean anything.
     
  6. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    [thumbsup]
     
  7. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I was really surprised. Because these were log files. And it showed up all kinds of logs that I would have always assumed would be wiped by other cleaners. With regards to last activity view, it never shows anything because I use Shadow Defender.
     
  8. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I have been putting off encrypting my laptop for a long time. From what I understand it doesn't disturb any functionality so I'll probably do it soon. I've been thinking about it. My operating system is in D drive. So if I want to create a hidden OS, will it use that twice? Or do I need to have another Windows 7 key?

    No one ever talks about Shadow Defender as a privacy tool. But I encrypt the write catch and then run everything in RAM. I assign about 3G's in RAM so when it starts to use that up I can reboot. I'm not sure what records would actually be left after reboot.
     
  9. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I have Linux installed in portable virtualbox. So I am finally starting to learn it. But I also have Windows 7 in Virtualbox. What I am doing now is I enable Shadow Defender assigned to use 3G of RAM, with the write catch encrypted, then I open the TC container and run virtualbox. I have a VPN on my real machine and another VPN in Virtualbox. It's not near as good as your method but it's not too shabby compared to what many people do. I am gradually working up to eventually learning your method with pfsense and that sort of thing.
     
  10. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Cool, caspian :) So you have Shadow Defender protecting TC, and both Windows and Linux VMs in VBox on TC. And chained VPNs. Yes, that's not at all shabby :thumb: I'd just worry about Windows as the host OS. Once you're working in VMs, there's no reason to use Windows as the host OS.
     
  11. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,103
    Location:
    Southern Rocky Mountains USA
    It's always good to be creative with the tools at hand. I often find uses that are far from the original intended purpose. VPNs and Virtualization were not originally developed for the privacy purposes they are used for now either.
     
  12. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Before I specifically answer your questions, let me say your setup is not too bad! I share Mirimir's sentiments with it. Now moving along to some questions you asked.

    Moving my response to beyond novice and stretching things just a little to shape the thought process. This is not a scare post I just want users to realize these facts and make decisions based upon them. All have different threat models and therefore we should adjust accordingly.

    Harsh security realities about a hidden operating system (bare metal) using either TrueCrypt or VeraCrypt and of course Windows would be on both: You do not need another Windows "product key" to create the hidden system, which in the purest sense of the system being hidden should scare the #$$# out of you. The windows product key will only work on the machine number for which it is designated and which M$ knows about when the decoy OS was registered. Therefore should you go online and update the hidden OS it would handshake with M$ and get the downloads without issue. Where a user gets into trouble (is quite vulnerable) is when the hidden OS is taken online (bare metal). The windows ID# plus the actual motherboard ID# are known to M$ and are static regardless of whether or not you are using the decoy or hidden OS. When you update in the conventional manner M$ can and likely does record when YOUR product key update files having been acquired. Hmmmm you always update files twice, or more? The time of the system updates can and may be recorded and surprise the decoy system (during forensic examination) does not show the system was even in use during those times. Why not? See where I am going with this? Even if you elect to use a different product key from a system that doesn't come back to you such as a VLK for M$, you still have that pesky motherboard ID with a strong ability to betray your anonymity. Just sit back and get a visual from what I have just portrayed to you. This is accurate but is only relevant where a "strong adversary" is your combatant. It certainly means nothing against theft, spouse concealment, etc.....

    There are some fairly straight forward solutions to the dilemma presented above and if your in a position to care about pursuing them come back and ask for more. Virtual machines will allow you to go online and "ditch" the motherboard ID issue because your workspace will never see the motherboard if configured correctly. There is much more but I don't know your needs and don't want to type at length for no reason. LOL!
     
  13. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Yeah I know Windows is more vulnerable and certainly not good for privacy. After what I have seen with Windows 10 I am definitely in the process of making other arrangements, haha! As far as I know, Linux doesn't "reserve the right to upload the content of your emails and personal files if they decide it's necessary". Sheese! I think I've heard it all now!:eek:. With Windows 7 I did disable a pretty large list of telemetry updates. And I have Windows update turned off now. So hopefully Shadow Defender will prevent any personal data from being saved for now. It may take some time before I feel comfortable installing Linux on my real computer. Can I have both installed and just use one or the other? That would be nice.
     
  14. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    Yeah I think if Shadow Defender actually does what they say it does, by choosing RAM and encrypting the write catch, I don't think you could do much better than that for Windows. The nice thing, too, is that not a lot of people use SD so there probably isn't much of an incentive to bypass it.
     
  15. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I am surprised that I have never seen this concern expressed before. Maybe I just missed it. But it is a pretty obvious problem now that you have mentioned it. You said that the VM would get rid of the product key problem, but you still have to install the VM on a windows OS, right? So wouldn't it be seen anyway? I could install a different OS with a different product key, correct? So then what do you do about the motherboard ID? That would be really cool to create a fix for this. As long as it isn't too difficult I'd be interested in trying it. Thanks
     
  16. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    Remember that the TrueCrypt hidden system thing is old. It was developed on Win XP. The dev(s) clearly didn't assume that adversaries would be working closely with Microsoft. And there's no solid evidence, as far as I know, that they are. It's just that we cultivate a much higher level of paranoia here ;) If foo is possible, the only safe bet is that foo is happening. Also, if foo were happening, it would be cloaked behind parallel construction, for sure.
    You can install a Windows VM on any host. I have a few. All were obtained anonymously.
    VMs don't see motherboard ID, by default.
     
  17. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Mirimir answered many of your concerns in the post directly above this one. The scenario I described obviously happens. A user goes online and connects to sites of questionable character as per the opinion of the "Feds/NSA/etc... Lets say they use a reasonable connection tunnel BUT they use a M$ product key that is known to be registered to them. They didn't intend to but they created their hidden OS as a clone from a decoy Windows system that was registered to their real name, or used for all their real name stuff. To further the "mistake" they installed it bare metal on the same computer.

    Even though TC is "old", the developers were well aware of the problem I am describing. If you look at the manuals (especially the older ones) going online with the hidden OS was just short of forbidden. Why? Clearly its knowing this issue. I was there through all of this and its all I am going to key here.

    So now your adversary hacks the product key or motherboard ID while you are online at a site they have invaded. Its easy to do. Many users are very weak in securing their systems and once you are logged into a site it gives an adversary much more opportunity if they have control of the site. Now they have those ID #s and what would be the next logical move? Contact M$ and ask if they have any machines registered with those numbers. Surprise, there YOU are and that was sure easy!! It would be incredibly naive to think that doesn't happen in this political climate.

    Already done. Virtual Machines as mentioned above. All the numbers are generated virtually and are not related to the computer using the VM. Further you can easily rotate those, even things like the MAC change so easily.

    Rather than typing away here a great starting point may be to go read the privacy guides that Mirimir constructed at IVPN. Those are great starting articles and the first few are not that tough to "get down pat".
     
  18. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    @Palancar

    That makes sense. But then, what's the point of having a hidden OS, if you can't use it online?

    You can use a Windows install disk that you've obtained anonymously. But then, the decoy and hidden OS still have the same product key, and are on the same hardware.

    Can decoy and hidden Windows have different product keys?

    Can one do the decoy / hidden Windows thing in a VM?
     
  19. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,086
    I don't know how common it is, but software can phone home information to a server which provides the user an ability to review things associated with a specific device. Were such software used in both the hidden and non-hidden compartments, information from both compartments could be sent to the server and linked due to a common device identifier. Theoretically, even a thief or spouse could gain access to the non-hidden OS, then discover this type of feature and access it, and in the process end up discovering information that was specific to the hidden OS context.

    Its getting even further away from what is common, but technically the device in question need not be the computing device the user/thief/spouse is directly using. It could be a directly connected computing peripheral, or some other networked device, that is accessed from both hidden and non-hidden compartments. In which case, the use of VMs might not suffice. In some cases, isolation from the Internet might not suffice either: if the device in question is accessed via direct connection or local [wireless] network and the device itself stores common logs.
     
  20. Palancar

    Palancar Registered Member

    Joined:
    Oct 26, 2011
    Posts:
    1,594
    Whether or not you can use a hidden OS online as "out of the box" configured, depends upon your adversary and threat model.

    You can definitely have different product keys but really a much more thorough way of setting this up is to create a nice, clean REAL NAME decoy OS. Now save it so you can restore without any doubts at all. Next you blow away/wipe that real name OS away and install an anonymous OS in the decoy slot. This OS is going to be the donor for your hidden OS. This is an extremely important distinction because when the hidden OS is created it copies all the folders and file names, users, etc... Almost nobody starting out can grasp all the things (names, etc.) that point the hidden OS to the decoy. This is my personal method developed and taught over the years because I flat out scared the #### out of folks showing them the importance of different names, files, etc.... I hope you are picturing what I am describing. I know you and I are linux geeks and all of this pales to a solid linux setup ------ our opinion.

    I remember exchanging many messages with you on the subject of "neutering" Windows so that the hidden OS could only host and nothing else. That would make an amazingly strong config because nobody could prove it existed. Then I/we would bridge via VM's and the hidden Windows would never go online in the strict sense of the word. All workspace activity happens in linux chained VPN - VM's. Very solid and advantaged because when the computer was "cold" there is no proof a hidden OS exists, especially if you are crafty with the outer volume contents. Further code manipulation allowing the hidden OS to exist outside of slot 2 positionally adds stealth. Plus this method cancels the machine ID from leaking out of the exit node or from being probed by an adversary. The VM never sees those things and would only report its virtual identities, which in my case change almost daily.

    Obviously once built you wipe the fake decoy and restore the clean REAL NAME OS and you are good to go!
     
  21. mirimir

    mirimir Registered Member

    Joined:
    Oct 1, 2011
    Posts:
    6,029
    OK, I remember. You end up with normal real-name Windows as decoy. Hidden Windows is anonymously obtained, and setup without Internet access. And you never actually use hidden Windows online. You use VMs bridged through the host-only adapter. So there are no hardware ID issues either. That is pretty elegant :thumb:
     
  22. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I will definitely have to read those (Mirmir's tutorials). I tried reading about chaining VM's and pfsense and it was a little confusing. But maybe I just need to go a little slower. Good advice.

    I skipped the registration of my computer when I set it up and asked it not to show the prompt again. But the computer was bought as a gift to me from a family member. Here is my intention. I would have no use for a hidden OS other than to go online. I keep no files on my computer. Everything goes to an external HD. I started doing this years ago because I lost huge collections of art, music, music transcripts, and videos/movies etc... I was so unhappy.

    Maybe I don't need to bother with a hidden OS and should just encrypt my laptop. I have my real identity that I have used for years. I just use my desktop browser for that. But in the last 4 or 5 years I create a new identity for each new account. More recently I have been accessing them through a VM only. And of course with at least one VPN, but almost always 2. I have a TC container on the VM with multiple portable browsers. I give each browser folder the name of the identity associated with it. I never use another browser for that identity or communicate outside of that identity. Sandboxie deletes and wipes cookies when I delete the sandbox. So I have a different browser finger print for each identity with no tracking data on my computer. I just thought that maybe one step further away in a hidden OS might be even better than what I am doing now. But maybe it's overkill.
     
  23. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    But these details about hardware and that sort of thing could also be found in other computers, right?....except for the computer ID. So this info by itself couldn't prove anything, unless I am missing something. But it could point to something. Is this correct? You'll have to excuse me because I don't have anywhere near the knowledge that you do.

    Do you mean some kind of deliberately planted spying device?
     
  24. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    That's pretty slick!:cool:
     
  25. TheWindBringeth

    TheWindBringeth Registered Member

    Joined:
    Feb 29, 2012
    Posts:
    2,086
    @caspian: I was just thinking out loud and wasn't very elaborate. To illustrate:

    1) Some software is designed to support multiple users/instances/devices, databases information in the cloud, and allows a user to view information for the different users/instances/devices. If such software were running in two different compartments on the same bare computer and saw the same computer ID, the software might show a user that there are two instances associated with that computer ID. As well as allow a user to explore data for both instances. Theoretically, Jane using a non-hidden OS might not only see evidence of Bob's hidden OS but also be able to see some activity or other information specific to it. Bob wouldn't knowingly set things up this way, but if he didn't understand how things worked and/or the software tried to be too helpful, perhaps he could still be burned.

    2) In #1 it is a computer ID, acquired from the computer itself, that is the common unique identifier which both compartments see and that allows for the problem scenario. If one or more VMs were used, the computer ID should be different and thus the software shouldn't have been able to detect or show two instances on the same machine. However, lets say VMs are used but they share a multi-function printer and associated software which supports cloud management/reporting features that are enabled by default. The printer contains the ID which remains the same for VMs, and the software in the VMs phones that printer ID home along with other information. Theoretically, Jane while using one VM would be able to see some multi-function printer usage information generated by Bob's VM.

    3) In #2 it is a peripheral ID that allows for a problem scenario. However, in both scenarios the cloud features play a major role. So if Bob didn't take his compartment online, he'd be OK. However, lets use the two VM + multi-function printer example again. Only, this time, information about print jobs, faxes, scans, etc is stored in the printer itself. Even if both Bob and Jane never went online with their VMs, Jane could see things related to Bob's VM.

    Point is an old one though... you really need to be careful about isolation and eliminating things in common. For example, having several FF 44.0.2 portables in the same VM would mean that OS/hardware focused fingerprinting code might detect the common platform. At some point you have to draw some lines though. One VM per remote host isn't very practical.
     
Loading...