Returnil as Anti Forensic tool?

Discussion in 'privacy technology' started by mjau, Jun 16, 2010.

Thread Status:
Not open for further replies.
  1. mjau

    mjau Registered Member

    Joined:
    Jan 11, 2009
    Posts:
    30
    Hi, I basically wonder if Returnil can be used as an anti-forensic tool, leaving nothing to recover once shut down?
     
  2. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    A guy recently posted in the Returnil forum that he found remnants left after reboot.

    https://www.wilderssecurity.com/showthread.php?t=274850

    But it looks like he may not have had the option "Enable when I start Windows" selected, which is evidently required to wipe the leftovers. The other option that must be selected in Preferences under the System Safe tab is "Wipe all system changes at computer startup".

    A guy from China recently asked if the Chinese government could forensically recover information from his computer with Returnil enabled, and the reply was no... that there would be nothing left to recover.

    I do not have the knowledge to test this myself or I would.
     
  3. snowdrift

    snowdrift Registered Member

    Joined:
    Sep 7, 2007
    Posts:
    394
    I *believe* Returnil also leaves a Windows registry trace, but I have not verified it myself.
     
  4. Coldmoon

    Coldmoon Returnil Moderator

    Joined:
    Sep 18, 2006
    Posts:
    2,981
    Location:
    USA
    Hi,
    We are looking into the results from that thread, but some things you should be aware of:

    1. RVS was not designed from a privacy perspective, and we have tried to make this clear in our replies since the 2007 version, when the question began to appear. The target is security first, and other things may come from that (ex: an inherent privacy benefit from boot-to-restore for casual examination).

    2. The Windows pagefile and hibernation files are not virtualized. The reason for this is that interference with these files may cause Windows to not function properly.

    As the pagefile is left alone, forensic tools and techniques that can access it can recover information.

    Mike
     
  5. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    If you run without a paging file (easy with 3.4GB memory), turn OFF hibernation, and set up Returnil correctly to wipe... Returnil is pretty solid when it comes to anti-forensics. Though Coldmoon should be commended for being honest that Returnil was not inherently meant to be a privacy tool, Returnil should also be lauded for helping those using it as such to make it even better (with the wiping, etc.). Kudos to Coldmoon -- and Returnil!
     
  6. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi

    As pointed out in these old pages, there is a Yin and Yang of such programs in forensic computer examination:
    http://homepage.mac.com/adonismac/Textware/forensic/deepfreez.htm

    In fact, Windows design simplifies the job, and pagefile.sys is just an example.
    Matthieu Suiche has written interesting papers and released the Sandman tool to read or modify the hibernation file.
    http://www.msuiche.net/utilities/

    As I have mostly experimented with DeepFreeze I can't talk about Returnil, but I think, in the same way, that Returnil has quite the same limitations.
    For instance, it is still easy to use specific forensic tools to find which USB key has been connected to the machine, and once the serial number is found, an investigation to identify the owner or buyer is possible.

    I guess that it is currently possible to make a PC investigation totally lapse, even for the forensic experts of the NSA (even cold boot attacks can be defeated).
    But playing a cat-and-mouse game with the law is already a lost game.

    Rgds
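The posts by Coldmoon, LockBox and kareldjag above all come down to the same practical question: which artefacts sit outside what a boot-to-restore product rolls back (the pagefile, the hibernation file, and registry history such as USB storage device entries). The following PowerShell script is an added example, not code from the thread, from Returnil or from any of the posters; it only reads the standard Windows locations for those artefacts so you can see what is actually present on a machine before relying on the setup LockBox describes. It assumes an elevated PowerShell session on the machine being assessed and does not inspect Returnil's own settings (check those in its Preferences as caspian describes).

```powershell
# Added example (not from the thread): read-only audit of the artefacts the
# posts above say a boot-to-restore tool does not virtualize. Run elevated;
# it changes nothing. Registry paths and value names are the standard Windows
# ones; Returnil's own configuration is assumed to be checked separately.

function Get-PageFileStatus {
    # Win32_PageFileSetting lists configured page files; an empty result means
    # the system runs without one (LockBox's suggestion). ClearPageFileAtShutdown=1
    # makes Windows overwrite pagefile.sys with zeros on a clean shutdown.
    $settings = Get-CimInstance -ClassName Win32_PageFileSetting -ErrorAction SilentlyContinue
    $mm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $clear = (Get-ItemProperty -Path $mm -Name ClearPageFileAtShutdown -ErrorAction SilentlyContinue).ClearPageFileAtShutdown
    [PSCustomObject]@{
        PageFiles       = @($settings | ForEach-Object { $_.Name })
        ClearAtShutdown = ($clear -eq 1)
        OnDiskFile      = [bool](Get-Item -Path "$env:SystemDrive\pagefile.sys" -Force -ErrorAction SilentlyContinue)
    }
}

function Get-HibernationStatus {
    # HibernateEnabled=0 is what "powercfg /hibernate off" sets; hiberfil.sys is
    # only removed when hibernation is disabled, so report both the flag and the file.
    $power = 'HKLM:\SYSTEM\CurrentControlSet\Control\Power'
    $enabled = (Get-ItemProperty -Path $power -Name HibernateEnabled -ErrorAction SilentlyContinue).HibernateEnabled
    [PSCustomObject]@{
        HibernateEnabled = ($enabled -eq 1)
        OnDiskFile       = [bool](Get-Item -Path "$env:SystemDrive\hiberfil.sys" -Force -ErrorAction SilentlyContinue)
    }
}

function Get-UsbStorageHistory {
    # Device instances under Enum\USBSTOR live in the SYSTEM hive. This is the
    # history kareldjag refers to: it survives unless the hive itself is rolled back.
    $usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    if (-not (Test-Path $usbstor)) { return @() }
    Get-ChildItem -Path $usbstor | ForEach-Object {
        $device = $_
        Get-ChildItem -Path $device.PSPath | ForEach-Object {
            [PSCustomObject]@{
                Device       = $device.PSChildName   # e.g. Disk&Ven_...&Prod_...
                InstanceId   = $_.PSChildName        # device serial number or a generated id
                FriendlyName = (Get-ItemProperty -Path $_.PSPath -Name FriendlyName -ErrorAction SilentlyContinue).FriendlyName
            }
        }
    }
}

# Summary of what an examiner would still find on this machine.
$page = Get-PageFileStatus
$hib  = Get-HibernationStatus
$usb  = @(Get-UsbStorageHistory)

"Page file(s) configured : $($page.PageFiles -join ', ')"
"pagefile.sys on disk    : $($page.OnDiskFile)  (ClearPageFileAtShutdown: $($page.ClearAtShutdown))"
"Hibernation enabled     : $($hib.HibernateEnabled)  (hiberfil.sys on disk: $($hib.OnDiskFile))"
"USB storage devices seen: $($usb.Count)"
$usb | Format-Table -AutoSize
```

If the page file list is empty, hibernation is disabled and neither file exists on disk, the two gaps Coldmoon names are closed at the Windows level; the USBSTOR listing shows whether the registry history LockBox and kareldjag discuss is still present, which is a question of whether the restore product covers the SYSTEM hive rather than of any Windows setting.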
     