System Spy Test for you

Discussion in 'privacy problems' started by CloneRanger, Sep 30, 2010.

Thread Status:
Not open for further replies.
  1. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Think you've Permanently deleted and erased ALL your file data, even after a secure pass/es ? Well think again, because the chances are Very high that you haven't.

    Here's a simple test with JUST one file ! You could use any type of file, but here's a small sized .GIF one that you can use CanYouSeeMe.gif so we're all using the same one.

    CanYouSeeMe.gif

    Now delete it, securely if you can, then run your favourite cleaner/s, even in secure delete mode if they have it, and reboot if you need to.

    Now try and find ANY evidence of that file name anywhere in your comp, including the registry.

    Download a trial of Directory Snoop - http://www.briggsoft.com/dsnoop.htm - install and run it and look for CanYouSeeMe.gif file name and/or any remnants of it.

    Post back with what you discover, and hopefully include screenies :thumb:

    Here's what it found on my comp after ALL the above secure etc cleaning :eek: And that's just one securely deleted file, so think how many more you WILL have !

    ds.gif
     
  2. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    You didn't mention what file wipers you used o_O Were you able to see the erased gif or just the filename??

    I would appreciate since i don't have a test box if anyone could post their "own" findings on apps like "File Shredder", "Eraser" - any program you found that did a great job on erasing including filenames.

    Thanks
     
  3. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi,

    If i am not wrong you only find the link to your image stored in the recent folder

    regards,

    MaB
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ tobacco

    I used CleanDiskSecurity & CCleaner & MruBlaster in secure delete mode.

    CDS & CC do indeed securely delete the file :thumb: and it's not recoverable :thumb: and MB erases the "regular" MRU entries.

    So the actual file has securely gone :thumb: but as you can see hidden traces/evidence still exist in the Registry :thumbd: That's what Windows does with Everything :thumbd:

    You don't need a test box to do this, as you will come to NO harm with my .GIF file ;)

    Originally Posted by MaB69

    I didn't search through the whole registry on this occasion, i just showed those entries as an example to prove the point. Other times i've used Directory Snoop i find HUNDREDS of normally hidden "deleted" entries that i am then able to wipe with it. Often there are multiple entries for the same file name/s spread all through the registry :eek: That's what Windows does with Everything :thumbd:
     
  5. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    @CloneRanger

    I didn't want to tie up my laptop testing wiping and undelete/recovery tools on the 17 gigs of free space on my system partition which i thought would produce the most accurate results ;)

    So instead, i created a 50MB truecrypt container, mounted it and using your Directory Snoop tool, tested out the following 4 apps using your ".gif" and a 13MB video clip file with the results also below.

    Firstly, all apps erasing prevented the files from being restored using the "undelete" feature in Directory Snoop. This feature did work on files just "normally" deleted through windows.

    Easy Shred: Performed the worst as original filename was visible along with file size.

    CCleaner: Didn't like how each file is renamed :ZZZZZZZ: File size visible.

    File Shredder: Files are renamed differently each time. File size visible.

    Eraser: The "King" of my simple test. Not much left showing of the file including file size (0 bytes each time) :thumb:

    Edit: Forgot to mention all apps were set at DOD 3Pass
     
    Last edited: Oct 1, 2010
  6. Warlockz

    Warlockz Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    642
    You should try using Cyberscrub or East-tec eraser, then report back with your findings?
    I prefer East-Tec myself
    This requires erasing restore points/Shadow Copies to ensure everything is gone. unless you already have them disabled?
     
  7. tipo

    tipo Registered Member

    Joined:
    Dec 29, 2008
    Posts:
    408
    Location:
    romania
    i bet that if i use r-wipe &clean there will be nothing to find!
     
  8. poison

    poison Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    150
    i use evidence eliminator which is hated by most wilders users because of past selling tactics but after a little test nothing at all was found after doing a quick mode wipe and then using dsnoop as well as getdataback and recuva :argh: :D
     
    Last edited: Oct 1, 2010
  9. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    There's nothing magical about these file eraser/wipers. All they do is overwrite with random data. So I find it sort of funny when everyone gets in a war about which is better.
     
  10. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ tobacco

    I don't think that using a truecrypt container would write to the registry ? If so you won't see those entries as i did, Hidden or otherwise !

    Yes i find plenty of CCleaner :ZZZZZZZ: etc entries too ! but it's better than file names :) Even so i "believe" those Hidden entries might be there.

    If you get chance to do a non TC test, that would be good :thumb:

    @ Warlockz

    Yes erasing restore points/Shadow Copies etc is a Very good suggestion :)

    OK, go ahead ;)

    @ poison

    Interesting, how thorough was your registry search with DS ?
     
  11. poison

    poison Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    150
    never-mind, i just realised that i had a custom ruleset enabled which more than likely affected the result, i will test it again in a short while using the default options
     
  12. caspian

    caspian Registered Member

    Joined:
    Jun 17, 2007
    Posts:
    2,301
    Location:
    Oz
    I will try this with R-wipe a little later. So all you want me to do is to right click and wipe the file?
     
  13. poison

    poison Registered Member

    Joined:
    Aug 20, 2007
    Posts:
    150
    ok i tried again and this time it found 1 match in C:\Users\xxx\NTUSER.DAT:2
     
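    A way to run the kind of remnant check poison describes on your own box, as an added example that is not code from the thread or from Directory Snoop. It scans a hive, log or raw image for a file name in both byte forms Windows uses, ASCII and UTF-16LE (the registry, the MFT and .lnk shortcuts all store names as UTF-16LE), so a plain text search that only tries ASCII misses the registry hits. The sample bytes and the C:\Users\xxx path are constructed here to stand in for a real NTUSER.DAT.

```python
import re
from pathlib import Path

# Constructed sample standing in for a few bytes of a registry hive such as
# NTUSER.DAT: registry strings are stored as UTF-16LE, log files as ASCII.
SAMPLE_HIVE = (
    b"\x00" * 16
    + "CanYouSeeMe.gif".encode("utf-16-le")                    # an MRU value
    + b"\x00" * 8
    + b"canyouseeme.gif"                                       # ASCII, lower case
    + b"\x00" * 8
    + "C:\\Users\\xxx\\Recent\\CanYouSeeMe.lnk".encode("utf-16-le")  # shortcut path
)


def patterns_for(name: str) -> dict:
    """Byte forms a file name takes on Windows: ASCII (logs, slack space)
    and UTF-16LE (REG_SZ values, MFT file-name attributes, .lnk files)."""
    return {"ascii": name.encode("ascii"), "utf-16le": name.encode("utf-16-le")}


def find_remnants(data: bytes, name: str) -> list:
    """Return sorted (offset, encoding) pairs for every hit of `name` in `data`.
    The match is case-insensitive, as NTFS and the registry are; re.IGNORECASE
    on bytes folds the ASCII letters and leaves the interleaved NUL bytes of
    UTF-16LE untouched, so one flag serves both encodings."""
    hits = []
    for enc, pat in patterns_for(name).items():
        for m in re.finditer(re.escape(pat), data, flags=re.IGNORECASE):
            hits.append((m.start(), enc))
    return sorted(hits)


def scan_file(path: str, name: str) -> list:
    """Scan a hive, log or raw image file on disk for remnants of `name`."""
    return find_remnants(Path(path).read_bytes(), name)


if __name__ == "__main__":
    # Searching the stem rather than the full name also catches the Recent
    # folder shortcut, which carries a .lnk extension instead of .gif.
    for off, enc in find_remnants(SAMPLE_HIVE, "CanYouSeeMe"):
        print(f"offset {off:6d}  {enc}")
```

    A hive that is in use is locked, so point scan_file at a copy (or a raw image) rather than the live NTUSER.DAT.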
  14. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    :thumb:

    I opened it first and viewed it and closed it, and then securely deleted it.

    Aha, i'm surprised you didn't see it in at least RECENT as well ? Thanks for confirming :thumb:
     
  15. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    I opened the file, used ERASER 3-wipe and it was gone. DirSnoop found no trace except the expected red question marks and a zero file size. No reference to file name in registry. Also, I don't worry about anything in "recent" as I have it disabled on my XP system. I suggest everyone disable their recent files references. It's very easy to do. I have done it using TweakXPpro, but you can do it manually very easily. Just Google - disable recent files.
     
  16. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ LockBox

    Looks like you're covered then ;) But you did find the Hidden RED question marks etc with DS ;)

    Heads up for those that might wish to do the same.

    Yes that works to not display from there, and i've done that since 98 days :D but it still records in the registry :thumbd: So there is another trick too which Thanks to your post :thumb: i investigated and have just done.

    Create a new REG_DWORD for that and set to 1, and you don't need TweakUI etc to do it.
     
  17. LockBox

    LockBox Registered Member

    Joined:
    Nov 20, 2004
    Posts:
    2,275
    Location:
    Here, There and Everywhere
    You're exactly right, Clone. I have TweakXPpro which has literally hundreds of little tweaks and it allowed me to do this from that program. But you certainly don't need it. Some also say you must have TweakUI which is also wrong. As you said, there are just a couple of simple registry tweaks to get rid of all the recent use entries. Since encrypting my entire laptop I don't worry about these things as much, but it's very important for those who do not use FDE.

    Good exercise. Never hurts to do little simple checks like checking the erasure and entries from your .gif file. As chronomatic rightly pointed out, there really shouldn't be problems with simple shredding of files - yet I run across problems frequently with applications that simply don't know the very basics and you end up with things like "Easy Shred" as tobacco discovered. No excuse for that.

    Good practical thread, Clone.
     
  18. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    Just tested RWipe & Clean and it performed well - so much so that the "undelete" feature just gives this error:

    RW&C.png

    Didn't get this with the others but the files were still unusable/unrestoreable. Think i just created a new word :p
     
  19. Warlockz

    Warlockz Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    642
    Some others

    • Indexing Service
    • Hibernation mode
    • UserAssist
    • NTFS TimeStamp
    • Thumbs.db
    • Windows Application Logs
    And the list goes on and there are too many to keep track of + you never know what new update or software you install is going to add to the list.

    You also have Security software that logs many different things. Threatfire is an example as it logs loads of crap. You may want to check to see what your security software is logging.

    Windows and the different software you use are your greatest enemy when it comes down to tracking you. Many find this helpful so they can go back in time, but there's not 1 Eraser/Wiping utility on the market that covers them all.

    The only way to be 99.9% sure everything is gone is to Overwrite/Wipe all of the contents on your entire drive.

    In the end FDE "Full Disk Encryption" is ultimately the way to go!

     
    Last edited: Oct 2, 2010
  20. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Thanks :thumb:

    I know you use Returnil etc, and i used to use v2008 = :thumb: Except it had problems with SR so i stopped using it :( Apart from that, one of the Brilliant things about v2008 was secure delete of it's cache on Shutdown = :thumb: not boot as in the later versions = :thumbd: I use ShadowDefender now = :thumb: SD doesn't securely delete it's session = :thumbd: and nobody is able to advise me the best way to do it, safely :(

    @ tobacco

    So the file/s were "New Word" ;) but did you see Any RED entry/entries for them Anywhere in your comp using DS ?

    @ Warlockz

    * Indexing Service = Disabled = :thumb:
    * Hibernation mode = Doesn't exist = :thumb: Disable if it did = :thumb:
    * UserAssist = Disabled = :thumb:
    * NTFS TimeStamp = No NTFS = :thumb:
    * Thumbs.db = Deleted with Bleachbit = :thumb:
    * Windows Application Logs = Deleted with CCleaner = :thumb:

    Indeed, it can seem that way.
     
  21. Warlockz

    Warlockz Registered Member

    Joined:
    Oct 30, 2008
    Posts:
    642
    Hibernation exists in XP, Vista and 7, just so others don't get confused, as you say it doesn't exist, unless one disabled it or did not activate it or removed it altogether, I don't really know about 95, 98, 2000, me, which OS are you using?


    also here are some various resources users may or may not be familiar with?

    http://www.irongeek.com/i.php?page=videos/anti-forensics-occult-computing
    http://blackopsecurity.net/wiki/index.php/Anti-Forensics
    http://www.forensicswiki.org/wiki/Anti-forensic_techniques
    http://www.computerforensicsworld.com/
    http://www.forensicfocus.com/computer-forensics-forums
    http://www.nirsoft.net/
    http://www.blackviper.com/
     
    Last edited: Oct 2, 2010
  22. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @ Warlockz

    I presume you're asking me ?

    XP/SP2 - Not a laptop ;)

    It's news to me, and no mention in here that i can see - http://www.blackviper.com/WinXP/Archive_SP2/servicecfg.htm

    Don't mind being proved wrong, and you're right to bring it up anyway ;)
     
  23. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    7,278
    Location:
    England
    Can confirm here that hibernation exists on my desktop pc using XP home and SP3.
     
  24. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    Re - Hibernation no show on my XP/SP2

    Found the answer !

    classic Shut Down menu = me ;)
     
  25. tobacco

    tobacco Frequent Poster

    Joined:
    Nov 7, 2005
    Posts:
    1,497
    Location:
    British Columbia
    My spell check didn't recognize
    so that was the "new word" ;)

    All my tests returned as "red" on the files in question that were deleted. And while i would prefer a "blank window" in DS (no traces of anything period), i don't think it's possible unless maybe the test drive has been slaved and nuked first. I just don't know :blink:.

    DS also showed several normal Windows files (black) - who knows what info they all hold :eek:

    Anyways - the file being "unrecoverable" :p and the file name/size changed would be enough for me.

    I really like File Shredder as it's fast but am disappointed that it leaves the file size as is :(
     