# Computer Anti-Forensics

## Introduction

Devices such as phones, laptops, desktops, hard drives, and much more can be seized and forensically analyzed with a variety of tools used by law enforcement. There are ways to prevent and hinder these forensic investigations. This guide focuses on local computer forensics, which covers mobile devices, hard drives and other storage media, personal computers, and, possibly for the first time, smart watches.

## Encryption

Strong encryption is a forensic expert's nightmare. It is nearly impossible to get around with current technology when certain conditions are met. Strong encryption should be open source, tested, and actively developed and maintained. There are currently two disk encryption tools that meet these criteria: LUKS2 and VeraCrypt. You should use a passphrase for your disk encryption; I recommend an 8-word Diceware passphrase. Avoid BitLocker: it is closed source and often tricks the user into storing a recovery key in an insecure location or into using an insecure authentication mechanism, such as TPM-only BitLocker. Do not use TrueCrypt; it is deprecated and insecure. Some people still use TrueCrypt because it's TrueCrypt; use VeraCrypt instead.

## Plausible Deniability

Some countries, such as the UK, can force the disclosure of your passphrase. This is where plausible deniability comes into play. VeraCrypt is currently the only disk encryption tool that allows for reliable plausible deniability when the right conditions are met. VeraCrypt allows the creation of a hidden volume inside the free space of an outer volume. If you are forced to disclose a password, you can give up the password to the outer (decoy) volume, and under the correct conditions there is no way to prove the existence of the hidden volume. To have the correct conditions for plausible deniability, a live OS should be used, such as Tails OS or, if you want to be less conspicuous, a live Ubuntu or Fedora USB.
This way, when the operating system caches information in or about the hidden volume, it is stored in RAM, which is completely gone when the system shuts down, instead of on disk, where it could be extracted, examined, and used to prove the existence of a hidden volume. The passphrase for the hidden volume should also be completely different from the passphrase for the outer volume; again, I recommend 8-word Diceware passphrases. VeraCrypt hidden volumes should only be created on magnetic hard disks: flash storage often has TRIM and wear leveling, which can give away the existence of the hidden volume.

## Mobile Devices

For mobile devices, avoid Samsung at all costs, use a long PIN, password, or even passphrase on your device, and shut it off to remove the encryption keys from RAM before law enforcement is able to obtain the device. It is best to keep the absolute minimum amount of information on a mobile device, as the security of such devices varies widely from model to model. For messaging, use Signal or Molly, preferably Molly. Molly, a hardened Signal fork, allows you to set a passphrase to encrypt messages at rest instead of relying only on the Android Keystore system. Signal is fine if you know the Android Keystore on your device is adequately protecting secrets, but most of the time knowing this is nearly impossible. Enable disappearing messages: deleted information can be recovered, but with Signal or Molly recovering deleted messages is more difficult (not impossible), and disappearing messages significantly limit the amount of information obtained if a compromise occurs. Plausible deniability does not exist on mobile phones, at least not yet. Maybe in the future there will be a custom open source ROM that supports plausible deniability. When using a phone, disable clipboard history. This is especially important if you are using a Samsung device.
Samsung keeps a record of about the last 50-70 things you copied, depending on the device. Even if you hit the delete button on the clipboard history, it isn't deleted, just made invisible; again, Samsung is especially bad about this. There are apps that overwrite the clipboard history, and these may be more reliable. One such app for Android is S.S.E (Secret Space Encryptor), which lets you quickly wipe the clipboard by automatically copying a series of incrementing numbers.

## Encryption for external storage devices

All external storage devices should be encrypted, even those that don't contain sensitive information. This makes it harder to target one specific drive. It also prevents the argument or assumption that "X person specifically encrypted Y drive, so it must contain Z data". Even though this is not a valid conclusion, it still causes serious problems, such as in the US, where the "Foregone Conclusion Doctrine" may be used, in the UK, where there are key disclosure laws, and in some cases in Australia. Avoid applications such as Steghide; these are easy to detect, and their encryption is not strong by modern standards. Avoid image and audio steganography in general: every application made for this purpose, no matter the algorithm (LSB, F5, etc.), can be detected, and it only makes things worse, as it shows the intention to hide information.

## Data erasure

For SSDs and many forms of flash storage, you can use blkdiscard on Linux, or delete all the files and run TRIM, to wipe the device. Note that this is not reliable, as it relies on the firmware of the flash storage device. Some SSDs may act as if they permanently discarded the data when in fact they did not. SSDs are not a good choice if you anticipate ever having to wipe a device. Never overwrite SSDs using multi-pass wipes such as Gutmann; these were meant for hard disks, they wear out SSDs, and they won't actually get rid of the data because of wear leveling.
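As an added example (not from the original guide), the single-pass overwrite that works on magnetic disks, done at file level the way shred or srm do it, followed by a read-back check that no original bytes remain. The sample file is constructed inside the block; the SSD caveat above still applies, since on flash a successful read-back only proves the logical blocks are zero, not that the old physical cells are gone.

```python
import os
import tempfile

BLOCK = 4096  # write/read granularity; the file does not need to be block-aligned


def overwrite_file(path, random_data=False):
    """Single-pass, in-place overwrite of every byte in `path`, then fsync.

    Mirrors the HDD wipe the guide describes (what shred/srm do). The file
    is opened r+b and never truncated: truncating first would free the old
    blocks instead of overwriting them. On SSDs/flash this does NOT help,
    because wear leveling maps the new write to different physical cells.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        remaining = size
        while remaining > 0:
            n = min(BLOCK, remaining)
            f.write(os.urandom(n) if random_data else bytes(n))  # bytes(n) = n zero bytes
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # push the overwrite through the page cache to the disk
    return size


def verify_zeroed(path):
    """Read the file back and return True only if every byte is now zero."""
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            if chunk.count(0) != len(chunk):
                return False
    return True


def make_sample_file(content):
    """Constructed sample: a temp file standing in for a sensitive document."""
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


def wipe_and_verify(path):
    """Overwrite with zeros, confirm by reading back, then unlink the name."""
    size = overwrite_file(path)
    clean = verify_zeroed(path)
    os.remove(path)  # unlink only after the contents are gone, never before
    return size, clean


if __name__ == "__main__":
    sample = make_sample_file(b"SECRET: constructed sample data\n" * 700)
    print(wipe_and_verify(sample))  # (22400, True)
```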
HDDs can be easily and reliably wiped by overwriting all the sectors on the drive with random data or zeros. One pass is good enough on modern drives and for most use cases; however, some older drives from 15-20 years ago may require two or three. The Gutmann 35-pass wipe is overkill, and there is almost no reason to use it except to waste time. A wipe can also be performed on individual files by overwriting them with random data or zeros; this works on HDDs but not SSDs. A wipe of an entire drive can be performed with the shred or dd command; for wiping individual files you may use the shred or srm command. BleachBit will also delete cache files from your system and optionally overwrite them to prevent recovery.

## Data decoys

To waste time in a forensic investigation if your drives are decrypted, you can use decoy files, sometimes referred to as chaff files. Note that this is only for defense in depth and will not be enough to stop a forensic investigation; it will only hinder and slow one down. BleachBit is able to generate chaff files using data from Hillary Clinton's emails or 2600 magazine. These files can be deleted (but not wiped) afterwards so that they sit in unallocated space on the drive. The chaff files are meant to match keywords that forensic investigators may search for, so that investigators have to sort through the chaff to find any meaningful data.

## Not saving any data

In some cases you may be able to not save any data on your device at all. Some cloud storage providers allow you to access their web interfaces via Tor. If you encrypt your files before upload using something such as GnuPG and upload them via Tor from a live OS such as Tails, it will be extremely difficult to find your data, and even if it is found it would still need to be decrypted. This effectively means nothing is stored on your device.
Tor would hide which cloud storage provider you are using from network observers, and maybe even the fact that you are using cloud storage at all. If your device is seized, forensics will not reveal anything, not even an encrypted partition, because there is nothing on the device. This is useful for some threat models and scenarios, such as crossing a border into another country when you anticipate a search or seizure of your electronic devices.

## Smart Watches

Avoid smartwatches; if you decide to use one, do not connect it to your phone. Smart watches collect and cache a large amount of data, including text messages. If you are using Signal, the notifications from Signal containing decrypted messages can be cached on a smart watch even after attempts to get rid of them. There is currently no way to reliably prevent digital forensics on smart watches. There is one exception, the PineTime. Still, do not connect it to your phone, as it will receive the phone's notifications and store them in plain text; it works just fine without a phone, since the time can be set manually and none of the built-in apps require a phone in order to be used.
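As an added example for the 8-word Diceware recommendation in the Encryption and Plausible Deniability sections above (added here, not part of the original guide), this is the Diceware method itself: five dice rolls index a 7776-word list, and each word contributes log2(7776), about 12.9 bits. The wordlist below is a constructed stand-in for a real Diceware list, which you would download separately.

```python
import math
import secrets

DICE_PER_WORD = 5                 # Diceware: five six-sided dice select one word
LIST_SIZE = 6 ** DICE_PER_WORD    # 7776 entries in a standard Diceware list

# Constructed stand-in for a real Diceware list. A real list pairs each roll
# (11111 .. 66666) with a short English word; here each slot is just labelled.
WORDLIST = ["w%04d" % i for i in range(LIST_SIZE)]


def roll_to_index(roll):
    """Map a five-dice roll such as '31466' onto a list index 0..7775.

    Each die is a base-6 digit (1..6 -> 0..5), most significant die first,
    so '11111' is index 0 and '66666' is index 7775.
    """
    if len(roll) != DICE_PER_WORD or any(c not in "123456" for c in roll):
        raise ValueError("a roll is exactly five digits in the range 1-6")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index


def roll_dice():
    """Roll five dice from the OS CSPRNG (software stand-in for physical dice)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def passphrase(n_words=8, wordlist=WORDLIST):
    """Build an n-word Diceware passphrase; 8 words is the guide's recommendation."""
    return " ".join(wordlist[roll_to_index(roll_dice())] for _ in range(n_words))


def entropy_bits(n_words, list_size=LIST_SIZE):
    """Entropy of a uniformly chosen n-word passphrase: n * log2(list size).

    8 words from 7776 gives about 103.4 bits, well beyond any practical
    brute-force attack on a LUKS2 or VeraCrypt header.
    """
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print(passphrase())
    print("%.1f bits" % entropy_bits(8))  # 103.4 bits
```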