Windows Anti Forensics Tip of the Day…

I previously wrote about how to have your system automatically clear the pagefile before a reboot or shutdown.  There’s a couple other steps I recommend you make on your system…

Automatically permanently delete (Nuke on Delete)- Normally Delete sends files to the Recycle Bin and a Shift+Delete will permanently delete them.  With the registry tweak below the normal Delete will also behave as a permanent delete. ***Note: Delete does not mean a file is deleted.  It only frees up the file record and clusters so they _could_ be overwritten.

  1. Go to Start -> Run and type Regedit
  2. On the left hand side select the “+” to navigate to the following.
  3. HKEY_LOCAL_MACHINE SOFTWARE Microsoft Windows CurrentVersion Explorer BitBucket
  4. On the right look for NukeOnDelete
  5. Right click it and set the key value for NukeOnDelete to 1

Scheduled Task to Zero out unused disk space – As I mentioned above a deleted file only insures that there is a _chance_ the file will be overwritten.  If you run the below command it will zero out all unused disk space which _should_ be good enough to prevent file content recovery. ***Note: The deleted file name will still be lying around until a new file happens to overwrite it.

>cipher /W:[directory_to_wipe]

Here’s my scheduled task: C:WINDOWSsystem32cmd.exe /c cipher /W:C:

Scheduled Task to Delete Recent Items – Even if you permanently delete a file and or use Eraser there’s a copy of the filename in your Recent directory.  I have the following scheduled task command which clears my Recent items once a day….

Task for Recent Items:

>C:WINDOWSsystem32cmd.exe /c del “c:documents and settings[username]recent*.lnk”

Task for Recent Office Items:

>C:WINDOWSsystem32cmd.exe /c del /Q “C:Documents and Settings[username]Application DataMicrosoftOfficeRecent*.*”

Eraser I highly recommend using this great freeware utility.  One of many things it does is adds a new option in your content menu to permanently delete a file and zero out the contents all at the same time.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s