Anti-Forensics: Increasing the Complexity and Cost of Digital Forensics

The purpose of this guide is to give a layered approach to avoiding digital forensics methods, as well as actions to avoid legal prosecution. In reality only a few of these methods should be enough to completely derail a forensic investigation, but human error is bound to exist, so it is better to think in layers in case a workaround to one method exists that you are not aware of.

This guide is NOT to promote illegal activity but to avoid censorship and intimidation.

Securing your Operating System:

  1. GET OFF OF WINDOWS

It’s a cliché, but it’s just the truth. You don’t even need to go to the extreme of setting up Whonix or Arch Linux; a stable Ubuntu or Mint install is enough. Choose the option to encrypt the entire disk, create a strong password, enable UFW (Uncomplicated Firewall) and deny all incoming connections. Add a startup script for macchanger so that a new MAC address is generated on each boot: https://linuxconfig.org/change-mac-address-with-macchanger-linux-command
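Added example, not from the original post or the linked macchanger guide: a small POSIX shell script that generates the kind of address `macchanger -r` assigns, a random locally administered unicast MAC, and validates the two bits in the first octet that make such an address valid. The interface name and the apply step (iproute2’s `ip link set`, which needs root) are assumptions; generation and validation run without privileges.

```shell
#!/bin/sh
# Added example (not from the original post or the linked guide): generate a
# random locally administered unicast MAC address and check its validity.
# Interface name and the apply step are assumptions; no root is needed to
# generate or validate an address.

set -eu

# Build a MAC from six random bytes. In the first octet, bit 0 must be clear
# (unicast, not multicast) and bit 1 must be set (locally administered, so the
# address cannot collide with a vendor-assigned OUI). The other five octets
# are free.
random_mac() {
    set -- $(od -An -N6 -tu1 /dev/urandom)
    first=$(( ($1 | 2) & 254 ))
    printf '%02x:%02x:%02x:%02x:%02x:%02x\n' "$first" "$2" "$3" "$4" "$5" "$6"
}

# Return 0 if MAC is syntactically valid, unicast and locally administered.
is_local_unicast_mac() {
    mac=$1
    printf '%s\n' "$mac" | grep -Eq '^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2}){5}$' || return 1
    hex=$(printf '%s' "$mac" | cut -d: -f1)
    first=$(printf '%d' "0x$hex")
    [ $((first & 1)) -eq 0 ] && [ $((first & 2)) -ne 0 ]
}

# Apply MAC to IFACE with iproute2 (needs root; the link is taken down first).
# This is the same effect as the macchanger startup script in the linked guide.
apply_mac() {
    iface=$1
    mac=$2
    is_local_unicast_mac "$mac" || { echo "refusing invalid MAC $mac" >&2; return 1; }
    ip link set dev "$iface" down
    ip link set dev "$iface" address "$mac"
    ip link set dev "$iface" up
}

# Usage (as root, from a boot-time script; eth0 is an assumed interface name):
#   apply_mac eth0 "$(random_mac)"
```

The validation function is the useful part if you script this yourself: a random 48-bit value with the multicast bit set will be rejected by the kernel, and one with the locally administered bit clear impersonates a real vendor prefix.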

Install Firefox, change the privacy settings to delete history, cookies and cache every time you close the browser, and install the NoScript extension to stop scripts from running on websites you visit that could possibly carry exploits.

Securing your Internet Connection:

When creating accounts to buy and use a VPN, make sure you have a spoofed MAC address and are on a public hotspot. From there you can create email accounts on ProtonMail. Generate random usernames and passwords and DO NOT REUSE ANY!

Buy a VPN using cryptocurrency funds:

You can buy a reliable VPN like NordVPN using Monero, a cryptocurrency focused on keeping the transaction private. A cryptocurrency like Bitcoin can be traced back to you through wallet addresses, but it is still miles better than using a credit card. If you need to use Bitcoin or another alt-coin, you can buy it from Coinbase, send it to a personal wallet address, pay from that wallet and then delete the traces of having had that wallet. You want a VPN provider with a track record of keeping no logs even when subpoenaed by law enforcement, and one that is not located in the US. NordVPN works well because it is legally based in Panama.

Physical Security at home:

Log in to your router, change the default passwords, disable wireless if possible, and change the DNS servers to Cloudflare (1.1.1.1 primary and 1.0.0.1 secondary) or another DNS provider that respects privacy. You want to do this so that any DNS lookups that leak past your VPN do not go to your ISP (DNS leak protection is also a feature most VPN providers offer).

Layered encryption:

In addition to your full disk encryption you want a second layer of encryption for sensitive files. Use the built-in gpg encryption through the terminal. If it’s a directory, run “tar czf mydirectory.tar.gz mydirectory/” to turn it into a tarball.
To decompress do: “tar xzf mydirectory.tar.gz”
Then generate a private key with “gpg --gen-key”, give it a name to sign with (use an alias), leave the email address blank if you want, and give it a strong password that has not been used before. This generates a gpg public and private key under the alias username you gave it.
When you want to encrypt a file do “gpg -e -r ALIAS fileName”; this writes the encrypted copy to fileName.gpg.
To decrypt the file do “gpg -d -o fileName fileName.gpg”; this will prompt you for your key passphrase and write the decrypted file to fileName.
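The tar + gpg workflow above, as an added example that is not part of the original post: two shell functions that pipe the tarball straight into gpg, so the unencrypted archive never lands on disk, plus a round-trip check. It uses a throwaway GNUPGHOME and a passphrase-less demo key generated non-interactively so that it can run end to end; the alias name, paths and sample file content are assumptions made for the demo. For real use you would generate the key with `gpg --gen-key` and a strong passphrase, as the post describes.

```shell
#!/bin/sh
# Added example (not from the original post): the tar + gpg encrypt/decrypt
# workflow as shell functions, run against an isolated keyring.
# Alias name, directory names and the passphrase-less demo key are assumptions
# made so the example can run unattended.

set -eu

# Use an isolated keyring for the demo so nothing touches ~/.gnupg.
GNUPGHOME=$(mktemp -d)
export GNUPGHOME
chmod 700 "$GNUPGHOME"

# Generate a keypair for ALIAS without a passphrase (demo only).
# "default default" gives a signing primary key plus an encryption subkey.
make_demo_key() {
    alias_name=$1
    gpg --batch --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "$alias_name" default default never >/dev/null 2>&1
}

# tar + gzip DIR and encrypt the stream to ALIAS (the "gpg -e -r ALIAS" step).
# Writes DIR.tar.gz.gpg next to DIR and prints that path; the plaintext
# tarball exists only in the pipe.
encrypt_dir() {
    dir=${1%/}
    alias_name=$2
    out="$dir.tar.gz.gpg"
    tar czf - -C "$(dirname "$dir")" "$(basename "$dir")" \
        | gpg --batch --yes --trust-model always -e -r "$alias_name" -o "$out"
    printf '%s\n' "$out"
}

# Decrypt ARCHIVE (the "gpg -d" step) and unpack it into DEST.
decrypt_dir() {
    archive=$1
    dest=$2
    mkdir -p "$dest"
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' -d "$archive" \
        | tar xzf - -C "$dest"
}

# Round trip on a constructed sample directory; returns 0 if the restored
# copy is byte-for-byte identical to the original.
roundtrip_demo() {
    work=$(mktemp -d)
    mkdir "$work/mydirectory"
    printf 'constructed sample secret\n' > "$work/mydirectory/notes.txt"
    make_demo_key "demo-alias"
    enc=$(encrypt_dir "$work/mydirectory" "demo-alias")
    decrypt_dir "$enc" "$work/restored"
    if cmp -s "$work/mydirectory/notes.txt" "$work/restored/mydirectory/notes.txt"; then
        status=0
    else
        status=1
    fi
    rm -rf "$work"
    gpgconf --kill gpg-agent 2>/dev/null || true
    return "$status"
}
```

Piping tar into gpg matters more than it looks: the post’s two-step version leaves mydirectory.tar.gz on disk between the tar and gpg commands, which then has to be shredded separately.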

Two factor authentication for login and sudo:

Digital Ocean has a good guide on this for Ubuntu 18.04: https://www.digitalocean.com/community/tutorials/how-to-configure-multi-factor-authentication-on-ubuntu-18-04

Set up a BIOS/Supervisor password:

This keeps the examiner from using your PC to boot a live USB for forensic analysis. Most of the time these passwords can be removed fairly easily, but doing so slows the process down, and an inexperienced examiner may run into trouble and break protocol or accidentally destroy evidence. They won’t be able to examine the hard drive anyway if it has full disk encryption.

Using Tor:

Make sure your Tor Browser is always up to date with the latest security patches. Open the Tor settings and set the security level to its highest, since this disables JavaScript, which has been exploited before to de-anonymize Tor users.

  • Always connect to Tor over a VPN.
  • Never maximize your window in Tor, since your screen resolution can be used to identify you.
  • Never log in to personal accounts over Tor.
  • Never create usernames that you have used on the clearweb before or that contain identifying information about you.
  • Create multiple aliases and never reuse them.

Shred files instead of deleting them:

When you want to delete a file and make sure it cannot be recovered, run “shred -v -n 25 -z FILEPATH/FILENAME”; this overwrites the file 25 times and then does a final pass of zeros to hide that it was shredded. Note that shred only works as described on filesystems that overwrite data in place, which is not guaranteed on journaled or copy-on-write filesystems or on SSDs (see the shred manual). Also make sure to delete your bash history so it cannot be seen that you used the shred command. You can do this with “history -c”, or to be safe you can make a crontab entry to clear it. Run “crontab -e” as your own user (not with sudo, because “~” in root’s crontab points at /root), choose whatever editor you prefer, then add the line “0 1 * * * cat /dev/null > ~/.bash_history”; this overwrites your bash history every day at 1 am.

Advanced: RAID 0 setup with 3 disks

If you have a motherboard with hardware RAID capabilities you can set up 3 disks in RAID 0 and then install a Linux distro on the single logical volume. This spreads data across the three disks, so examining any one disk on its own (especially if it’s encrypted) is arguably impossible. This increases the cost of digital forensics because, even after removing all three disks from your PC, the examiner needs the same RAID controller in order to access the RAID array.
