Category: Anti-Forensics

Anti-Forensics, Privacy

Disable UserAssist History – Anti-Forensics

To stop Windows (Vista, 7, 8) from tracking the programs you use: > Create a new file and name it, for example, disable_userassist.reg > Copy and paste the following lines into it:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Start_TrackProgs"=dword:00000000

> Save the file and > Double click it to import the values into … Importing the value only stops new entries from being recorded; entries already stored under the UserAssist key should be checked and deleted separately.

Anti-Forensics, Privacy

Delete UserAssist History – Anti-forensics

Windows systems maintain a set of keys in the registry to keep track of programs that have been executed. The number of executions and the date and time of the last execution are stored in these keys. UserAssist is the mechanism Explorer uses to populate a user's Start menu with frequently used applications. The information within the binary UserAssist values …

Anti-Forensics, Privacy

Disable timestamp for last access to a file – Anti-forensics

fsutil performs tasks related to the file allocation table (FAT) and NTFS file systems, such as managing reparse points, managing sparse files, or dismounting a volume. Used without parameters, fsutil displays a list of supported subcommands. fsutil behavior queries or sets NTFS volume behavior. Since NTFS on Vista and later does not update last-access timestamps by default, query the current setting before changing it. > Run cmd as administrator …

Anti-Forensics, Microsoft Windows

Clear All Windows System Logs – AntiForensics

Clear all Windows system logs using ClearLogs (wevtutil.exe). wevtutil lets you retrieve information about event logs and publishers; you can also use it to install and uninstall event manifests, run queries, and export, archive and clear logs. Development: built on .NET Framework 4.5.1 with Visual Studio 2013. Download page: http://sourceforge.net/projects/clearlogs/ Source …

Anti-Forensics

Clear All Windows Logs

1) Create a .bat file
2) Append the following:

@echo off
FOR /F "tokens=1,2*" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo Event Logs have been cleared! ^<press any key^>
goto theEnd
:do_clear
echo clearing %1
wevtutil.exe cl %1
goto …

The bcdedit loop is only an administrator check (bcdedit fails with "Access is denied" for a non-elevated prompt); the actual work is the wevtutil el / wevtutil cl loop, which must run elevated. Note that clearing the logs is itself logged: clearing the Security log writes event ID 1102 and clearing the System log writes event ID 104, so the action leaves a trace.

Anti-Forensics

Anti-Forensics – Delete UserAssist History

Windows Explorer maintains a list of frequently executed programs and opened shortcuts in the UserAssist registry entries. This is achieved by keeping a count of application use and the date and time of last execution in each user's NTUSER.DAT registry hive. UserAssist registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist. Under the UserAssist key there are two subkeys named, …
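Both "Delete UserAssist History" entries above describe what the binary UserAssist values hold (run count and last-execution time, under ROT13-obfuscated value names) without showing the layout. The decoder below is an added example, not code from the original posts: it parses the 16-byte Windows XP layout and the 72-byte Vista/7/8 layout as they are documented in public forensic tooling, and the program path, counts and timestamp it decodes are a constructed sample, not values captured from a real system. The read_live_userassist helper walks the live hive on Windows and is not exercised by the sample.

```python
"""Decode UserAssist value names and binary values (added example)."""
import codecs
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# FILETIME counts 100-ns ticks since 1601-01-01 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def decode_name(value_name: str) -> str:
    """UserAssist value names are the program path/shortcut name under ROT13."""
    return codecs.decode(value_name, "rot13")


def filetime_to_datetime(ft: int) -> Optional[datetime]:
    """Zero means 'never run'; otherwise convert ticks to an aware datetime."""
    if ft == 0:
        return None
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; dt must be timezone-aware."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


@dataclass
class UserAssistEntry:
    program: str
    run_count: int
    last_run: Optional[datetime]
    focus_count: Optional[int] = None   # only present in the Vista/7/8 layout
    focus_time_ms: Optional[int] = None  # only present in the Vista/7/8 layout


def parse_value(value_name: str, data: bytes) -> UserAssistEntry:
    """Parse one UserAssist value.

    XP/2003 (16 bytes): session(4) | count(4) | FILETIME(8); count is stored +5.
    Vista/7/8 (72 bytes): session(4) | run count(4) | focus count(4) |
        focus time ms(4) | 10 floats(40) | unknown(4) | FILETIME(8) | unknown(4).
    """
    program = decode_name(value_name)
    if len(data) == 16:
        _session, count, ft = struct.unpack("<IIQ", data)
        return UserAssistEntry(program, max(count - 5, 0), filetime_to_datetime(ft))
    if len(data) == 72:
        _session, run_count, focus_count, focus_ms = struct.unpack_from("<IIII", data, 0)
        (ft,) = struct.unpack_from("<Q", data, 60)
        return UserAssistEntry(program, run_count, filetime_to_datetime(ft),
                               focus_count, focus_ms)
    raise ValueError(f"unexpected UserAssist value length {len(data)}")


def build_win7_value(run_count: int, focus_count: int, focus_ms: int,
                     last_run: datetime) -> bytes:
    """Constructed 72-byte sample in the Vista/7/8 layout (unknown fields zeroed)."""
    return (struct.pack("<IIII", 0, run_count, focus_count, focus_ms)
            + b"\x00" * 44
            + struct.pack("<Q", datetime_to_filetime(last_run))
            + b"\x00" * 4)


def build_xp_value(run_count: int, last_run: datetime) -> bytes:
    """Constructed 16-byte sample in the XP layout (count stored with +5 offset)."""
    return struct.pack("<IIQ", 0, run_count + 5, datetime_to_filetime(last_run))


def read_live_userassist() -> List[UserAssistEntry]:
    """Walk HKCU\\...\\UserAssist\\<GUID>\\Count on a live Windows system.
    Windows only; values with an unexpected length are skipped."""
    import winreg
    base = r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
    entries: List[UserAssistEntry] = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, base) as ua:
        for i in range(winreg.QueryInfoKey(ua)[0]):
            guid = winreg.EnumKey(ua, i)
            with winreg.OpenKey(ua, guid + r"\Count") as count_key:
                for j in range(winreg.QueryInfoKey(count_key)[1]):
                    name, data, _ = winreg.EnumValue(count_key, j)
                    try:
                        entries.append(parse_value(name, data))
                    except ValueError:
                        pass
    return entries


# Constructed sample: a plausible program path and an arbitrary last-run time.
SAMPLE_PROGRAM = r"{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\Mozilla Firefox\firefox.exe"
SAMPLE_LAST_RUN = datetime(2015, 3, 1, 12, 0, 0, tzinfo=timezone.utc)


def demo() -> UserAssistEntry:
    """Encode the sample name as the registry would store it, then decode it back."""
    obfuscated_name = codecs.encode(SAMPLE_PROGRAM, "rot13")
    return parse_value(obfuscated_name, build_win7_value(7, 3, 45000, SAMPLE_LAST_RUN))


if __name__ == "__main__":
    print(demo())
```

A last_run of None means the FILETIME field was zero, which is how Windows records programs known to Explorer but never launched; those entries are still evidence that the shortcut or path existed, which is why deleting the whole key rather than selected values is the usual approach.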