GigglyFox

GigglyFox Anti Forensics

Windows 10

This section is an extensive anti-forensics guide based on Windows 10; some of the tools may also work on older versions of Windows. All methods have been tested on the latest version of Windows 10.

Device Cleanup Tool

Device Cleanup Tool is important because it removes traces of any USB drives or devices that you have had attached to your system. From a forensic point of view, an examiner can use these traces to place you at the system at the time the device or devices were plugged in.

Device Cleanup

Device Cleanup Tool is available in 64-bit and 32-bit versions. You can find it on Google if you want, but a copy of it hosted on Google Drive is linked here.

For it to work, run it as admin, select the devices you want to remove (or select them all), then right-click and delete. This is an important part of any privacy cleanup.

Windows 10 Jumplist

The Jump List stores recently run programs, which is of interest to a forensic examiner. In Windows 10 it is handled differently from earlier versions.

To disable Jump Lists in Windows 10, follow these simple steps:
Open Settings > Open Personalization > Go to the item titled Start on the left > Disable the option "Show recently opened items in Jump Lists on Start or the taskbar".

Windows 10 Event Logs

In Windows 10, from our understanding, you are forced to keep event logs enabled. If you disable them by opening Run, typing services.msc and disabling the Windows Event Log service, it also disables Wi-Fi, so that on your next reboot your Wi-Fi will not connect.

Here is a batch script that, when run as admin, will wipe the event logs. We recommend using R-Wipe or PrivaZer to wipe the free space on your hard drive after doing this.

@echo off
REM bcdedit prints "Access is denied" when not elevated, so it doubles as an admin check
FOR /F "tokens=1,2" %%V IN ('bcdedit') DO SET adminTest=%%V
IF (%adminTest%)==(Access) goto noAdmin
REM "wevtutil el" lists every event log; clear each one in turn
for /F "tokens=*" %%G in ('wevtutil.exe el') DO (call :do_clear "%%G")
echo.
echo All Event Logs have been cleared!
goto theEnd
:do_clear
echo clearing %1
wevtutil.exe cl %1
goto :eof
:noAdmin
echo Current user permissions to execute this .BAT file are inadequate.
echo This .BAT file must be run with administrative privileges.
echo Exit now, right click on this .BAT file, and select "Run as administrator".
pause >nul
:theEnd
Exit


Copy and paste it into Notepad and save it as Clear_Event_Viewer_Logs.bat. Make sure it is saved with "All Files" selected and not as a text document, otherwise it won't run; then just run it. We recommend running it at startup or before you shut down your system, as you want to clean these logs regularly and they are of high evidential value to a forensic examiner.
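For the other side of the picture, here is an added example (not from the original post) of how a defender spots the script above: clearing a log with wevtutil leaves Event ID 1102 in the Security log and Event ID 104 in the System log, one per cleared log. The records below are constructed samples in a simplified tuple form, not a real export, and the burst detector is an assumed threshold, not a Windows feature.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records as (timestamp, channel, event_id, user, cleared_log).
# Four clears within two seconds are what the wevtutil loop looks like from the
# surviving logs; bob's lone 104 is a single manual clear.
SAMPLE_EVENTS = [
    ("2024-03-01T09:00:01", "System", 7036, "SYSTEM", None),
    ("2024-03-01T09:15:10", "Security", 1102, "alice", "Security"),
    ("2024-03-01T09:15:10", "System", 104, "alice", "Application"),
    ("2024-03-01T09:15:11", "System", 104, "alice", "System"),
    ("2024-03-01T09:15:11", "System", 104, "alice",
     "Microsoft-Windows-PowerShell/Operational"),
    ("2024-03-01T11:40:00", "System", 104, "bob", "Application"),
]

# Security 1102 = "The audit log was cleared"; System 104 = "<log> file was cleared".
CLEAR_EVENTS = {("Security", 1102), ("System", 104)}


def find_log_clears(events):
    """Return every clear event as (timestamp, user, cleared_log)."""
    return [(datetime.fromisoformat(ts), user, cleared)
            for ts, channel, eid, user, cleared in events
            if (channel, eid) in CLEAR_EVENTS]


def find_mass_clears(events, window_seconds=60, min_logs=3):
    """Flag a user who clears at least min_logs distinct logs inside one window.
    A burst like this is the signature of a scripted loop, while a single 104
    may be an administrator clearing one log by hand."""
    by_user = defaultdict(list)
    for ts, user, cleared in find_log_clears(events):
        by_user[user].append((ts, cleared))
    alerts = []
    for user, clears in by_user.items():
        clears.sort()
        for i, (start, _) in enumerate(clears):
            in_window = {c for ts, c in clears[i:]
                         if ts - start <= timedelta(seconds=window_seconds)}
            if len(in_window) >= min_logs:
                alerts.append((user, start, sorted(in_window)))
                break  # one alert per user per burst is enough
    return alerts


if __name__ == "__main__":
    for user, start, logs in find_mass_clears(SAMPLE_EVENTS):
        print(f"{start.isoformat()} {user} cleared {len(logs)} logs: {logs}")
```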

User Assist

Modifying User Assist File

UserAssist is a registry key that keeps track of all programs that were launched at some point on a computer. To disable UserAssist, follow these simple steps:

Open Run by pressing the Windows key + R shortcut combination. Now type regedit and press Enter to launch the Registry Editor.
Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist.
Now expand both of these keys and delete the Count subkey under each:
(a) CEBFF5CD-ACE2-4F4F-9178-9926F41749EA
(b) F4E57C4B-2036-45F0-A9AB-443BCFE33D9F

To view your UserAssist entries, use this free utility:

http://www.nirsoft.net/utils/userassist_view.html

If you have deleted UserAssist, the utility will not show any entries.

Disable Last Access Log

The Last Access log allows people to view the last opened, modified and closed files and folders. Needless to say, if you want to remove your traces from Windows 10, you should disable it.

Open Command Prompt on your computer.
Type the following command and execute it: fsutil behavior set disablelastaccess 1
Now restart your computer for the change to take effect.

File Explorer History

Clear File Explorer History

Windows 10 maintains a detailed record of your entire activity in its repository. Clearing up this history is quite easy.

Here is a batch script to wipe such history:

Del /F /Q %APPDATA%\Microsoft\Windows\Recent\*
Del /F /Q %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\*
Del /F /Q %APPDATA%\Microsoft\Windows\Recent\CustomDestinations\*
REG Delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU /VA /F
REG Delete HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths /VA /F


Windows Timeline

Windows Timeline is another feature that logs your activity on your computer, but it is really simple to disable and clear.

First go to Settings > Privacy > Activity History (on the left) and click Clear under Clear Activity History. Then uncheck all the ticked boxes that say "Let Windows collect my activities from this PC" and uncheck the sync-to-cloud option.

You can also disable Windows Timeline using the registry.

How to disable Windows Timeline using the registry
Use the Windows key + R keyboard shortcut to open the Run command.
Type regedit, and click OK to open the Registry Editor.
Browse to the following path:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\System
Right-click the System (folder) key, select New, and click on DWORD (32-bit) Value.
Name the value EnableActivityFeed and press Enter.
Double-click the newly created value and make sure it is set to 0.
Repeat the previous three steps twice more under the same System key, creating DWORD (32-bit) values named PublishUserActivities and UploadUserActivities, and make sure each of them is set to 0.

After completing the steps, restart your computer, and Timeline should now be disabled. Open Settings> Privacy> Active

How to Delete Timeline History

  • Press CTRL + Alt + Delete from your keyboard to get TaskManager. You could also right click on taskbar, and select TaskManager option.
  • Go to the Services tab, find the CPDUserSvc_7059ce service
    (note that the CPDUserSvc_ might have a different number on the service than 7059ce, as it seems to differ from system to system)
    and right click on it, and choose Stop option from menu.
  • Open the File Explorer, click on the View tab, and check on the Hidden items box in the ribbon.
  • Navigate to the location of the data for the below:

%userprofile%\appdata\local\ConnectedDevicesPlatform
Go inside the ConnectedDevicesPlatform folder, and there are many sub-folders from there.

  • You need to open them one by one and check which one contains the ActivitiesCache.db file.

Once you find ActivitiesCache.db and the other files contained in that folder, use R-Wipe, PrivaZer or some other secure deletion software to delete them one by one.

Windows 10 Network Address Randomize

Windows 10 has a new feature that, if your network adapter supports it, randomizes your MAC address.

Use random hardware addresses

There’s two controls for using random hardware addresses—one is for all Wi-Fi networks and the other is for the specific Wi-Fi network you choose. When you turn it on for all networks, random hardware addresses are used while your PC scans for networks and connects to any network. When it’s turned on for a specific network you choose, random hardware addresses are used the next time you connect to that network.

Use random hardware addresses for all networks:

    Select the Start button, then select Settings > Network & Internet > Wi-Fi .

    Turn on Use random hardware addresses.

Use random hardware addresses for a specific network:

    Select the Start button, then select Settings > Network & Internet > Wi-Fi > Manage known networks.

    Choose a network, then select Properties and choose the setting you want under Use random hardware addresses for this network.

This is a handy feature. When you connect to a public Wi-Fi or any other Wi-Fi network, it is possible that people can scan your MAC address and log it, or that the router logs it by default. This is a problem if you are using a public or open Wi-Fi for activism, because if you give away your original MAC address and your system is later taken for analysis, they can prove that you connected to that network. Changing or spoofing your MAC address is the way to go if you want to maintain privacy.

Alternatively, there is Technitium MAC Address Changer, a freeware MAC address changer.

Windows 10 Thumbnail Cache

  • Press "Windows key + X" and click on "Control Panel".
  • Double-click on "Folder Options".
  • Click the "View" tab.
  • Uncheck the option "Display file icons on thumbnails".
  • Check the option "Always show icons, never thumbnails".
  • Click on Apply and OK.

Windows 10 MUICache

Windows 10 MUICache stores a list of programs that have been run.

To delete it, simply create a batch file and run it every time you need to clean it, using this script.

Open Notepad and enter:

reg delete "HKCR\Local Settings\Software\Microsoft\Windows\Shell\MuiCache" /f

Save it as muiclean.bat and run it as admin.

AppCompatFlags

This is very important and difficult to find but we aim to please

The new location of AppCompatFlags is:

HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store

To delete AppCompatFlags, make a batch file using this code:

reg delete "HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store" /f

Save it as Flags.bat and run it as admin.

AppCompatFlags stores a lot of information about the programs you run.

After you have wiped both AppCompatFlags and MUICache, use NirSoft's ExecutedProgramsList to confirm the program run history is deleted.

Old location in windows

Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted

Registry Key: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store

Persisted seems to be either removed or redundant in Windows 10.

ShimCache

ShimCache stores information about application compatibility.

To delete ShimCache we use another batch script (you know the drill by now): save it as a batch file and run it as admin. If you don't run it as admin, the entries will not be deleted.

reg delete "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache" /f

Amcache, aka Amcache.hve

Amcache keeps a log of every executable run: the full path, the file's Standard Information last modification time, and the disk volume the executable was run from. The first run time is the last modification time of the key.

This one is possible to securely wipe, but it is tricky and a little time consuming. Don't let that put you off.

First you want to enter Safe Mode by:

Pressing the Windows logo key + I on your keyboard to open Settings. If that doesn’t work, select the Start button, then select Settings .
Select Update & Security > Recovery.
Under Advanced startup, select Restart now.
After your PC restarts to the Choose an option screen, select Troubleshoot > Advanced options > Startup Settings > Restart.

After your PC restarts, you’ll see a list of options.
Select 4 or press F4 to start your PC in Safe Mode.
Or if you’ll need to use the Internet, select 5 or press F5 for Safe Mode with Networking.

While in Safe Mode, go to %systemdrive%\Windows\appcompat\Programs (or C:\Windows\appcompat\Programs).

To securely delete it, right-click and wipe it using R-Wipe in the context menu, or just delete the file in PrivaZer or any other secure wiping software.

Next (this step is important, do not skip it):

Open up Notepad, make sure the document is blank (no text), and save it as Amcache.hve in that folder. (I have already done this, so the file Amcache.hve is already there in the screenshot.)

Once you save it, it should be 0 bytes. When you reboot your system there may be a few bytes written to it, so if you want to wipe it again you have to do this every time. When I have some time I will look into creating a tool that will automate this.

The difficulty with Amcache is that the system locks this file, and the only way to delete it securely that we could find is this method.

We could find no other websites that had this information, and this method has been tried and tested on the latest Windows 10.

Erase Windows Recent Items

Save and run this batch script to erase Windows Recent Items (run as admin):

del /F /Q %APPDATA%\Microsoft\Windows\Recent\*
del /F /Q %APPDATA%\Microsoft\Windows\Recent\AutomaticDestinations\*
del /F /Q %APPDATA%\Microsoft\Windows\Recent\CustomDestinations\*
taskkill /f /im explorer.exe
start explorer.exe

Then overwrite the free space on your hard disk using R-Wipe or PrivaZer.

Windows Background Activity Moderator (BAM)

It's a bit of a mouthful, but Windows Background Activity Moderator (BAM for short) provides the full path of each executable file that was run on the system and its last execution date/time.

You will find it in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}

Open Run, enter regedit and hit Enter, then navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam\UserSettings\{SID}

Your SID is a string of numbers and may look like this: S-1-7-29-384728201-328387201-453627298-1001

Once you locate your SID folder, there will be entries similar to the ones shown.

Delete all of the entries that start with \Device\ to delete your BAM history, by right-clicking and selecting Delete on each one. A quicker method is to use a batch script (run it as admin), or run CMD as admin and enter this code:

reg delete "HKLM\SYSTEM\CurrentControlSet\Services\bam\UserSettings\YourSIDGoeshere" /f
timeout /t 6

If this doesn't work, try running regedit using RunAsSystem (which you can find here or here): use Run as System to launch regedit (located at %systemdrive%\Windows\System32\regedt32.exe). Then, I am afraid, you will have to delete each entry one by one.

How to possibly disable BAM? This might be risky, but we have tested it on two Windows 10 systems and it didn't seem to cause any issues for us.

Run regedit and go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\bam. Here you will see a DWORD called Start which is set to 1; set it to 0, save, and restart your system. This will disable BAM. BAM is nasty, and its purpose is to help forensic experts see where and when you ran programs.