Date: Wed, 26 May 2010 01:25:25 +0545
From: Bipin Gautam <>
To: full-disclosure <>
Subject: Stealthier Internet access

The following is a LinkedIn posting from a discussion group. This is just
a random note for archival purposes. I lack the interest to write this
article in detail. The article and content are of poor quality, so
ignore...... :)


Stealthier Internet access

I wrote a small tutorial on something related. This doesnt reflect
anything update topics or cover any current knowledge or belief. I
lack the motivation to improve it so for the curious few, here is it;
[On Wed, Feb 20, 2008]

On Wed, Feb 20, 2008 at 11:45 PM, Bipin Gautam <[EMAIL PROTECTED]>

> Firstly, please don't expect this reply to be a walkthrough on the
> topic... just a small push in the right direction for the curious few,
> if any. As said earlier, this topic is very vague and an in-depth
> explanation is beyond the scope of this text.
> Nevertheless, anonymous and secure communication in the world today is
> still possible; it's just that the bar has been slightly raised… ;)
> Rule 1: hide everything you can, as best you can, all the time, and
> create decoys in the things you are intentionally revealing…
> Let's begin:
> Topic: Anonymous Communication (web, mail)
> 1). OS of choice
> a). anonymos-shmoo.iso, live CD. It is a hardened OS and transparently
> tunnels all your communication via TOR.
>  An OS on a r/w medium leaves a detailed trail of your activities in
> the storage.
> b). Check and disable self-updating components (software, plugins etc.)
> in your OS that might bypass proxy rules or leak confidential
> information. This includes disabling self-updates on your hardware
> firewall. At the OS level, use an application-level firewall. Use
> sniffers to monitor your tools of choice over time and ensure they are
> following proxy/VPN rules.
> 2). Place/means
> a). Behind NAT; better if it is someone else's / a different MAC
> address, auth, IP.
> b). Free hotspot: hotel, office, …..?
> c). Cyber cafe, public computer.
> If it's not a place you own, better.
> Check for CCTV or other logging/monitoring devices around. Appear
> ordinary. Too many unfamiliar windows on your computer screen draw the
> attention of bystanders. Get the idea…
> Technology:
> Consider chaining the anonymity technologies listed below (google them
> in detail). Always ensure one or a few layers of encryption on content
> you are trying to hide, using different tools that follow different
> protocols and use different encryption algorithms to secure your data,
> as you may not want the confidentiality of your entire procedure to
> rely on the strength/weakness of just one tool, one protocol and one
> algorithm. Is the performance and work overhead of using these
> multiple layers worthwhile?
> If you are selecting multiple encryption and hashing algorithms, make
> sure your choice is redundant… i.e. don't just use algorithms approved
> by American standards; consider using European standards as well (eg:
> the Whirlpool hashing algorithm adopted by NESSIE, versus SHA512, an
> American standard, NIST).
> Rijndael (later chosen as AES) was chosen over Serpent (despite the
> added security in Serpent) for performance reasons, though both
> algorithms are similar and neither has a known attack that has broken
> it to date. You may want to use other algorithms as well. In properly
> designed software the encrypted output doesn't leak the name of the
> algorithm used to produce the content, which means an attacker can only
> guess at the tools, protocols and algorithms used to produce the
> content before starting to brute force. Considering 'just this fact' as
> stated above, Truecrypt is better than the PGP disk encryption suite.
> Make sure to hide trivial things like file extensions, meta-data and
> timestamps (?) even with encrypted output.
> -For some, an ssh tunnel to a private mail server listening on loopback
> to access gpg-encrypted mail is enough security... but it might not
> guarantee enough anonymity. Route your traffic through f2f and TOR and
> proxy chaining. Using port knocking to temporarily redirect port 80 to
> 22 locally (example) so that you can access port 22 via proxy chaining
> will add a layer of anonymity. Think creative.
> Research these terms:
> -F2F network (example: Freenet, anoNet)
> -TOR (run in server mode if you use it often; some plausible
> deniability feature, as it is difficult for the attacker to be sure
> whether the traffic being transmitted is generated locally or being
> relayed from another node)
>        TOR servers don't relay standard SMTP traffic by default. But many
> mail providers/servers listen on ports other than the standard one.
> -Proxy Chaining
> -Open SMTP relays, have email accounts on servers in the third world
> -Open Proxy Servers
> Though the above technologies are vulnerable to traffic analysis from
> observers who can watch both ends of a user's connection, and have no
> defence against timing analysis.
> If you can enforce a particular routing of your data across
> predetermined servers, better. Though routing tables can change often.
> It's better if you can ensure your anonymous data is routed across
> several countries with different legal and political jurisdictions
> (rivals!.... better ;)
> Establish a strict protocol between sender and receiver in a way... what
> to use to communicate, how to use it, in what order, and change it every
> few months, including secret keys, private/public keys, passwords etc.,
> and the medium and pattern of communication, including changing email
> addresses etc. Destroy everything you send/receive unless NECESSARY to
> store.
> -Data destruction would mean shredding the storage medium to not
> larger than 1mm and smelting (NIST standard for secure data disposal)
> -Software disk wiping:
>  Wipe the KEY, header of your encrypted storage volume (first few MB,
> ref specific manual). Ref using the Peter Gutmann standard of data
> wiping (35 wipes)
> And wipe the entire storage using U.S. DoD 5200.28-STD (7 wipes)
> OSes keep multiple copies of the partition header and store them in
> different places on the hdd to ensure recovery in case of data
> corruption, virus infection etc. This depends on the file-system used.
> (ref FS and OS specific manual)
> Avoid solid state memory for data storage when possible; prefer
> magnetic storage.
> Note: Though, pen drives (solid state memory) can be quickly hammered
> to pieces and flushed. They are economically very cheap too. Your
> choice of cost vs level of security for data disposal depends on what
> the value of the information you are trying to hide is and how far you
> would go to assure what you are trying to accomplish.
> Don't choose passwords that match your interests, background,
> music, bike, sports, quotes etc. This information can be used to create
> a specific password dictionary for brute force.
>  Using a password (something you know) + key (something you have) is
> better, i.e. two-factor authentication.
> Some ideas for generating/using a secure key:
> •       Generate the SHA hash and MD5 hash of two-three secure passwords
> that are easy to remember and XOR them together, then append or delete
> some characters of the output. Use this final output as your password.
> •       Or how about using the hash of Google's logo as a password,
> starting from byte x to byte y… (avoid file headers, footers). If the
> logo of the search engine changes, ref the search engine cache, etc ;)
> This way you have a secure key but you don't have to store it locally.
> Just remember a few things.
> Get creative about choosing your password. See, you can easily create
> passwords that are easy to remember but difficult to predict/brute
> force. Be cautious while choosing a key/password. If an attacker can't
> attack a design flaw, the second thing they will try to attack is the
> key.
> -       WASTE (ref unofficial release) is a chat and file sharing f2f
> network and supports some degree of anonymity even in standalone use.
> It has some capability of evading traffic analysis by masking the
> channel, sending dummy encrypted traffic to keep the channel 100%
> busy.
> Using a different browser per unique task is good. Say, using Safari to
> access web mail and online transactions, Internet Explorer for trusted
> sites, Firefox for regular searching, and Opera for browsing etc.
> Maintaining separation of duties per browser ensures cookie
> information, even when leaked, can be confined to a particular
> task/interest.
> Embedded content like audio, video, flash, pdf, docs, java, js,
> exploits :P may or may not follow proxy rules. Some applications can't
> be forced to follow proxy rules. They leak vital and unique
> information about your system, browser activity and internal network.
> So know what you've installed, know what is running. Tracking plug-ins
> and their activity can be difficult, be it for your browser, your
> media player, your word processor or your IM.
> Example of how anonymity breaks:
> Suppose you are searching for something anonymously in Google and
> meanwhile you log on to your GMAIL that has your actual identity. Now
> your web search, this Gmail account, and the webpage you visited from
> Google AdSense can all be tied to point to a single person: you! The
> anonymity of your activity is blown right away.
> Further, your web browsing patterns, your topics of interest,
> bookmarks, the time you come online, internet speed, browser and OS
> fingerprint, plugins and features your browser supports, your
> language/interest pattern etc. can all serve as an intelligent
> fingerprint REGARDLESS OF YOUR IP address, and you can be tracked
> uniquely on the internet regardless of the IP.
> Clear cookies and cache as you close your browser window; clearing all
> cache is necessary, not just cookies, as cache can have capabilities
> like those of cookies. Disable auto-reloading content, advertisements
> etc. Things such as messenger ("away" after 5 minutes of inactivity)
> behaviour etc. can leak your uptime, bandwidth utilization etc!
> ( (ask eraser), customize google plugin, noscript)
> Another example:
> There are browser plugins, tools… that can be used to change your user
> agent, but the BAD thing about using such tools is that instead of
> hiding your identity they make you stand out like an ostrich in a
> flock of crows.
> Let me explain: suppose Opera released a critical update to all
> versions of its browser today, so most of the computer users that are
> online with the Opera browser are sure to auto-update their browser
> within a few weeks... but as you are just changing your user agent,
> appearing as some version of Opera, you will stand in front of an
> intelligence analyst like a gentleman who appears to be using Opera,
> but whose user agent dates back to an Opera released 3 years ago;
> unique features of browsers indicate you are forging the user agent
> using the patterns of tool x, which has the Opera user agent with
> version y hard coded, which you are using. Further, an attacker can
> know what plug-ins your browser supports and what browser-specific
> features you have disabled; the combination of all the intelligence
> analysis data can create a unique fingerprint, making the tools you
> used to be more anonymous and more secure backfire, and this
> information can be used by the attacker (Big Brother?) to instead
> create a unique pattern of your identity that makes you less anonymous
> even if you are able to use different IPs all the time.
> Your real IP is something that can be associated with you if
> discovered. But if you use anonymity technology haphazardly you give
> away a unique identity/behaviour pattern that can be as good as
> obtaining your real IP information. Know how to strike the right
> balance… or am I being too paranoid?
> See, intelligence analysis is very hard to fool.
> Anonymous email:
> 1). Encrypt and base64 encode the content securely to guarantee
> point-to-point (p2p) confidentiality.
> 2). While sending and receiving email, force the final output to be
> read as ASCII, as text formats can be OS specific: DOS (CRLF), UNIX (LF)
> and Macintosh (CR), which can leak your OS. Grammar and spelling
> corrections in text can be analyzed to know which version of word
> processor was used to create it; it can leak OS-specific information
> even with normal plain text!
> 3). Re-mailers
> Google: Mixminion / Mixmaster / Cypherpunk remailers
> Basically, they route your email through several mail relay servers of
> your choosing, stripping headers that can leak the source of the email
> as it passes from one server to another. They provide redundancy
> features that can assure delivery of email to a higher degree, and
> employ random delays and random message padding before forwarding the
> message.
> Notes:
> - Don't trust the servers blindly, assuming they will guarantee your
> anonymity needs. Operators have to comply with local law all the time.
> Assume they can be monitored, logged, hacked and bugged. Use other
> intermediate means of anonymity before you choose to use these
> services.
> - Keep message size normal.
> - Consult re-mailer statistics sites to know about the history of the
> operator, the security track record of the OS they use, the country in
> which these servers are situated etc.
> 4). Users should take great care stripping meta data while emailing
> images, audio, video files, documents etc. as they may embed and store
> information within them about the user or system that created/modified
> the file. This information can be retrieved when transmitted and can
> be uniquely associated with you.
>  For example, they might store and leak registered unique IDs of the
> product that created the content, or embed your hardware serial numbers
> (like Ethernet MAC address, CPU info etc.); this information can be
> used to track you down to a country or region where the particular
> sale happened. Microsoft Windows Activation and Microsoft Office… are
> infamous examples.
> 5). Technologies such as f2f networks, open proxies that cross
> different geographical boundaries etc. can be chained together so that
> you can relay your communication through open SMTP relays from China
> :P, free mail servers from the third world where logging, monitoring
> and technical capabilities are primitive, or you could use your own
> SMTP server to route your (encrypted) mail directly to the
> destination. There are online sites that claim to provide disposable
> email addresses for email delivery or retrieval.
>, (Research…)
> Example: [EMAIL PROTECTED] is a common email address. How about you
> write an article about the features of pookmail on dig with a test
> example address, [EMAIL PROTECTED]. While [EMAIL PROTECTED] gets
> thousands of hits, you send your private encrypted content in that
> crowd for delivery to your receiving party. Or how about using
> steganography and posting secret content to a website/forum, embedding
> it in pornography? This can act as a drop zone. The content can be
> retrieved by the receiving party.
> Think creative… it's not necessary that text communication should
> happen through @email_address! You could use a free file upload server
> to accomplish the same. Upload 10 files of similar size using
> steganography. Embed one video with the encrypted content and the
> rest, 9 videos, with just random data (decoy). The receiver who knows
> the key can easily extract the encrypted content while an attacker
> will have to try and brute force all the obtained files. Similar can
> be used for encrypted volumes.
> 6). While sending anonymous email make sure trivial things like the
> X-Mailer string and your time zone (GMT) don't get leaked, or best,
> are forged if intentionally leaked. Version info of the encryption
> technology you use can sometimes serve as an advantage to the
> attacker. Example: the GPG software version you are using can leak
> from your public key.
> Conclusion:
> Anonymous and secure communication is not just about using the right
> tools, and it's not just about focusing on the application layer, link
> layer, bla… bla….:P
> It's about truly knowing what you are doing in fine detail.
> Flexibility and security are always like the opposite ends of a
> see-saw.
> There are many things I skipped which are beyond the scope of this
> email, but this should be a good push for the curious starters. All I
> recommend you prioritize is the right intelligence and an in-depth
> understanding of the subject matter over any tools or technologies,
> because no matter what technologies you use, they only stand a slim
> chance against intelligence analysis in the right direction.
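The "Anonymous email" steps in the quoted text (encrypt and base64 the body, force ASCII so DOS/Unix/Mac line endings don't betray the OS, leave out X-Mailer and the local-timezone Date) can be made concrete. The following is an added example written for this archive page, not code from the original post or from any tool it names; the ciphertext and the draft text are constructed placeholders, and the list of "leaky" headers is an assumption about which headers fingerprint a sender, not an exhaustive one.

```python
"""Outgoing-mail normalisation along the lines of the quoted steps:
detect OS-revealing line endings, force plain ASCII with LF line ends,
base64 the already-encrypted payload, and keep only the headers the
transport needs. Added example; ciphertext below is a placeholder."""
import base64
from email import policy
from email.message import EmailMessage

# Headers that fingerprint the sending software, clock or network (assumed
# list). A minimal message simply never sets them; a remailer re-adds Date.
LEAKY_HEADERS = ("X-Mailer", "User-Agent", "X-Originating-IP", "Date",
                 "Message-ID", "Organization", "X-Priority", "Received")


def line_ending_profile(text: str) -> dict:
    """Count CRLF, bare LF and bare CR terminators in a text body."""
    crlf = text.count("\r\n")
    return {"CRLF": crlf,
            "LF": text.count("\n") - crlf,
            "CR": text.count("\r") - crlf}


def os_hint(text: str):
    """The OS family a dominant line-ending style points at (None if no
    terminators at all). This is what the analyst on the other side does."""
    prof = line_ending_profile(text)
    if not any(prof.values()):
        return None
    style = max(prof, key=prof.get)
    return {"CRLF": "DOS/Windows", "LF": "Unix", "CR": "classic Mac OS"}[style]


def normalize_text(text: str) -> str:
    """Rewrite every terminator to LF and drop non-ASCII characters, so the
    text carries no line-ending or code-page hint about the author's OS."""
    text = text.replace("\r\n", "\n").replace("\r", "\n")
    return text.encode("ascii", "ignore").decode("ascii")


def build_message(ciphertext: bytes, sender: str, recipient: str) -> EmailMessage:
    """Wrap ciphertext as a base64 text body with a minimal header set."""
    msg = EmailMessage(policy=policy.default)
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "(no subject)"
    # encodebytes wraps at 76 columns with LF; normalize_text keeps it so,
    # and a pure-ASCII body under 78 columns gets a 7bit transfer encoding.
    msg.set_content(normalize_text(base64.encodebytes(ciphertext).decode("ascii")))
    return msg


def leaked_headers(msg: EmailMessage) -> list:
    """Which of the fingerprinting headers the message still carries."""
    return [h for h in LEAKY_HEADERS if h in msg]


def recover_payload(msg: EmailMessage) -> bytes:
    """What the receiving party does before decrypting: un-base64 the body."""
    return base64.b64decode(msg.get_content())


if __name__ == "__main__":
    draft = "Meet at the usual place.\r\nBring the key.\r\n"  # constructed, CRLF as a Windows editor writes it
    print("draft line endings hint at:", os_hint(draft))
    ciphertext = b"\x8f\x11constructed-ciphertext-bytes\x00\xfe"  # stands in for real encryption output
    m = build_message(ciphertext, "nobody@example.invalid", "drop@example.invalid")
    print("leaky headers left:", leaked_headers(m))
    print(m.as_string())
```

Note that this only controls what the message itself says about you; the SMTP hop that accepts it still adds Received headers with the submitting IP, which is why the quoted text pairs it with remailers and proxy chains.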

Browser Extensions:
Customize FF: disable all auto updates, and in about:config you may want
to remove any third-party URLs that start with the keywords google,
yahoo etc...

Useful plugins: Private Browsing, NoScript, User Agent Switcher,
RefControl, Ghostery, CookieSafe, Optimize Google, Close n forget,
Better Privacy, Adblock Plus (disable plugins' autoupdate features as

On a related note, a paper from EFF published just recently shares a
similar notion.

From open source, only a rare few people like Henrik Gemal ( ) are known
to have had early knowledge (~1999) of this topic.

May 17th, 2010

Web Browsers Leave 'Fingerprints' Behind as You Surf the Net
EFF Research Shows More Than 8 in 10 Browsers Have Unique, Trackable Signatures

San Francisco - New research by the Electronic Frontier Foundation
(EFF) has found that an overwhelming majority of web browsers have
unique signatures -- creating identifiable "fingerprints" that could
be used to track you as you surf the Internet.

The findings were the result of an experiment EFF conducted with
volunteers who visited . The website
anonymously logged the configuration and version information from each
participant's operating system, browser, and browser plug-ins --
information that websites routinely access each time you visit -- and
compared that information to a database of configurations collected
from almost a million other visitors. EFF found that 84% of the
configuration combinations were unique and identifiable, creating
unique and identifiable browser "fingerprints." Browsers with Adobe
Flash or Java plug-ins installed were 94% unique and trackable.

"We took measures to keep participants in our experiment anonymous,
but most sites don't do that," said EFF Senior Staff Technologist
Peter Eckersley. "In fact, several companies are already selling
products that claim to use browser fingerprinting to help websites
identify users and their online activities. This experiment is an
important reality check, showing just how powerful these tracking
mechanisms are."

EFF found that some browsers were less likely to contain unique
configurations, including those that block JavaScript, and some
browser plug-ins may be able to be configured to limit the information
your browser shares with the websites you visit. But overall, it is
very difficult to reconfigure your browser to make it less
identifiable. The best solution for web users may be to insist that
new privacy protections be built into the browsers themselves.

"Browser fingerprinting is a powerful technique, and fingerprints must
be considered alongside cookies and IP addresses when we discuss web
privacy and user trackability," said Eckersley. "We hope that browser
developers will work to reduce these privacy risks in future versions
of their code."

EFF's paper on Panopticlick will be formally presented at the Privacy
Enhancing Technologies Symposium (PETS 2010) in Berlin in July.

For the full white paper: How Unique is Your Web Browser?:

For more details on Panopticlick: ...

For more on online behavioral tracking:
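The press release above gives the result (84% of configurations unique, 94% with Flash or Java) but not the arithmetic behind "unique, trackable signatures". The following added example, written for this page and not part of EFF's code or data, shows the two measures such a study uses: the surprisal of each attribute value, -log2 of its frequency, and the share of visitors whose combined fingerprint is unique. The ten-visitor population is constructed for illustration, so its percentages are not EFF's; the attribute names and the "plugins withheld" model of a JavaScript-blocking browser are assumptions.

```python
"""Identifiability of browser fingerprints, Panopticlick-style: each
attribute a site can read carries -log2 P(value) bits of surprisal, and a
visitor is trackable when the combined tuple is unique in the population.
Added example over a small constructed population."""
import math
from collections import Counter

# Constructed population: (user_agent, screen, timezone_offset_min, plugins)
VISITORS = [
    ("Firefox/3.6 Windows", "1280x800x24",  "-300", "Flash 10,Java 6,Acrobat 9"),
    ("Firefox/3.6 Windows", "1280x800x24",  "-300", "Flash 10,Java 6"),
    ("Firefox/3.6 Windows", "1024x768x32",  "-300", "Flash 10,Java 6,Acrobat 9"),
    ("IE 8 Windows",        "1024x768x32",  "-300", "Flash 10,Java 6,Silverlight 3"),
    ("IE 8 Windows",        "1024x768x32",  "-300", "Flash 10,Java 6,Silverlight 3"),
    ("Safari/4 Mac",        "1440x900x24",  "-480", "Flash 10,QuickTime 7"),
    ("Safari/4 Mac",        "1440x900x24",  "-480", "Flash 10,QuickTime 7"),
    ("Firefox/3.6 Linux",   "1280x1024x24", "60",   ""),  # JavaScript blocked: no plugin list
    ("Firefox/3.6 Linux",   "1280x1024x24", "60",   ""),
    ("Firefox/3.6 Linux",   "1280x1024x24", "60",   ""),
]
ATTRS = ("user_agent", "screen", "timezone", "plugins")


def surprisal_bits(attr, value, population=VISITORS):
    """Self-information of one observed value: -log2 of its frequency."""
    i = ATTRS.index(attr)
    matches = sum(1 for v in population if v[i] == value)
    return -math.log2(matches / len(population))


def identifying_bits(visitor, population=VISITORS):
    """Sum of per-attribute surprisals. An upper bound only: attributes are
    correlated (plugin lists follow the OS), so the joint entropy is lower."""
    return sum(surprisal_bits(a, visitor[i], population) for i, a in enumerate(ATTRS))


def fingerprint(visitor, use_plugins=True):
    """The tuple a site can assemble; a NoScript-style visitor withholds plugins."""
    return visitor[:3] + ((visitor[3],) if use_plugins else ())


def anonymity_set(visitor, population=VISITORS, use_plugins=True):
    """How many visitors share this fingerprint (1 means uniquely trackable)."""
    fp = fingerprint(visitor, use_plugins)
    return sum(1 for v in population if fingerprint(v, use_plugins) == fp)


def fraction_unique(population=VISITORS, use_plugins=True):
    """Share of visitors whose fingerprint occurs exactly once."""
    counts = Counter(fingerprint(v, use_plugins) for v in population)
    unique = sum(1 for v in population if counts[fingerprint(v, use_plugins)] == 1)
    return unique / len(population)


if __name__ == "__main__":
    for attr, value in zip(ATTRS, VISITORS[0]):
        print("%-10s %-28s %.2f bits" % (attr, value or "(none)", surprisal_bits(attr, value)))
    print("visitor 0 total: %.2f bits, shares fingerprint with %d visitor(s)"
          % (identifying_bits(VISITORS[0]), anonymity_set(VISITORS[0])))
    print("unique with plugin list: %.0f%%" % (100 * fraction_unique()))
    print("unique without plugin list: %.0f%%" % (100 * fraction_unique(use_plugins=False)))
```

The point the numbers make is the one in the quoted 2008 text and in EFF's result: the plugin list is the single most identifying attribute, so an otherwise common browser becomes unique once Flash or Java reports its version, while the visitors who block scripts collapse into one anonymity set.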

(Here are a few basic bookmarks to improve stealthier internet access for Windows)

Scan for missing system updates (Shortcoming: lacks a CLI version)

The Secunia PSI is a FREE security tool designed to detect vulnerable
and out-dated programs and plug-ins which expose your PC to attacks.
Microsoft Windows fixes 16-year-old vulnerability; ref its mitigation section
(Harden Windows to a minimum configuration)
nLite allows you to customize your installation of Windows XP, Windows
2000, or Windows 2003. You can integrate service packs and hotfixes.
Bart's Preinstalled Environment (BartPE) bootable live Windows CD/DVD
Preventing USB devices spreading viruses

Change permissions of the driver folder and critical autorun registry
entries to Everyone:R (cacls, regedit)
Easy software to prevent Windows listening on ports 135, 445, 137-139,
UPnP and the Messenger port

Anti-keylogger test
Here are a few bookmarks that readers might want to explore further:

(Windows checks the digital signature of an installer it executes, and
the certificate revocation lookup that goes with that check reveals the
installation of a specific piece of software on the user's system to
the Certification Authority, such as Symantec, compromising privacy;
never trust a CA blindly, a cert from a public CA is weak security)
(Basic monitoring) (Autoruns, Process Explorer, TCPView, ShareEnum)

Startup programs and removing them
Use an anonymous computer/NetBIOS name during OS setup and during software
installation

Disable unnecessary Windows services (disable SSDP/UPnP, Windows
client, auto update, BITS, system restore, remote registry, Windows
time, TCP over NetBIOS, indexing, help and support etc.)
Use application isolation, and use software restriction policy in a
sandbox dir
Prefer using portable applications in a jailed, user-privilege-only,
locked-down read-only mode.
Use a third-party manual software uninstaller to monitor registry and fs
modifications over time.
Free antivirus:
Online antivirus scanner

Online port scanner (to check your firewall for leaks from outside)
QEMU: don't use virtual machine acceleration; use pure software
emulation, run QEMU as an unprivileged user, and emulate a guest
architecture distinct from the host's (i.e. anything EXCEPT x86 on an
x86 host) for added security / to delay an attack, since a guest-to-host
escape then also has to cross an architecture boundary.

QEMU is able to not just emulate a full system, but also to run a
normal program that was compiled for another architecture. This is
done when it cannot be recompiled because the source code is
unavailable, or when the program's architecture does not permit
running it under all architectures

* Free, fast-booting Linux distros that aren't Chrome OS
(Recommended: Moblin, Jolicloud)

(Google Chrome OS follows good security practice, but the OS has a bad
privacy track record)
Packet capturing tool:
Core Force was the best personal firewall for Windows.

Untangle provides a powerful suite of Internet management applications
for small-to-medium businesses and education institutions.
Do web-facing activity inside a VM; still, a tutorial on stealthier
internet access from the Windows OS is beyond the scope of this text.

In other news, DARPA looks for stealthier Internet access

In particular, DARPA is interested in technologies that “allow
anonymous Internet communications to bypass techniques that suppress,
localize and/or corrupt information.”

The technologies the Defense Department is interested in circumventing
include IP-address filtering or "blocking," which can deny user
access; Domain Naming Service hijacking, which redirects a user to a
different Web site or service from what the user intended; and content
filtering, which captures and analyzes the content of the user's
network traffic through deep packet inspection.

The Safer Warfighter Communications (SAFER) program (DARPA-BAA-10-69)
covers applications such as instant messaging, electronic mail, social
networking, streaming video, voice over IP and video conferencing.
DARPA’s particular technical areas of interest include measurement,
circumvention and testbed and evaluation support.

However, these same tools could also be used by “those determined to
get around measures designed to thwart copyright violators and
extreme-porn aficionados,” wrote Lewis Page in a story posted by U.K.
publication The Register.

Non-Classical Computer Forensics

Windows forensics/anti-forensics is another important topic which is an
ocean on its own but sadly beyond the scope of this text. ( )

Anti-Forensics Intro
Lack of evidence is also evidence
Magnetic Storage
Hard Disk
Data Hiding
Bad Cluster
Negative Disk
Slack Space
Alternate Data Streams (with examples for all)
ATA-3 mode
Data Wiping
ZIP drive and Floppy Disk
Recording and wiping

Solid State Memory
Wear Levelling

Cryptography (30 pages at least)
Digital Signature, executable file
Bruteforce, other backdoor/program flaws (random number generation, key initialization etc.)

File/Disk Encryption
Encrypted hdd
PGP Disk
TrueCrypt
openssl features
FUSE (userland file system)
Firefox browser plug-in for file encryption.

Remote Storage
File Hosting Servers
Remote Backup Servers
Web Hosting

Undelete Data

Secure Data Wiping
Quick Erase
Disk and Memory
dd, shred.exe, bcwipe, floppy auto-wipe hdd (tool)
Hibernation File, Page File, NTUSER.dat, REGISTRY, Temp directory
Internet/Email History
Discuss all popular Browsers
Slack Space


Meta Data
EXIF description

Document File (PDF/DOC)
Meta Data
Revision history
MAC address in document from computer of origin

Other file Formats
DRM, Call back Home
Proprietary Formats

Watermarking
Harry Potter book example

Picture, Audio, Video, Executables (-ve operation)
Covert Channel TCP/IP and more


Cellphone Forensics
Mobile logs, data, SMS, communication, tracking/location,
IMEI, SIM, encrypted SMS/MMS, wipe mobile OS, prepaid SIM,
change IMEI of mobile through software/hardware, tools etc.


 Some software in the OSS that are rugged/modular designs.

Applications like Sumatra PDF Reader ( ), multi-messenger
clients like,, as download manager,,
to handle office documents, should be run inside a VM whenever
possible. Questionable documents from third parties should be opened as
Google cache (if a publicly accessible web document, syntax "cache: ", or mailed to yourself in Gmail
and viewed as HTML or in Google Docs).

Documents in multiple file formats can be converted and viewed
online from just a browser. Like google "Online PDF to HTML
Conversion". Even audio and video files from untrusted sources can be
equally dangerous. You can neutralize such attacks by first uploading
such audio, video or document files to an intermediate service
provider for online file format conversion (at the cost of handing the
file's contents to that service). They provide free services to
convert, say, received flv-encoded content to .wmv output, to be viewed
as wmv instead. There are plenty of web services that provide such a
facility. The output wmv file should be opened instead of the original
flv. Files received from untrusted third parties should only be opened
after such normalization to mitigate attack vectors.
 anti-virus (very buggy) as a manual AV scanner, to handle archives are also nice tools.

IMPORTANT: When you are done with "experiments" and have settled on a
preference, create a checklist of your knowledge and start a CLEAN,
configured installation of your OS.

A free open source disk imager

How many hours did you spend setting up your Windows system?
Setting up the operating system, installing programs, customizing to
your personal needs. Do you want to be protected against hard disk
failures, viruses or other malware? Just restore your system within
minutes. Why spend money on a commercial solution? ODIN supports
snapshots, can be run from the command line or with a GUI, and runs on
32-bit and 64-bit operating systems.

(Later, when you restore the image, run a one-time update on all
software and installation modules from the previous backup to assure
the latest protection via manual or automatic updates.)
Move on from Antivirus to Application whitelists solutions:

(Windows XP Security Checklist)

Windows Secure Build Checklist

DoD General Purpose STIG, Checklist, and Tool Compilation CD

Windows XP Baseline Security Checklists

Checklist: Securing your computers using Security Configuration Manager


[This is IMPORTANT] For the audience who are experiencing the 'Avatar' blues...

So, are you experiencing Windows blues with these new tools
and their LOOKS? Here is a little therapy...

So if you are experiencing 'Windows Media Player' blues, you can
always do a makeover of VLC Player with a Windows Media Player-like skin

There are also "MSN Messenger-like" skins for Miranda & Pidgin IM, to
get over MSN Messenger blues.

To get over IE blues, you can make Firefox look like Internet Explorer 7

Ok, finally, to use Linux that looks like Windows, but secure... there

FF: search-engine auto-suggest, and the "reported attack website" and
"web forgeries" checks are bad features from a privacy perspective.
Recommendations: delete the inbuilt zip manager & WordPad-like software
using nLite or XPlite ( )

Here is a customized_nlite_session for you as a sample for a jump start
Have you ever wanted to remove Windows components like Media Player,
Internet Explorer, Outlook Express, MSN Explorer, Messenger... How
about not even installing them with Windows?

nLite is a tool for pre-installation Windows configuration and
component removal at your choice. Optional bootable image ready for
burning on media or testing in virtual machines. With nLite you will
be able to have Windows installation which on install does not
include, or even contain on media, the unwanted components.


Disable sending of AV quarantine files and fs scan reports to the AV
vendor. They leak your OS directory structure.

Map your Desktop and My Documents folders into an encrypted TrueCrypt
volume, use TrueCrypt full-hdd encryption, or use a Seagate encrypted hdd.
Program used to create one's own CD, with all the personalizations one likes.
The main feature being the inclusion of anonymity and security tools
such as Tor by default.

Cygwin is a Linux-like environment for Windows.
Windows volume serial number:

Forensic analysis of the Windows registry:

Registry Quick Find

Registry Viewer
Picture forensics:

Vinetto is a forensics tool to examine Thumbs.db files.


Windows logs every mounted USB storage device under the USBSTOR
registry key, keyed by vendor/product ID and the device's serial
number. It can be used to establish whether a particular pen drive /
USB device has ever been inserted into a computer.

Delete USB device history from the Windows registry (USBSTOR key) and
the setupapi.log
Preventing SSL Traffic Analysis with Realistic Cover Traffic

In your email client, disable automatic display of pictures as
attachments and disable HTML email.

Third-party closed-source device drivers are security issues
Change your online nick/identity often
AtomicParsley is a lightweight command line program for reading,
parsing and setting metadata into MPEG-4 files supporting these styles
of metadata:
iTunes-style metadata into .mp4, .m4a, .m4p, .m4v, .m4b files
3gp-style assets (3GPP TS 26.444 version 6.4.0 Release 6 specification
conforming) in 3GPP, 3GPP2, MobileMP4 & derivatives
ISO copyright notices at movie & track level for MPEG-4 & derivative files
uuid private user extension text & file embedding for MPEG-4 & derivative file
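The outline above lists EXIF metadata among the things to scrub, and the AtomicParsley entry describes editing tags inside an MP4 container; both come down to walking a container's segments and dropping the ones that carry metadata. As an added example for this page (not code from the original post, from AtomicParsley, or from any scrubber the page names), the following walks a JPEG's marker segments and removes the APP1 (Exif/XMP), APP13 (Photoshop/IPTC) and COM segments while leaving the segments a decoder needs. The input is a constructed marker skeleton built from valid segment headers, not a real photo, and which markers count as "metadata" is a choice stated in the code.

```python
"""Strip Exif/XMP (APP1), Photoshop/IPTC (APP13) and COM segments from
a JPEG by walking its marker structure. Added example; SAMPLE_JPEG is a
constructed skeleton with valid segment headers, not a real image."""
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# Markers that carry no length field: TEM, RST0-7, SOI, EOI.
STANDALONE = {0x01, SOI, EOI} | set(range(0xD0, 0xD8))
# Metadata carriers to drop. APP0 (JFIF), APP2 (ICC) and APP14 (Adobe)
# are kept because decoders use them for geometry and colour handling.
STRIP = {0xE1, 0xED, 0xFE}


def segments(data: bytes):
    """Yield (marker, start, end) for each segment up to and including SOS.
    Everything after SOS (entropy-coded scan data, then EOI) is yielded as
    one unparsed tail with marker None; it contains no metadata segments."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    yield SOI, 0, 2
    pos = 2
    while pos < len(data):
        start = pos
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes may precede a marker
            pos += 1
        if pos == start or pos >= len(data):
            raise ValueError("expected marker at offset %d" % start)
        marker = data[pos]
        if marker in STANDALONE:
            yield marker, start, pos + 1
            pos += 1
            if marker == EOI:
                return
            continue
        (length,) = struct.unpack(">H", data[pos + 1:pos + 3])  # length includes its own 2 bytes
        end = pos + 1 + length
        yield marker, start, end
        pos = end
        if marker == SOS:
            yield None, pos, len(data)
            return


def metadata_markers(data: bytes) -> list:
    """Which metadata segments (by marker byte) the file still contains."""
    return [m for m, _, _ in segments(data) if m in STRIP]


def strip_metadata(data: bytes, strip=STRIP) -> bytes:
    """Copy every segment except the metadata carriers, byte for byte."""
    out = bytearray()
    for marker, start, end in segments(data):
        if marker not in strip:
            out += data[start:end]
    return bytes(out)


def _seg(marker: int, payload: bytes) -> bytes:
    """Build one length-prefixed segment (used only to construct the sample)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: SOI, JFIF APP0, an Exif APP1, a COM, DQT, SOF0, DHT,
# SOS with a few stuffed scan bytes, EOI. The tag contents are placeholders.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _seg(0xE1, b"Exif\x00\x00MM\x00*" + b"constructed camera/GPS tags")
    + _seg(0xFE, b"Edited on my workstation")
    + _seg(0xDB, b"\x00" + bytes(64))
    + _seg(0xC0, b"\x08\x00\x10\x00\x10\x01\x01\x11\x00")
    + _seg(0xC4, b"\x00" + bytes(16))
    + _seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print("before:", ["%02X" % m for m in metadata_markers(SAMPLE_JPEG)])
    cleaned = strip_metadata(SAMPLE_JPEG)
    print("after: ", ["%02X" % m for m in metadata_markers(cleaned)],
          "size %d -> %d" % (len(SAMPLE_JPEG), len(cleaned)))
```

Two caveats a practitioner would want: thumbnails embedded inside the Exif block go away with APP1, which is the desired effect, but the quantization tables (DQT) that remain are themselves a weak fingerprint of the encoder that produced the file, so re-encoding rather than segment surgery is the stronger option when the source software must not be inferable.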

DocuColor Tracking Dot Decoding Guide

FTC Investigating Privacy Risks of Digital Copiers

Use "isoinfo" in Linux to get any forensic info left on a CD

Nero keeps a log of burned CDs at: \Program Files\Ahead\Nero\NeroHistory.log
It contains info about the physical memory, CDs burned, CD size,
hardware device used to burn the CD etc.

Burning CDs and DVDs can leak the manufacturer of your CD/DVD media (and
of the drive used to burn it):

CD-R Manufacturer Code

CDR ATIP Reader reads information from the CD-R/RW media ATIP section and
outputs it for the user in a raw binary data view, a field values view and
a translated view. That information can contain the media manufacturer
name, disc type and additional information.



HSF54  >> Radio Frequency / Microwave / EMF Shielding Paint <<


Visualizing Online Social Networks

Inferring and Visualizing Social Networks on IRC

Protecting Secure Facilities with Sound Masking
(Only communication in either plain text or encrypted)
Removing Sensitive Data from Documents (Microsoft Word/Excel/ppt, pdf)

Microsoft Word Metadata Scrubber

Open office:

(Anti forensic)


Steganography & Data Hiding - Links & Whitepapers :

Steganography, Steganalysis, & Cryptanalysis

NTFS hidden data analysis:

Password Recovery Speeds
This document shows the approximate amount of time required for a
computer or a cluster of computers to guess various passwords.

Full Disk Encryption: What It Can And Can't Do For Your Data

Darik's Boot and Nuke
("DBAN") is a self-contained boot disk that securely wipes the hard
disks of most computers. DBAN will automatically and completely delete
the contents of any hard disk that it can detect, which makes it an
appropriate utility for bulk or emergency data destruction.

An Overview of Steganography for the Computer Forensics Examiner

Pentagon sets its sights on social networking websites
“I AM continually shocked and appalled at the details people
voluntarily post online about themselves.” So says Jon Callas, chief
security officer at PGP, a Silicon Valley-based maker of encryption
software. He is far from alone in noticing that fast-growing social
networking websites such as MySpace and Friendster are a snoop’s

I Spy: Amateur satellite spotters can track everything government
spymasters blast into orbit. Except the stealth bird codenamed Misty.
Spy satellites in the sky: For America, having others know the precise
time its eyes will be overhead poses a huge strategic problem. India's
nuclear tests in the Rajasthan desert in 1998 caught US intelligence
unawares because the Indians had ascertained the orbits of US
satellites and hid their operations accordingly.


Application Whitelisting: Allow Known Good to Prevent the Bad

In the days following the recent IE vulnerability (Aurora) attacks,
Gartner’s Neil MacDonald advised, "Application whitelisting at the
endpoints would have stopped these attacks." Shortly after, companies
targeted by this attack chose Bit9 – named 2010 Technology of the Year
by InfoWorld – to protect their systems.

A Microsoft Word document of SCO's suit against DaimlerChrysler, seen
by CNET, originally identified Bank of America as the
defendant instead of the automaker. This revision and others in the
document can be seen through powerful but often forgotten features in
Microsoft Word known as invisible electronic ink.
A feature in the word-processing software tracks changes to documents,
who made those changes, and when they were made.

Geotagging invades privacy (Flickr, Twitter, Facebook, Picasa all bad):
The prices for GPS receivers have eroded. Even my iPhone has one
already built in. It takes photographs and automatically attaches GPS
data. Jobo and other accessory makers have developed GPS receivers
that record a location every time you press the shutter release button
on your camera, allowing you to combine them later on your PC. For
several years, I used to carry a small Garmin GPS, recording track
logs and using programs like JetPhoto Studio, Google gpicsync or
Microsoft Location Stamper to put the GPS data into my digital files.
Geotagging is now a mainstream technology and is more popular than

How to Geotag Your Photos :

Privacy nightmare: Geotagging in Twitter goes live

Cropping Pictures with Adobe Photoshop Can Be Dangerous

Photo Studio
Photo Studio is also a useful tool for exploring the metadata stored
along with your image files. The program supports a wide variety of
metadata standards, including EXIF, CIFF, Olympus, JFIF and
Photoshop. EXIF data will be of particular interest to digital camera
users - it is the format used by most digital cameras to store camera
settings along with an image.

The tool also has basic support for some movie formats - AVI and
QuickTime/JPEG, as recorded by some older digital cameras. The tool
can play back, as well as extract video, audio and stills from these

TEMPEST is an official acronym for "Telecommunications Electronics
Material Protected From Emanating Spurious Transmissions" and includes
technical security countermeasures, standards, and instrumentation,
which prevent (or minimize) the exploitation of security
vulnerabilities by technical means. TEMPEST is nothing more than a
fancy name for protecting against technical surveillance or
eavesdropping of UNMODIFIED equipment (the unmodified part is

Video eavesdropping demo at CeBIT 2006

ACK Tunneling Trojans

Zfone™ is a new secure VoIP phone software product which lets you make
encrypted phone calls over the Internet. :

OpenID is a privacy risk

Keys Can be Copied From Afar, Jacobs School Computer Scientists Show
San Diego computer scientists have built a software program that can
perform key duplication without having the key. Instead, the computer
scientists only need a photograph of the key!

How to use your PC and Webcam as a motion-detecting and recording
security camera

MadMACs: MAC Address Spoofing And Host Name Randomizing App For Windows

Serious issue: block UPnP and "Windows Time", time synchronization for Windows.

Surf Jack – HTTPS will not save you

reDuh - TCP Redirection over HTTP
reDuh is actually a tool that can be used to create a TCP circuit
through validly formed HTTP requests. Essentially this means that if
we can upload a JSP/PHP/ASP page on a server, we can connect to hosts
behind that server trivially.


In 1992 as a quick hack, I happened to demonstrate that you can send
TCP packets with bad checksums (subtract 1), which provides a
near-invisible "covert channel" that penetrates everywhere with very
low probability of detection or interception.  This channel is still
wide open, and a far better channel than stego-over-VoIP for the same
target devices.
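The bad-checksum channel above only works because an endpoint's TCP stack silently discards a segment whose checksum fails, so nothing in the application layer ever sees it. A network sensor that recomputes the checksum itself does see it. The following is an added example, not code from the original post or from the person quoted: it implements the standard RFC 793/RFC 1071 checksum arithmetic over constructed IPv4/TCP segments (the 10.0.0.x addresses, ports and flags are made up) and reports any segment whose stored checksum does not verify, which is exactly what a detector for this channel has to do.

```python
"""Added example: verify TCP checksums to spot the bad-checksum covert channel.

All packets here are constructed in memory; nothing is sent on the wire.
"""
import ipaddress
import struct

TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum((data[i] << 8) | data[i + 1] for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header that RFC 793 prepends to the segment for checksumming."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum a sender should place in bytes 16-17 of the TCP segment."""
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]   # field is zero while computing
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)) & 0xFFFF


def build_segment(src_ip, dst_ip, sport, dport, seq, ack, flags, window,
                  payload=b"", checksum=None) -> bytes:
    """Minimal 20-byte TCP header (no options) plus payload; checksum is
    computed unless an explicit (possibly wrong) value is supplied."""
    header = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, window, 0, 0)
    segment = header + payload
    if checksum is None:
        checksum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", checksum) + segment[18:]


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Receiver-side check: the one's complement sum over pseudo-header plus
    the whole segment, checksum field included, must come out as 0xFFFF."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def find_bad_checksums(packets):
    """packets: iterable of (src_ip, dst_ip, segment).
    Returns [(index, stored_checksum, expected_checksum)] for every segment
    that a receiving stack would drop. A run of these between the same two
    hosts is the signal the text describes; a stray one is usually NIC
    checksum offload seen on the sending host's own capture."""
    bad = []
    for i, (src, dst, seg) in enumerate(packets):
        if not checksum_ok(src, dst, seg):
            stored = struct.unpack("!H", seg[16:18])[0]
            bad.append((i, stored, tcp_checksum(src, dst, seg)))
    return bad


# Constructed sample traffic: one well-formed SYN and one "subtract 1" variant.
SRC, DST = "10.0.0.1", "10.0.0.2"          # made-up addresses
GOOD = build_segment(SRC, DST, 40000, 443, 1, 0, 0x02, 65535)
COVERT = build_segment(SRC, DST, 40000, 443, 1, 0, 0x02, 65535,
                       checksum=(tcp_checksum(SRC, DST, GOOD) - 1) & 0xFFFF)
SAMPLE = [(SRC, DST, GOOD), (SRC, DST, COVERT)]

if __name__ == "__main__":
    for idx, stored, expected in find_bad_checksums(SAMPLE):
        print(f"segment {idx}: stored checksum 0x{stored:04x}, expected 0x{expected:04x}")
```

On a real capture the `(src, dst, segment)` tuples come from the IPv4 header and the IP payload; the check is the same. One caveat for anyone running this against a pcap taken on the sending host: with checksum offload enabled the kernel hands the NIC segments whose checksum field is not yet filled in, so those show up as "bad" too, and a detector should either capture on a separate sensor or whitelist the local host's outbound traffic.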

Why Skype is evil


(Timestomp and Slacker are poor PoCs from an anti-forensic perspective)

Basic Windows Anti-forensics:

What is Social Engineering ?
Basically, social engineering is the art and science of getting people
to comply with your wishes. It is not a way of mind control, it will not
allow you to get people to perform tasks wildly outside of their
normal behaviour and it is far from foolproof.

Open Source Intelligence - OSINT

Maltego is an open source intelligence and forensics application. It
will offer you timeous mining and gathering of information as well as
the representation of this information in an easy to understand format.

There are even tools like Fake Voice
Fake Voice allows you to change your voice. You can be anyone you want
to be, including a male, female, an old or young person. You can also
add real-time effects to your voice for concealing or having fun with
your voice.

EFF Launches Surveillance Self-Defense site :
Mar 2009

The Electronic Frontier Foundation (EFF) has created this Surveillance
Self-Defense site to educate the American public about the law and
technology of government surveillance in the United States, providing
the information and tools necessary to evaluate the threat of
surveillance and take appropriate steps to defend against it.

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -