BEGIN:VCALENDAR
VERSION:2.0
PRODID:-//pretalx//pretalx.com//hack-lu-2025//talk//WHX9KY
BEGIN:VTIMEZONE
TZID:CET
BEGIN:STANDARD
DTSTART:20001029T040000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=10
TZNAME:CET
TZOFFSETFROM:+0200
TZOFFSETTO:+0100
END:STANDARD
BEGIN:DAYLIGHT
DTSTART:20000326T030000
RRULE:FREQ=YEARLY;BYDAY=-1SU;BYMONTH=3
TZNAME:CEST
TZOFFSETFROM:+0100
TZOFFSETTO:+0200
END:DAYLIGHT
END:VTIMEZONE
BEGIN:VEVENT
UID:pretalx-hack-lu-2025-WHX9KY@pretalx.com
DTSTART;TZID=CET:20251021T101500
DTEND;TZID=CET:20251021T104500
DESCRIPTION:In this talk\, we’ll dissect common anti-forensics strategies
 —like USN Journal deletion\, shellbag clearing\, timestamp manipulation\
 , and disabling access time updates—and reveal how they are often execut
 ed ineffectively or misunderstood.\n\nWe’ll explore practical examples\,
  such as:\n\n- Deleting the USN Journal (fsutil usn deletejournal /d C:) a
 nd why it’s rarely a perfect solution.\n- Clearing shellbags to wipe fil
 e explorer history but failing to account for deeper registry artifacts.\n
 - Time stomping ((Get-Item "C:\\path\\to\\file.txt").CreationTime = "2022-0
 1-01 00:00:00") and how forensic tools detect inconsistencies.\n- Disabling
  last access time updates (fsutil behavior set disablelastaccess 1) and it
 s limited effectiveness against comprehensive timeline analysis.\n- Wiping
  MFT free space (sdelete -z C:) while ignoring the traces left behind in u
 nstructured data.\n\nFrom registry edits like masking user account activit
 y to configuring Windows EFS\, we’ll examine why these techniques often 
 fail against modern investigative workflows and how defenders use these 
 “footprints of erasure” to uncover malicious intent.\n\nAttendees will
  gain a comprehensive understanding of what works and what doesn’t and h
 ow to identify these techniques during incident response. Whether you’re
  an IR consultant\, security analyst\, or blue teamer\, this talk offers a
 ctionable knowledge to outsmart adversarial anti-forensics tactics.\n\nWe 
 use Python code to show how ‘clean’ evidence cleaning can be done\, e.
 g.\, if only individual MFT entries are deleted or even if entries in the 
 SRUM database are deleted or manipulated. This means it is not immediately
  obvious that the data has been manipulated\, unlike when everything is de
 leted.
DTSTAMP:20260420T000133Z
LOCATION:Europe
SUMMARY:Anti-Forensics - You are doing it wrong (Believe me\, I'm an IR con
 sultant) - Stephan Berger
URL:https://pretalx.com/hack-lu-2025/talk/WHX9KY/
END:VEVENT
END:VCALENDAR
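
The abstract's time-stomping bullet says that setting CreationTime from PowerShell is caught because forensic tools spot inconsistencies. The script below is an added example, not code from the talk or from pretalx, showing the two checks that catch exactly that command: a $STANDARD_INFORMATION ($SI) creation time with an all-zero 100ns field, and an $SI creation time that predates the kernel-maintained $FILE_NAME ($FN) creation time. It assumes the MFT has already been parsed (by whatever tool you use) into raw FILETIME integers; the record layout, field names and sample records are this example's own constructed convention.

```python
"""Time-stomping triage over NTFS MFT timestamps.

Added example (not the talk's or pretalx's code). It assumes the caller has
already parsed $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamps
out of MFT entries into raw FILETIME integers; the sample records below are
constructed for the example, and the field names are its own convention.
"""
from datetime import datetime, timedelta, timezone

# FILETIME: count of 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000


def filetime(iso_utc: str, ticks: int = 0) -> int:
    """Build a FILETIME from a whole-second ISO-8601 UTC string plus sub-second ticks."""
    dt = datetime.fromisoformat(iso_utc).replace(tzinfo=timezone.utc)
    micros = (dt - EPOCH_1601) // timedelta(microseconds=1)
    return micros * 10 + ticks


def to_iso(ft: int) -> str:
    """Render a FILETIME with full 100ns precision, as forensic tools display it."""
    whole = EPOCH_1601 + timedelta(seconds=ft // TICKS_PER_SECOND)
    return whole.strftime("%Y-%m-%dT%H:%M:%S") + f".{ft % TICKS_PER_SECOND:07d}Z"


# Constructed sample records (not real evidence). One legitimate file, one whose
# $SI creation time was set with
#   (Get-Item "C:\path\to\file.txt").CreationTime = "2022-01-01 00:00:00"
# and one that was copied, which legitimately yields created > modified.
SAMPLE_RECORDS = [
    {
        "name": "report.docx",
        "si_created": filetime("2024-05-03T09:14:07", 4_812_553),
        "si_modified": filetime("2024-05-10T16:02:31", 1_003_221),
        "fn_created": filetime("2024-05-03T09:14:07", 4_812_553),
    },
    {
        "name": "file.txt",
        "si_created": filetime("2022-01-01T00:00:00"),                # whole second: API-set
        "si_modified": filetime("2024-05-03T09:14:07", 4_812_553),
        "fn_created": filetime("2024-05-03T09:14:07", 4_812_553),     # kernel-set, untouched
    },
    {
        "name": "copied.pdf",
        "si_created": filetime("2024-06-01T12:00:00", 2_200_000),
        "si_modified": filetime("2024-05-10T16:02:31", 1_003_221),
        "fn_created": filetime("2024-06-01T12:00:00", 2_200_000),
    },
]


def stomp_indicators(rec: dict) -> list:
    """Return the inconsistencies that point to a manipulated $SI creation time."""
    si_c, si_m, fn_c = rec["si_created"], rec["si_modified"], rec["fn_created"]
    findings = []
    # 1. SetFileTime / PowerShell write exactly the value they are given; a string
    #    like "2022-01-01 00:00:00" leaves the 100ns field all zeros. A timestamp
    #    written by the kernel almost never lands on exactly .0000000 seconds.
    if si_c % TICKS_PER_SECOND == 0 and fn_c % TICKS_PER_SECOND != 0:
        findings.append("si_created ends in .0000000 while fn_created does not")
    # 2. $FN timestamps are maintained by the kernel on create/rename/move and are
    #    not reachable through the file-time APIs, so an $SI creation time earlier
    #    than the $FN creation time means $SI was backdated.
    if si_c < fn_c:
        findings.append("si_created predates fn_created")
    # 3. Created after modified: normal for copied files (a copy keeps the source
    #    mtime), so on its own this is only a weak signal.
    if si_c > si_m:
        findings.append("si_created is later than si_modified (weak: normal for copies)")
    return findings


def scan(records: list) -> dict:
    """Map file name -> list of findings; an empty list means nothing suspicious."""
    return {rec["name"]: stomp_indicators(rec) for rec in records}


if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(f"{rec['name']}: si_created={to_iso(rec['si_created'])} "
              f"fn_created={to_iso(rec['fn_created'])}")
        for finding in stomp_indicators(rec):
            print(f"  ! {finding}")
```

Running it flags only file.txt with both strong indicators and gives copied.pdf a single weak one, which is the point the abstract makes: the stomp is visible precisely because only one of the timestamp sets was touched. The caveat to keep in mind is that an attacker who stomps the file and then renames or moves it propagates the fake $SI values into $FN, so check 2 alone is not enough; the sub-second check still holds, and the USN Journal and $LogFile record the rename itself.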
