One interesting anti-forensic technique lets a user delete files from their original location by simply pressing the "Delete" key, without the files ever being sent to the Recycle Bin. Normally a plain Delete moves the file into $Recycle.Bin\<SID> as an $R file together with an $I record that stores the original path, size and deletion time; with this setting neither file is created.
The following information can therefore be hidden from the forensic examiner:
- The user who deleted the files (normally identifiable from the SID-named folder under $Recycle.Bin)
- The deletion time (not in all cases: NTFS artefacts such as $UsnJrnl and $LogFile may still record the delete)
- Recovery becomes more complex and conditional, since the content has to be carved from unallocated space before it is overwritten instead of being restored from the Recycle Bin
How to Do it
This setting can be enabled for the entire system drive or for an individual partition, either through the GUI or directly in the registry.
Using the GUI
Right-click the Recycle Bin and open Properties. The dialog lists every partition, as shown in the figure below.
In the figure above, drive D: is selected and the highlighted option "Don't move files to the Recycle Bin. Remove files immediately when deleted." is chosen for it. Click Apply and then OK.
Using the registry
- From the Start menu click Run and type regedit.
- This opens the Registry Editor. Navigate to: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\ (note that this lives in the per-user hive, so it applies only to the user whose profile is loaded; an examiner has to check every NTUSER.DAT on the system).
- The subkeys here are the GUIDs of the partitions. To find the GUID of the partition you want, open a command prompt and type "mountvol"; it lists every volume GUID together with its mount point (drive letter):
- In the figure above, the highlighted area is the GUID for drive D:, so the GUID can now be mapped to its drive letter.
- Return to the registry location above and select the subkey with that GUID.
- Select the NukeOnDelete value (a REG_DWORD; create it if it is not present) and set it to 1. If you already made the change through the GUI, you will see that NukeOnDelete is already set to 1. Setting it back to 0 restores normal Recycle Bin behaviour.
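As an added example (not code from the original post), the same drive-letter-to-GUID mapping and registry change scripted in PowerShell, followed by the check a forensic examiner would run to find every loaded user hive that already bypasses the Recycle Bin. The function names, the use of Win32_Volume instead of parsing mountvol output, and the drive letter D: are this example's own choices.

```powershell
# Added example, not from the original article.
# Assumptions: Windows Vista or later; Set-/Get-NukeOnDelete act on the current
# user's hive (HKCU); Find-NukeOnDeleteVolumes needs rights to read other users'
# hives under HKEY_USERS. 'D:' is only a placeholder drive letter.

$BitBucket = 'Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume'

function Get-VolumeGuidForDrive {
    param([Parameter(Mandatory)][string]$DriveLetter)   # 'D' or 'D:' both accepted
    $letter = $DriveLetter.TrimEnd(':', '\') + ':'
    # Win32_Volume.DeviceID is \\?\Volume{GUID}\ , the same string mountvol prints
    $vol = Get-CimInstance Win32_Volume -Filter "DriveLetter='$letter'"
    if (-not $vol) { throw "No volume mounted at $letter" }
    if ($vol.DeviceID -match '\{[0-9a-fA-F-]+\}') { return $Matches[0] }
    throw "Unexpected DeviceID format: $($vol.DeviceID)"
}

function Get-NukeOnDelete {
    param([Parameter(Mandatory)][string]$DriveLetter)
    $guid = Get-VolumeGuidForDrive $DriveLetter
    $key  = "HKCU:\$BitBucket\$guid"
    # The volume subkey only appears once the bin has been used on that volume
    if (-not (Test-Path $key)) { return 0 }
    $prop = Get-ItemProperty -Path $key -Name NukeOnDelete -ErrorAction SilentlyContinue
    if ($null -eq $prop) { return 0 }
    return [int]$prop.NukeOnDelete
}

function Set-NukeOnDelete {
    param([Parameter(Mandatory)][string]$DriveLetter, [bool]$Enabled = $true)
    $guid = Get-VolumeGuidForDrive $DriveLetter
    $key  = "HKCU:\$BitBucket\$guid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # REG_DWORD: 1 = remove immediately on Delete, 0 = move to Recycle Bin (default)
    New-ItemProperty -Path $key -Name NukeOnDelete -PropertyType DWord `
        -Value ([int]$Enabled) -Force | Out-Null
}

# Examiner's view: walk every loaded hive under HKEY_USERS so the setting is
# found for any profile, not just the user running the script.
function Find-NukeOnDeleteVolumes {
    $guidToLetter = @{}
    Get-CimInstance Win32_Volume | Where-Object DriveLetter | ForEach-Object {
        if ($_.DeviceID -match '\{[0-9a-fA-F-]+\}') { $guidToLetter[$Matches[0]] = $_.DriveLetter }
    }
    Get-ChildItem 'Registry::HKEY_USERS' | ForEach-Object {
        $sid    = $_.PSChildName
        $volKey = "Registry::HKEY_USERS\$sid\$BitBucket"
        if (-not (Test-Path $volKey)) { return }      # 'return' skips to the next hive
        Get-ChildItem $volKey | ForEach-Object {
            $v = (Get-ItemProperty -Path $_.PSPath -Name NukeOnDelete -ErrorAction SilentlyContinue).NukeOnDelete
            if ($v -eq 1) {
                [pscustomobject]@{
                    UserSid      = $sid
                    VolumeGuid   = $_.PSChildName
                    DriveLetter  = $guidToLetter[$_.PSChildName]   # $null if not mounted now
                    NukeOnDelete = $v
                }
            }
        }
    }
}

# Usage
Set-NukeOnDelete -DriveLetter 'D:' -Enabled $true
Get-NukeOnDelete -DriveLetter 'D:'
Find-NukeOnDeleteVolumes | Format-Table
```

Explorer picks the value up on its own, so a file deleted on D: with a plain Delete afterwards goes straight to unallocated space. For an offline examination the same walk applies to each NTUSER.DAT loaded with reg load, since the key is per user and a volume that is no longer mounted still keeps its GUID subkey.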