├── .gitgnore
├── LICENSE
├── README.md
└── WAFS.ps1

/.gitgnore:
--------------------------------------------------------------------------------
logs_anti.txt
logs_all.txt
logs_tools.txt
logs_disable.txt
logs_clean.txt
--------------------------------------------------------------------------------

/LICENSE:
--------------------------------------------------------------------------------
MIT License

Copyright (c) 2023 MikeHorn-git

Permission is hereby granted, free of charge, to any person obtaining a copy
of this software and associated documentation files (the "Software"), to deal
in the Software without restriction, including without limitation the rights
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in all
copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
SOFTWARE.
--------------------------------------------------------------------------------

/README.md:
--------------------------------------------------------------------------------
# Windows Anti-Forensics Script

![BlackWindows](https://github.com/MikeHorn-git/WAFS/assets/123373126/1667f6e9-273a-4f02-b242-d95659ed76e0)

# ⚠️ Warning
Back up your data and your registry before running it.

# Description
Windows Anti-Forensics Script (WAFS) aims to make forensic investigations on a Windows OS more difficult. WAFS lets you clean or disable certain files, services and registry keys, and it downloads a set of anti-forensics tools to help counter forensic analysis.

# Installation
```powershell
Invoke-WebRequest https://raw.githubusercontent.com/MikeHorn-git/WAFS/main/WAFS.ps1 -Outfile WAFS.ps1
# Run PowerShell with administrator privileges
.\WAFS.ps1
```

# Usage
```text
██╗    ██╗ █████╗ ███████╗███████╗
██║    ██║██╔══██╗██╔════╝██╔════╝
██║ █╗ ██║███████║█████╗  ███████╗
██║███╗██║██╔══██║██╔══╝  ╚════██║
╚███╔███╔╝██║  ██║██║     ███████║
 ╚══╝╚══╝ ╚═╝  ╚═╝╚═╝     ╚══════╝

Windows Anti-Forensics Script

Syntax: wafs.ps1 -[all|anti|tools|clean|disable]
options:
    -all        Install the tools and run the anti-forensics actions.
    -anti       Disable and clear certain Windows features and parameters for anti-forensics.
    -tools      Install anti-forensics tools.
    -disable    Only disable Windows features, without cleaning.
    -clean      Only clean.
```

# Features
* Clean
    * Chrome cache - history - session restore
    * DNS cache
    * Edge cache - history
    * Firefox cache - history
    * Internet Explorer cache - history - session restore
    * Last-Visited MRU
    * OpenSave MRU
    * Plug and Play logs
    * PowerShell history
    * Prefetch
    * Recent items
    * Recycle Bin
    * Run command history
    * Shadow copies
    * Shellbags
    * Shimcache
    * System Resource Usage Monitor
    * Temporary files
    * Thumbcache
    * USB history
    * User Assist
    * VPN cache
    * Windows Timeline

* Disable
    * Keylogger
    * NTFS Last Access Time
    * Prefetch
    * Shadow Copies
    * Shellbags
    * User Assist
    * UsnJrnl
    * Windows Event Logs
    * Windows Timeline

* Remove
    * Cortana

# Tools
* [Bleachbit](https://www.bleachbit.org/)
* [BusKill](https://github.com/BusKill/buskill-app)
* [ClamAV](https://www.clamav.net/)
* [Delete-self-poc](https://github.com/LloydLabs/delete-self-poc)
* [ExivPilot](https://www.colorpilot.com/)
* [KeePassXC](https://keepassxc.org/)
* [SDelete](https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete)
* [TimeStomper](https://github.com/slyd0g/TimeStomper)
* [USBSentinel](https://github.com/thereisnotime/xxUSBSentinel/)
* [VeraCrypt](https://www.veracrypt.fr/en/Home.html)

# Credits
* [Awesome anti-forensic](https://github.com/shadawck/awesome-anti-forensic)
* [Background](https://wallpapercave.com/wp/wp3438728.jpg)
* [Sans Forensics](https://www.sans.org/posters/windows-forensic-analysis/)
--------------------------------------------------------------------------------

/WAFS.ps1:
--------------------------------------------------------------------------------
#Requires -RunAsAdministrator

#################################################################################
#MIT License                                                                    #
#                                                                               #
#Copyright (c) 2023-2024 MikeHorn-git                                           #
#                                                                               #
#Permission is hereby granted, free of charge, to any person obtaining a copy   #
#of this software and associated documentation files (the "Software"), to deal  #
#in the Software without restriction, including without limitation the rights   #
#to use, copy, modify, merge, publish, distribute, sublicense, and/or sell      #
#copies of the Software, and to permit persons to whom the Software is          #
#furnished to do so, subject to the following conditions:                       #
#                                                                               #
#The above copyright notice and this permission notice shall be included in all #
#copies or substantial portions of the Software.                                #
#                                                                               #
#THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR     #
#IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,       #
#FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE    #
#AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER         #
#LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,  #
#OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE  #
#SOFTWARE.                                                                      #
#################################################################################

<#
.SYNOPSIS
Windows Anti-Forensics Script (WAFS) hardens your Windows OS against forensic analysis.

.DESCRIPTION
Windows Anti-Forensics Script (WAFS) aims to make forensic investigations on a Windows OS more difficult.
WAFS lets you clean or disable certain files, services and registry keys,
and it downloads a set of anti-forensics tools to help counter forensic analysis.

To execute this script:
1) Open a PowerShell window as administrator
2) Execute the script by running ".\WAFS.ps1"

.PARAMETER all
Install both features: download the tools and perform the anti-forensics actions, which disable certain Windows features
and clear certain data. This includes the cleaning of various file and registry data.

.PARAMETER anti
Perform the anti-forensics actions without installing the tools. This includes disabling certain Windows features and
clearing various forensics-related data, such as browser caches, event logs, and session histories.

.PARAMETER tools
Install anti-forensics tools. This downloads various tools that can be used to enhance anti-forensics activities.
No other actions are performed with this option.

.PARAMETER clean
Perform only the cleaning actions. This will clean up various files, caches, and registry entries that may be used in
forensic investigations but will not disable any Windows features or services.

.PARAMETER disable
Only disable certain Windows features without performing any cleaning actions. This includes disabling services like
EventLog, Prefetch, and Shadow Copies, as well as disabling keylogging and other Windows telemetry features.

.EXAMPLE
.\WAFS.ps1 -anti

Description
---------------------------------------
Disable and clear certain Windows features and parameters for anti-forensics.

.LINK
https://github.com/MikeHorn-git/WAFS
#>

[CmdletBinding()]
param (
    [switch]$all,
    [switch]$anti,
    [switch]$tools,
    [switch]$clean,
    [switch]$disable
)

function Invoke-AntiForensics {
    Write-Output '[+] Anti-Forensics Script'

    # Cleaning
    $PathsToRemove = @{
        'ChromeCache'           = "$Home\AppData\Local\Google\Chrome\User Data\Default\Cache"
        'ChromeHistory'         = "$Home\AppData\Local\Google\Chrome\User Data\Default\History"
        'ChromeSessionRestore'  = "$Home\AppData\Local\Google\Chrome\User Data\Default"
        'EdgeCache'             = "$Home\AppData\Local\Packages\microsoft.microsoftedge_*\AC\MicrosoftEdge\Cache"
        'IEHistory'             = 'HKCU:\Software\Microsoft\Internet Explorer\TypedURLs'
        'IEWebCache'            = "$Home\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat"
        'FirefoxCache'          = "$Home\AppData\Local\Mozilla\Firefox\Profiles\*.default\Cache"
        'FirefoxHistory'        = "$Home\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\places.sqlite"
        'FirefoxSessionRestore' = "$Home\AppData\Roaming\Mozilla\Firefox\Profiles\*.default\sessionstore.js"
        'IECache'               = "$Home\AppData\Local\Microsoft\Windows\INetCache\IE"
        'IECacheStorage'        = "$Home\AppData\Local\Microsoft\Internet Explorer\CacheStorage"
        'IESessionRestore'      = "$Home\AppData\Local\Microsoft\Internet Explorer\Recovery"
        'LastVisitedMRU'        = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU'
        'OpenSaveMRU'           = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU'
        'PlugAndPlayLogs'       = "C:\Windows\INF\setupapi.dev*"
        'Prefetch'              = "C:\Windows\Prefetch"
        'RecentItems'           = "$HOME\AppData\Roaming\Microsoft\Windows\Recent"
        'RecentDocs'            = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'
        'RunMRU'                = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
        'ShadowCopies'          = 'HKLM:\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup'
        'ShellBags'             = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell'
        'ShellNoRoam'           = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\ShellNoRoam'
        'ShellWow6432'          = 'HKCU:\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\'
        'Simcache'              = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\'
        'SRUDB'                 = "C:\Windows\System32\sru\SRUDB.dat"
        'TempFiles'             = "C:\Windows\temp\*"
        'Thumbcache'            = "$Home\AppData\Local\Microsoft\Windows\Explorer\thumbcache*.db\"
        'USBHistory'            = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
        'USBEnum'               = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB'
        'UserAssist'            = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\'
        'VPNCache'              = 'HKLM:\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache'
        'TimelineDB'            = "$Home\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db"
        'PowerShellHistory'     = "$HOME\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
    }

    foreach ($pathKey in $PathsToRemove.Keys) {
        $path = $PathsToRemove[$pathKey]
        if ($null -ne $path) {
            try {
                Remove-Item -Path $path -Recurse -Force -ErrorAction Stop
                Write-Output "Removed: $path"
            }
            catch {
                Write-Error "Failed to remove: $path. Error: $_"
            }
        }
    }

    # Disable
    try {
        # Disable Audit Success logs
        auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable 2>$null

        # Remove Cortana
        Get-AppxPackage -AllUsers Microsoft.549981C3F5F10 | Remove-AppPackage 2>$null

        # Clean DNS cache
        ipconfig /flushdns >$null

        # Disable Keylogger
        Stop-Service -Name DiagTrack -Force 2>$null
        Set-Service -Name DiagTrack -StartupType Disabled 2>$null
        Stop-Service -Name dmwappushservice -Force 2>$null
        Set-Service -Name dmwappushservice -StartupType Disabled 2>$null
        Write-Output "" > C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl 2>$null

        # Disable NTFS Last Access Time
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' -Name 'NtfsDisableLastAccessUpdate' -Value 1 -Force
        fsutil behavior set disablelastaccess 3 >$null

        # Disable Prefetch
        Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\' -Name 'EnablePrefetcher' -Value 0 -Force
        Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\' -Name 'EnableSuperfetch' -Value 0 -Force

        # Clean RecycleBin
        Clear-RecycleBin -Force 2>$null

        # Disable previous Shadow Copies
        Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\' -Name 'DisableLocalPage' -Value 1 -Force

        # Clean Shadow Copies
        vssadmin delete shadows /All >$null

        # Disable ShellBags
        Set-ItemProperty -Path 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell' -Name 'BagMRU Size' -Value 1 -Force

        # Disable UserAssist
        Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\' -Name 'Start_TrackProgs' -Value 0 -Force
        Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\' -Name 'Start_TrackEnabled' -Value 0 -Force

        # Disable Windows Event logs
        Stop-Service -Name EventLog -Force 2>$null
        Set-Service EventLog -StartupType Disabled

        # Clean Windows Event logs
        wevtutil el | ForEach-Object { wevtutil cl "$_" } 2>$null

        # Clean Windows logs
        Get-EventLog -LogName * | ForEach-Object { Clear-EventLog $_.Log } 2>$null

        # Disable Windows Timeline DB
        Stop-Service -Name CDPUserSvc* -Force 2>$null

        # Disable $UsnJrnl
        fsutil usn deletejournal /d c: 2>$null

        # Clean Powershell history
        Clear-History 2>$null
    }
    catch {
        Write-Error "An error occurred: $_"
    }

    # Return to Main so that the transcript is stopped before the script exits
    Write-Output '[+] Done, reboot your system'
}

function Invoke-Cleaning {

    Write-Output '[+] Anti-Forensics Script - Cleaning'

    $PathsToRemove = @{
        'ChromeCache'                 = "$Home\AppData\Local\Google\Chrome\User Data\Default\Cache"
        'ChromeHistory'               = "$Home\AppData\Local\Google\Chrome\User Data\Default\History"
        'ChromeSessionRestore'        = "$Home\AppData\Local\Google\Chrome\User Data\Default"
        'EdgeCache'                   = "$Home\AppData\Local\Packages\microsoft.microsoftedge_*\AC\MicrosoftEdge\Cache"
        'IEHistory'                   = 'HKCU:\Software\Microsoft\Internet Explorer\TypedURLs'
        'IEWebCache'                  = "$Home\AppData\Local\Microsoft\Windows\WebCache\WebCacheV*.dat"
        'FirefoxCache'                = "$Home\AppData\Local\Mozilla\Firefox\Profiles\*.default\Cache"
        'FirefoxHistory'              = "$Home\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*\places.sqlite"
        'FirefoxHistoryBackup'        = "$Home\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*\places.sqlite-*"
        'FirefoxBookmarks'            = "$Home\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*\bookmarkbackups\*"
        'FirefoxSessionRestore'       = "$Home\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*\sessionstore.js"
        'FirefoxSessionRestoreBackup' = "$Home\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*\sessionstore-backups\*"
        'FirefoxCookies'              = "$Home\AppData\Roaming\Mozilla\Firefox\Profiles\*.default*\cookies.sqlite*"
        'IECache'                     = "$Home\AppData\Local\Microsoft\Windows\INetCache\IE"
        'IECacheStorage'              = "$Home\AppData\Local\Microsoft\Internet Explorer\CacheStorage"
        'IESessionRestore'            = "$Home\AppData\Local\Microsoft\Internet Explorer\Recovery"
        'LastVisitedMRU'              = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedPidlMRU'
        'OpenSaveMRU'                 = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU'
        'PlugAndPlayLogs'             = "C:\Windows\INF\setupapi.dev*"
        'Prefetch'                    = "C:\Windows\Prefetch"
        'RecentItems'                 = "$HOME\AppData\Roaming\Microsoft\Windows\Recent"
        'RecentDocs'                  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs'
        'RunMRU'                      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU'
        'ShadowCopies'                = 'HKLM:\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToBackup'
        'ShellBags'                   = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell'
        'ShellNoRoam'                 = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\ShellNoRoam'
        'ShellWow6432'                = 'HKCU:\Software\Classes\Wow6432Node\Local Settings\Software\Microsoft\Windows\Shell\'
        'Simcache'                    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache\'
        'SRUDB'                       = "C:\Windows\System32\sru\SRUDB.dat"
        'TempFiles'                   = "C:\Windows\temp\*"
        'Thumbcache'                  = "$Home\AppData\Local\Microsoft\Windows\Explorer\thumbcache*.db\"
        'USBHistory'                  = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
        'USBEnum'                     = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USB'
        'UserAssist'                  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\'
        'VPNCache'                    = 'HKLM:\Microsoft\Windows NT\CurrentVersion\NetworkList\Nla\Cache'
        'TimelineDB'                  = "$Home\AppData\Local\ConnectedDevicesPlatform\*\ActivitiesCache.db"
        'PowerShellHistory'           = "$HOME\AppData\Roaming\Microsoft\Windows\PowerShell\PSReadLine\ConsoleHost_history.txt"
    }

    foreach ($pathKey in $PathsToRemove.Keys) {
        $path = $PathsToRemove[$pathKey]
        if ($null -ne $path) {
            try {
                Remove-Item -Path $path -Recurse -Force -ErrorAction Stop
                Write-Output "Removed: $path"
            }
            catch {
                Write-Error "Failed to remove: $path. Error: $_"
            }
        }
    }
}

function Invoke-Disable {
    Write-Output '[+] Anti-Forensics Script - Disable'
    try {
        # Disable Audit Success logs
        auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:enable 2>$null

        # Remove Cortana
        Get-AppxPackage -AllUsers Microsoft.549981C3F5F10 | Remove-AppPackage 2>$null

        # Clean DNS cache
        ipconfig /flushdns >$null

        # Disable Keylogger
        Stop-Service -Name DiagTrack -Force 2>$null
        Set-Service -Name DiagTrack -StartupType Disabled 2>$null
        Stop-Service -Name dmwappushservice -Force 2>$null
        Set-Service -Name dmwappushservice -StartupType Disabled 2>$null
        Write-Output "" > C:\ProgramData\Microsoft\Diagnosis\ETLLogs\AutoLogger\AutoLogger-Diagtrack-Listener.etl 2>$null

        # Disable NTFS Last Access Time
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' -Name 'NtfsDisableLastAccessUpdate' -Value 1 -Force
        fsutil behavior set disablelastaccess 3 >$null

        # Disable Prefetch
        Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\' -Name 'EnablePrefetcher' -Value 0 -Force
        Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\' -Name 'EnableSuperfetch' -Value 0 -Force

        # Clean RecycleBin
        Clear-RecycleBin -Force 2>$null

        # Disable previous Shadow Copies
        Set-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\' -Name 'DisableLocalPage' -Value 1 -Force

        # Clean Shadow Copies
        vssadmin delete shadows /All >$null

        # Disable ShellBags
        Set-ItemProperty -Path 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell' -Name 'BagMRU Size' -Value 1 -Force

        # Disable UserAssist
        Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\' -Name 'Start_TrackProgs' -Value 0 -Force
        Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\' -Name 'Start_TrackEnabled' -Value 0 -Force

        # Disable Windows Event logs
        Stop-Service -Name EventLog -Force 2>$null
        Set-Service EventLog -StartupType Disabled

        # Clean Windows Event logs
        wevtutil el | ForEach-Object { wevtutil cl "$_" } 2>$null

        # Clean Windows logs
        Get-EventLog -LogName * | ForEach-Object { Clear-EventLog $_.Log } 2>$null

        # Disable Windows Timeline DB
        Stop-Service -Name CDPUserSvc* -Force 2>$null

        # Disable $UsnJrnl
        fsutil usn deletejournal /d c: 2>$null

        # Clean Powershell history
        Clear-History 2>$null
    }
    catch {
        Write-Error "An error occurred: $_"
    }

    # Return to Main so that the transcript is stopped before the script exits
    Write-Output '[+] Done, reboot your system'
}

function Install-Tools {
    Write-Output '[+] Tools Script'
    $toolsDirectory = "$HOME\Tools"
    New-Item -Path $toolsDirectory -ItemType Directory -Force >$null

    # URLs of tools to download
    $FastURL = [ordered]@{
        DSP         = "https://github.com/LloydLabs/delete-self-poc/releases/download/v1.1/ds_x64.exe"
        Exif        = "https://www.two-pilots.com/colorpilot.com/load/exif_64.exe"
        Timestomper = "https://github.com/slyd0g/TimeStomper/blob/master/Release/TimeStomper.exe"
        USBSentinel = "https://github.com/thereisnotime/xxUSBSentinel/releases/download/v1/xxUSBSentinel.exe"
        Veracrypt   = "https://launchpad.net/veracrypt/trunk/1.26.15/+download/VeraCrypt%20Setup%201.26.15.exe"
    }

    foreach ($key in $FastURL.Keys) {
        $url = $FastURL[$key]
        $outputPath = "$toolsDirectory\$key.exe"

        try {
            Invoke-WebRequest -Uri $url -OutFile $outputPath -ErrorAction Stop
            Write-Output "Downloaded $key from $url to $outputPath"
        }
        catch {
            Write-Error "Failed to download $key from $url. $_"
        }
    }

    $LongURL = [ordered]@{
        Bleachbit = "https://download.bleachbit.org/BleachBit-4.6.2-portable.zip"
        Buskill   = "https://github.com/BusKill/buskill-app/releases/download/v0.7.0/buskill-win-v0.7.0-x86_64.zip"
        Clamav    = "https://www.clamav.net/downloads/production/clamav-1.4.1.win.x64.zip"
        Sdelete   = "https://download.sysinternals.com/files/SDelete.zip"
    }

    foreach ($key in $LongURL.Keys) {
        $url = $LongURL[$key]
        $downloadPath = "$Home\Downloads\$key.zip"
        $extractPath = "$toolsDirectory\$key"

        try {
            Invoke-WebRequest -Uri $url -OutFile $downloadPath -ErrorAction Stop
            Write-Output "Downloaded $key from $url to $downloadPath"
            Expand-Archive -Path $downloadPath -DestinationPath $extractPath -Force
            Write-Output "Extracted $key to $extractPath"
        }
        catch {
            Write-Error "Failed to download or extract $key from $url. $_"
        }
    }
}

function Show-Usage {
    Write-Host @"
██╗    ██╗ █████╗ ███████╗███████╗
██║    ██║██╔══██╗██╔════╝██╔════╝
██║ █╗ ██║███████║█████╗  ███████╗
██║███╗██║██╔══██║██╔══╝  ╚════██║
╚███╔███╔╝██║  ██║██║     ███████║
 ╚══╝╚══╝ ╚═╝  ╚═╝╚═╝     ╚══════╝


Windows Anti-Forensics Script

Syntax: wafs.ps1 -[all|anti|tools|clean|disable]
options:
    -all        Install the tools and run the anti-forensics actions.
    -anti       Disable and clear certain Windows features and parameters for anti-forensics.
    -tools      Install anti-forensics tools.
    -disable    Only disable Windows features, without cleaning.
    -clean      Only clean.
"@
}

function Main {
    if ($all) {
        Start-Transcript -Path ".\logs_all.txt"
        Install-Tools
        Invoke-AntiForensics
        Stop-Transcript
    }
    elseif ($anti) {
        Start-Transcript -Path ".\logs_anti.txt"
        Invoke-AntiForensics
        Stop-Transcript
    }
    elseif ($tools) {
        Start-Transcript -Path ".\logs_tools.txt"
        Install-Tools
        Write-Output '[+] Done, reboot your system'
        # Stop the transcript before exiting, otherwise this line is never reached
        Stop-Transcript
        Exit 0
    }
    elseif ($clean) {
        Start-Transcript -Path ".\logs_clean.txt"
        Invoke-Cleaning
        Stop-Transcript
    }
    elseif ($disable) {
        Start-Transcript -Path ".\logs_disable.txt"
        Invoke-Disable
        Stop-Transcript
    }
    else {
        Show-Usage
    }
}

Main
--------------------------------------------------------------------------------
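From the responder's side, the useful question about a host like this is whether the artifact sources were disabled or emptied before you trust their absence. The following read-only PowerShell audit is an added example, not code from the WAFS repository: it checks the registry values, services and artifact stores that the Disable and Clean features above modify, and looks for the log-cleared events (Security 1104, System 104) that clearing event logs itself generates. The function names, the finding format and the choice of which stores to test are this example's own assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not part of WAFS): report which settings and artifact stores
# touched by WAFS.ps1 are in the state that script leaves behind.
# Helper names (Get-RegistryValueSafe, Test-WafsTamper, Add-Finding) are this example's own.

function Get-RegistryValueSafe {
    param([string]$Path, [string]$Name)
    try { return (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { return $null }   # key or value absent: nothing to report for this check
}

function Test-WafsTamper {
    $findings = New-Object System.Collections.Generic.List[object]
    function Add-Finding([string]$Artifact, [string]$Evidence) {
        $findings.Add([pscustomobject]@{ Artifact = $Artifact; Evidence = $Evidence })
    }

    # Registry values WAFS writes (path, value name, value it sets)
    $adv = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $regChecks = @(
        @{ A = 'Prefetch';   P = $adv; N = 'EnablePrefetcher';   V = 0 },
        @{ A = 'Prefetch';   P = $adv; N = 'EnableSuperfetch';   V = 0 },
        @{ A = 'UserAssist'; P = $adv; N = 'Start_TrackProgs';   V = 0 },
        @{ A = 'UserAssist'; P = $adv; N = 'Start_TrackEnabled'; V = 0 },
        @{ A = 'ShellBags';  P = 'HKCU:\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell'; N = 'BagMRU Size'; V = 1 }
    )
    foreach ($c in $regChecks) {
        $v = Get-RegistryValueSafe -Path $c.P -Name $c.N
        if ($null -ne $v -and [int]$v -eq $c.V) { Add-Finding $c.A "$($c.N)=$v" }
    }

    # NTFS last-access updates: bit 0 of NtfsDisableLastAccessUpdate set means disabled.
    # Windows can set this itself on large volumes, so treat it as corroborating evidence only.
    $la = Get-RegistryValueSafe -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem' -Name 'NtfsDisableLastAccessUpdate'
    if ($null -ne $la -and ([int]$la -band 1) -eq 1) { Add-Finding 'NTFS last access' "NtfsDisableLastAccessUpdate=$la" }

    # Services WAFS stops and disables; a disabled EventLog service is the strongest signal
    foreach ($svc in 'EventLog', 'DiagTrack', 'dmwappushservice') {
        $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
        if ($s -and ($s.Status -ne 'Running' -or $s.StartType -eq 'Disabled')) {
            Add-Finding "Service $svc" "Status=$($s.Status) StartType=$($s.StartType)"
        }
    }

    # Artifact stores WAFS deletes outright; their absence on a system in use is itself a signal
    $stores = @{
        'Prefetch files'  = 'C:\Windows\Prefetch\*.pf'
        'SRUM database'   = 'C:\Windows\System32\sru\SRUDB.dat'
        'Shimcache'       = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache'
        'USBSTOR history' = 'HKLM:\SYSTEM\CurrentControlSet\Enum\USBSTOR'
    }
    foreach ($name in $stores.Keys) {
        if (-not (Test-Path -Path $stores[$name])) { Add-Finding $name "missing: $($stores[$name])" }
    }

    # USN journal: fsutil returns a non-zero exit code when the journal has been deleted
    $null = & fsutil usn queryjournal C: 2>&1
    if ($LASTEXITCODE -ne 0) { Add-Finding 'USN journal' 'fsutil usn queryjournal C: failed' }

    # Volume shadow copies: none at all is unusual on a workstation with System Protection on
    if (-not (Get-CimInstance -ClassName Win32_ShadowCopy -ErrorAction SilentlyContinue)) {
        Add-Finding 'Shadow copies' 'no shadow copies present'
    }

    # Clearing a log leaves its own trace while the Event Log service is running:
    # Security event 1104 and System event 104 record that a log was cleared.
    $cleared = @(Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 1104 } -MaxEvents 5 -ErrorAction SilentlyContinue) +
               @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 104 } -MaxEvents 5 -ErrorAction SilentlyContinue)
    foreach ($ev in $cleared) { Add-Finding 'Log cleared' "$($ev.LogName) Id=$($ev.Id) at $($ev.TimeCreated)" }

    return $findings
}

Test-WafsTamper | Format-Table -AutoSize
```

An empty result means none of the checked states match; several findings together, in particular a disabled EventLog service next to missing Prefetch and SRUM stores, is the pattern to escalate on.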