Windows Anti-Forensics Script

⚠️ Warning

Backup your data and your registry before.

Description

Windows Anti-Forensics Script (WAFS) aim to make forensics investigations on a Windows OS more difficult. WAFS allow you to clean/disable certain files, services, registry keys. And WAFS provide some anti-forensics tools to improve countering forensics analysis.

Installation

Invoke-WebRequest https://raw.githubusercontent.com/MikeHorn-git/WAFS/main/WAFS.ps1 -Outfile WAFS.ps1
#Run Powershell with administrator privilege
.\WAFS.ps1

Usage

██╗    ██╗ █████╗ ███████╗███████╗
██║    ██║██╔══██╗██╔════╝██╔════╝
██║ █╗ ██║███████║█████╗  ███████╗
██║███╗██║██╔══██║██╔══╝  ╚════██║
╚███╔███╔╝██║  ██║██║     ███████║
 ╚══╝╚══╝ ╚═╝  ╚═╝╚═╝     ╚══════╝
                                  
Windows Anti-Forensics Script

Syntax: wafs.ps1 -[all|anti|tools]
options:
-all                Install both features.
-anti               Disable and clear certains windows features and parameters for anti-forensics.
-tools              Install anti-forensics tools.

Features

• Clean

  • Chrome cache - history - session restore
  • DNS cache
  • Edge cache - history
  • Firefox cache - history
  • Internet Explorer cache - history - session restore
  • Last-Visited MRU
  • OpenSave MRU
  • Plug and Play logs
  • PowerShell history
  • Prefetch
  • Recent items
  • RecycleBin
  • Run command history
  • Shadow copies
  • Shellbags
  • Simcache
  • System Resource Usage Monitor
  • Tempory files
  • Thumbcache
  • USB history
  • User Assist
  • VPN cache
  • Windows Timeline

• Disable

  • Keylogger
  • NTFS Last Acces Time
  • Prefetch
  • Shadow Copies
  • Shellbags
  • User Assist
  • UsnJrnl
  • Windows Event Logs
  • Windows Timeline

• Remove

  • Cortana

Tools

• Bleachbit
• BusKill
• ClamAV
• Delete-self-poc
• ExivPilot
• KeePassXC
• SDelete
• TimeStomper
• USBSentinel
• VeraCrypt

Credits

• Awesome anti-forensic
• Background
• Sans Forensics