Good Carder
From carder to carders. You did everything right, covered your digital tracks, destroyed logs, erased the history. Do you think that now no one will be able to prove that you were on that computer? Naive. Forensics in 2026 is not just "recovering deleted files." It is extracting data from memory chips, recovering encryption keys from cooled RAM, analyzing keystroke shadows on fingerprints left behind.
In this article, I will discuss which technical means can slow down or make it impossible to investigate. Take back control.
Part 1: Lies, Damned Lies, and "Secure Deletion" of Files
You've probably heard of programs like CCleaner, BleachBit, and SDelete. They overwrite files with random data, making them unrecoverable. This works for hard drives (HDDs), but for solid-state drives (SSDs), it's almost useless.
Why SSDs hate being overwritten: When you write data to an SSD, the controller distributes it across the chips in a random order using a mechanism called wear leveling. The file you "overwrote" may physically be located elsewhere, while the "deleted" copy may still be in a different cell.
Back in 2011, Cambridge researchers proved that even a single overwrite on an SSD doesn't guarantee its complete destruction due to the presence of spare areas and the controller's cache. In 2026, nothing has changed, except that SSDs have become even faster and their caches are larger.
Conclusion: overwriting files on an SSD is a waste of time and resources, reducing the lifespan of the drive.
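To make the wear-leveling point concrete, here is a small Python model of a flash translation layer. It is an added illustration, not code from the original post or from any SSD vendor's firmware: the page size, the page count and the `ToySSD` class are constructed for the demonstration. It shows that a "secure delete" tool overwriting a logical block three times leaves the original plaintext sitting in a stale physical page that a chip-off read would still see, until the controller's garbage collection actually erases it.

```python
"""Toy flash translation layer (FTL), constructed for this article.

Not the firmware of any real SSD: it only reproduces the one property the
text relies on, namely that a logical overwrite is redirected to a fresh
physical page while the old page keeps its contents until garbage collection.
"""
import os
import random

PAGE_SIZE = 16  # bytes per page in this toy model (assumed, not a real geometry)


class ToySSD:
    def __init__(self, pages=8, seed=0):
        self.rng = random.Random(seed)
        self.phys = [None] * pages  # physical pages: raw bytes, or None when erased
        self.l2p = {}               # logical block -> physical page currently mapped
        self.stale = set()          # physical pages holding superseded (but unerased) data

    def _free_pages(self):
        return [i for i, p in enumerate(self.phys) if p is None]

    def write(self, lba, data):
        """Wear leveling: a write always lands on some erased page, never in place."""
        free = self._free_pages()
        if not free:
            raise RuntimeError("no erased pages left; garbage collection needed")
        target = self.rng.choice(free)
        if lba in self.l2p:
            self.stale.add(self.l2p[lba])  # the old copy is only marked stale
        self.phys[target] = bytes(data)
        self.l2p[lba] = target
        return target

    def read(self, lba):
        """What the operating system sees through the logical block address."""
        return self.phys[self.l2p[lba]]

    def raw_pages_containing(self, needle):
        """What a chip-off read sees: every physical page, mapped or stale."""
        return [i for i, p in enumerate(self.phys) if p is not None and needle in p]

    def garbage_collect(self):
        """Erase stale pages; only now is the superseded data actually gone."""
        for i in self.stale:
            self.phys[i] = None
        self.stale.clear()


def secure_delete_demo():
    """Overwrite a logical block three times, then compare OS view vs chip view."""
    ssd = ToySSD()
    secret = b"SECRET-DOCUMENT!"  # constructed sample content, exactly one page
    ssd.write(0, secret)
    for _ in range(3):  # what an overwrite-based "secure delete" tool does
        ssd.write(0, os.urandom(PAGE_SIZE))
    before_gc = ssd.raw_pages_containing(secret)
    ssd.garbage_collect()
    after_gc = ssd.raw_pages_containing(secret)
    return {
        "os_view_is_random": ssd.read(0) != secret,   # the tool "succeeded" from the OS side
        "chip_pages_with_plaintext": before_gc,        # but the plaintext page was still there
        "after_gc": after_gc,                          # gone only after the controller erased it
    }


if __name__ == "__main__":
    print(secure_delete_demo())
```

The model has no cache and no over-provisioned spare area; a real controller has both, which only widens the window in which the old page survives.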
Part 2. The Only True Way: Full Disk Encryption
By default, everything you do is encrypted. If your computer is turned off, no one can access your data.
2.1. VeraCrypt – the gold standard of open source
VeraCrypt is the successor to the legendary TrueCrypt, open source and without black boxes. It encrypts individual containers (image files mounted as drives), entire system partitions, or entire drives. VeraCrypt remains the gold standard of open source encryption in 2026, and its version 1.26.27, released in September 2025, continues to set the tone in the security industry.
Create an encrypted container (encrypt individual files):
VeraCrypt allows you to create encrypted containers (files) that are mounted like regular drives. In the creation wizard, you choose whether the volume will be regular, hidden, or encrypted for the system partition. This is a basic level of protection for working files.
Encrypt the system partition:
If you want your computer to require a password at boot, even before Windows starts, select "Encrypt System Partition / Drive." VeraCrypt will require you to create a bootable recovery disk (to prevent you from locking yourself out) and will prompt you to select an encryption algorithm (AES, Serpent, Twofish, or a combination). The program will then encrypt the entire system drive in real time. Upon power-on, a VeraCrypt screen will appear asking you to enter a password; without it, Windows will not boot.
Hidden Volume (plausible deniability): In addition to a regular encrypted volume, VeraCrypt allows you to create a hidden volume within it. You enter one password, and a "dummy" volume with insignificant data opens. Enter a second password, and the real volume opens. If forced, you can always give up the "dummy" password, and no one will be able to prove the hidden volume's existence, as the encrypted data is indistinguishable from random noise.
2.2. BitLocker – built-in Windows protection
BitLocker is Windows' built-in encryption. It's easier to set up, but it doesn't have a "plausible deniability" option. BitLocker works in conjunction with the TPM (Trusted Platform Module), a chip on the motherboard that stores encryption keys and prevents the system from booting with a fake bootloader.
Enabling BitLocker is easy: Control Panel → System and Security → BitLocker Drive Encryption → Turn on BitLocker. In the settings, you can require a PIN at every boot in addition to the TPM. This will enhance security: without a PIN, even if you have access to the computer, you won't be able to log in, as the TPM won't release the key without confirmation.
Caution: If you lose your BitLocker recovery key (48-digit code), your data is lost forever. Keep it in a safe place, not on an encrypted drive.
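A BitLocker recovery password is eight groups of six digits, and each group is a multiple of 11 below 720896 (11 × 65536), so a transcription error in a key you wrote down on paper can be caught before the day you actually need it. The checker below is an added example, not Microsoft's code or a tool from the original post; the sample keys it is tested against are constructed.

```python
"""Format check for a 48-digit BitLocker recovery password (added example).

Each 6-digit group encodes 16 bits of key material multiplied by 11, so a
group is valid only if it is divisible by 11 and smaller than 11 * 65536.
This catches mistyped digits; it cannot tell you whether the key unlocks a
given volume.
"""

GROUPS = 8
GROUP_LEN = 6
GROUP_LIMIT = 11 * 65536  # 720896


def is_valid_bitlocker_recovery_key(key: str) -> bool:
    """Return True if `key` is well-formed, e.g. '000000-000011-...'."""
    groups = key.replace(" ", "").split("-")
    if len(groups) != GROUPS:
        return False
    for g in groups:
        if len(g) != GROUP_LEN or not g.isdigit():
            return False
        n = int(g)
        if n % 11 != 0 or n >= GROUP_LIMIT:
            return False
    return True


def bad_groups(key: str):
    """List the 1-based positions of groups that fail the check, for fixing a transcript."""
    groups = key.replace(" ", "").split("-")
    return [
        i + 1
        for i, g in enumerate(groups)
        if len(g) != GROUP_LEN or not g.isdigit() or int(g) % 11 != 0 or int(g) >= GROUP_LIMIT
    ]


if __name__ == "__main__":
    # Constructed sample: every group is a multiple of 11 below 720896.
    sample = "000000-000011-000022-123453-720885-000033-000044-000055"
    print(is_valid_bitlocker_recovery_key(sample), bad_groups(sample))
```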
Part 3. Anonymous Operating Systems
Your computer isn't just Windows. There are specialized operating systems that leave no trace by default, encrypt everything, or operate without persistent storage.
3.1. Tails OS – Amnesia by Default
Tails (The Amnesic Incognito Live System) is a Linux distribution that boots from a USB flash drive and bypasses the computer's hard drive by default. All traffic is routed through Tor, and all traces are lost upon shutdown.
Tails 7.4, released on January 15, 2026, updated the kernel to Linux 6.12 LTS and switched to the Debian 13 package base. Tails 7.6 (March 26, 2026) replaced the KeePassXC password manager with GNOME Secrets (a simpler alternative) and added automatic Tor bridge selection for bypassing censorship.
How to use Tails: download the image, write it to a USB flash drive using a special utility (Etcher, Rufus), and boot from it. All your work happens in RAM, and when you turn off the computer, it is forgotten forever. You can save files to encrypted persistent storage on the same flash drive, but this is an option for advanced users.
The key feature of Tails is that even if your flash drive is seized, they won't be able to recover anything unless you leave behind the persistent storage and its password.
3.2. Whonix – Isolation via Two Virtual Machines
Whonix consists of two virtual machines: Gateway and Workstation. All traffic from Workstation goes through Gateway, which uses Tor. If Workstation is hacked, the attacker won't know your real IP. And if your computer is seized, they'll only see two encrypted virtual machines with no intelligible content.
Setting up Whonix:
- Gateway: accesses the internet, runs Tor.
- Workstation: connected only to the internal network, with the Gateway as the only exit. This is where you work with your browser, documents, and crypto wallets.
When setting up VirtualBox, create two virtual machines from Whonix images. Configure the Gateway with a NAT network for internet access. Configure the Workstation with the "Internal Network" network adapter, manually specifying the network name for communication with the Gateway. The Workstation must not have direct internet access, only through the Gateway.
3.3. Qubes OS – Security through Isolation
Qubes OS is the most advanced system for paranoid users. It's not just an OS, but a meta-OS, where every application runs in its own virtual machine. If you open a suspicious PDF in one VM, it won't infect your email or crypto wallet in another VM.
Qubes architecture:
- Dom0: the most secure VM, inaccessible from the outside. Used only for system management.
- AppVMs: virtual machines for common applications (browser, office, messenger).
- TemplateVMs: templates from which AppVMs are created. Changes to a TemplateVM apply to all AppVMs based on it.
Qubes 4.3.0, released on December 22, 2025, introduced a graphical interface for configuring device forwarding to virtual machines, a redesigned device widget, and new flat icons for GUI tools. Qubes runs on top of the Xen hypervisor, providing the highest level of isolation.
For our purposes, this principle is crucial: even if an attacker gains access to one AppVM, they won't be able to penetrate the others, much less Dom0.
Part 4. Cold-boot attacks and protection against them
The most terrifying attacks for those relying on a powered-off computer are cold boot attacks. These exploit the persistence of data in DRAM chips after power is turned off, especially at low temperatures.
A typical attack involves the police seizing a working laptop, quickly powering it off, freezing the memory chips with an aerosol spray (to preserve the data longer), then booting from a flash drive and reading a RAM dump. From this dump, they extract disk encryption keys (for BitLocker, LUKS, VeraCrypt), passwords, and open documents.
How to protect yourself:
- Complete shutdown. The safest way to shut down your computer is to turn it off completely (shut down), rather than hibernate or sleep. Sleep mode doesn't turn off the computer, and encryption keys remain in memory.
- Clear RAM on shutdown. Some operating systems and BIOSes have an option to clear RAM on boot (Memory Clear / RAM Sanitization). Enable it.
- Hardware freeze protection. Some business laptops have sensors that block memory access if the temperature drops sharply.
- Using TPM. BitLocker with TPM will not provide the encryption key if the bootloader has been modified or if you are trying to boot from an external drive.
- Using operating systems that don't store keys in RAM. LUKS (Linux Unified Key Setup) allows encryption keys to be removed from memory after mounting the disk. Qubes OS suspends virtual machines and clears their memory before shutdown.
Part 5. Physical destruction of the carrier – the last line of defense
If you want to guarantee data destruction, the only 100% way is to physically destroy the media.
5.1. SSD and HDD – different approaches
For a hard drive (HDD), simply disassemble it and smash the magnetic disks with a hammer. Alternatively, use an industrial disk shredder (MediaGone 500), which reduces an HDD to shreds in seconds.
For SSDs, things are more complicated. Due to the design of NAND chips, data can be recovered even after shredding. Therefore, SSDs require specialized shredders, such as the FLASHPRO Solid-State Destroyer, which is designed for SSDs. Its mechanism crushes the memory chips with high force, ensuring complete physical destruction.
5.2. ATA Secure Erase
If you need to destroy data on an SSD but preserve the drive itself, use the ATA Secure Erase command (not a software overwrite, but a command built into the drive's firmware). It applies increased voltage to all memory cells, instantly erasing them. The ATA Secure Erase command can be executed through the boot environment using utilities such as hdparm in Linux.
5.3. NVMe Secure Erase – Instant Key Destruction
If your drive uses hardware encryption (NVMe with OPAL), the NVMe Secure Erase command doesn't overwrite all cells, but instantly destroys the encryption key. This makes the data completely unreadable, and the entire process takes only seconds.
Recommendation: Before throwing away or selling your old drive, use ATA/NVMe Secure Erase. It's fast, secure, and won't reduce the lifespan of your SSD.
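Why destroying one key wipes a whole drive in seconds is easier to see in a model than in prose. The Python below is an added illustration, not code from the original post or from any drive vendor: it models a self-encrypting drive whose controller encrypts every page under a media encryption key (MEK) before it reaches the NAND, and whose crypto-erase simply replaces that key. The SHA-256 counter keystream stands in for the AES-XTS a real drive uses and is a deliberate toy; the `ToySED` class, page numbers and sample content are constructed.

```python
"""Toy self-encrypting drive (SED) and crypto-erase model, constructed for this article.

Not the firmware of any real NVMe/OPAL drive. The keystream is a SHA-256
counter construction chosen for self-containment; a real drive uses AES-XTS
with the key held inside the controller, never written to the NAND.
"""
import hashlib
import os


def keystream(key: bytes, page_no: int, length: int) -> bytes:
    """Toy per-page keystream: SHA-256(key || page || counter), concatenated."""
    out = b""
    counter = 0
    while len(out) < length:
        block = key + page_no.to_bytes(4, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class ToySED:
    def __init__(self):
        self.mek = os.urandom(32)  # media encryption key, lives in the controller only
        self.cells = {}            # page number -> ciphertext as stored in NAND

    def write(self, page_no: int, data: bytes) -> None:
        self.cells[page_no] = xor(data, keystream(self.mek, page_no, len(data)))

    def read(self, page_no: int) -> bytes:
        ct = self.cells[page_no]
        return xor(ct, keystream(self.mek, page_no, len(ct)))

    def crypto_erase(self) -> None:
        """The secure-erase path on an encrypting drive: swap the MEK, touch no cells."""
        self.mek = os.urandom(32)

    def nand_contains(self, needle: bytes) -> bool:
        """What a chip-off read of the raw cells would find."""
        return any(needle in ct for ct in self.cells.values())


def crypto_erase_demo():
    drive = ToySED()
    secret = b"CONFIDENTIAL FILE CONTENTS"  # constructed sample content
    drive.write(7, secret)
    readable_before = drive.read(7) == secret
    plaintext_on_nand = drive.nand_contains(secret)
    snapshot = dict(drive.cells)
    drive.crypto_erase()
    return {
        "readable_before": readable_before,        # normal reads work while the MEK exists
        "plaintext_on_nand": plaintext_on_nand,    # the cells never held plaintext at all
        "readable_after": drive.read(7) == secret, # after the key swap the page is noise
        "cells_unchanged": drive.cells == snapshot, # nothing was overwritten to achieve that
    }


if __name__ == "__main__":
    print(crypto_erase_demo())
```

The last two fields are the whole point: the erase is instant and wear-free because the NAND is not touched, and it is complete because every page depended on the one key that no longer exists.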
5.4. Shredders and self-destructing drives
Industrial shredders cut drives into tiny fragments (up to 6 mm), eliminating any possibility of recovery. Specialized shredders like the FLASHPRO Solid-State Destroyer crush memory chips with tremendous force, making data recovery virtually impossible.
Part 6. OPSEC Checklist: Bulletproof Protection
- Full system disk encryption: VeraCrypt (with hidden volume option) or BitLocker + TPM + PIN.
- Anonymous OS for sensitive operations: Tails (from a flash drive), Whonix (for working with wallets) or Qubes OS (for maximum isolation).
- BIOS/UEFI settings: disable booting from external media, set a BIOS password, disable unnecessary ports (USB, Thunderbolt).
- Clear RAM on shutdown: Enable the option in BIOS, configure the OS to clear memory on boot.
- Temperature monitoring: Don't keep your laptop in the refrigerator after shutting down. This will only make a cold boot attack easier.
- Physical security: Use Kensington locks, do not leave your laptop unattended.
- If the computer is about to be seized: If you have time, shut down the computer and remove the battery. If you don't have time, fill the laptop with water. Just kidding (not kidding).
Part 7: What the police can and can't recover
This section is for those who want to understand the limits of forensics.

| Device type | What can be restored? | What cannot be restored? |
|---|---|---|
| HDD (without encryption) | Everything. Absolutely everything. Even after formatting. | Almost nothing |
| HDD (VeraCrypt/BitLocker encryption) | Nothing, if the password is strong and you haven't forgotten it. | Everything, if the password is weak or it was recovered from RAM |
| SSD (no encryption) | A lot, but fragmented, due to wear leveling | Complete files often cannot be recovered. |
| SSD (encrypted + ATA Secure Erase) | Nothing | All |
| RAM (after shutdown) | Encryption keys, passwords, open documents (within 5-15 minutes after shutdown) | Everything, if more than 30 minutes have passed or the computer was not in the freezer |
| Tails (no persistent storage) | Nothing | All |
Summary
Forensic protection is a defense in depth. Full-disk encryption (VeraCrypt/BitLocker + TPM + PIN) ensures that your data cannot be read without a password. But remember: when the computer is on, the encryption keys are in RAM. So use Tails or Qubes, which don't store secrets on disk and clear memory when shutting down.
And never underestimate physical security. If the police catch your computer running, everything we've discussed will be meaningless.
A quick one-line reminder:
BitLocker with TPM and PIN is the basics. VeraCrypt with a hidden volume is for the paranoid. Tails is for leaving no trace. Qubes OS is to ensure that hacking one virtual machine doesn't result in the loss of all your data. Turn off the computer, remove the battery, and pray. But remember: perfect security doesn't exist. If you've exposed your face, the only thing that can help is money, a lawyer, and a ticket to a country without extradition.
