Silk Road forums

Discussion => Security => Topic started by: meatwad on July 17, 2013, 02:47 pm

Title: What is CryptnetUrlCache?
Post by: meatwad on July 17, 2013, 02:47 pm
The directory is located in Windows 7 here:  C:\Users\(removed)\AppData\LocalLow\Microsoft\CryptnetUrlCache

It will not allow itself to be deleted and it has two directories in it labeled:  Metadata and Content.  All of the files in those two directories have file names like this: ACF244F1A10D4DBED0D88EBA0C43A9B5_A9C858C1E3D297A71D80B8E1560DA3B5
After doing a little research online it seems to be a record of all browsing and possibly a record of your computer usage.
I have already added that directory to my CCleaner that runs every time my computer boots, although I'm not sure Windows will allow them to be deleted that way or not.

Can anyone knowledgeable chime in here? 
Title: Re: What is CryptnetUrlCache?
Post by: Aussie bob on July 17, 2013, 03:05 pm
CryptnetUrlCache is an encrypted copy of data pertaining to your browsing and download history. I don't know exactly what info it holds. Microsoft encryption has been voluntarily compromised, with the US national security apparatus able to decrypt at will :0
   Best to use Tails or Liberté Linux for SR and other risky online behaviour, if not doing so already. Also, discarding Windows entirely, wiping your drive, and installing Ubuntu or something similar wouldn't be a bad idea. Windows XP works pretty well within VirtualBox in Ubuntu for when you want to use Windows for something. However, if you don't want to do that there are command lines that, supposedly, clear the cache. If you want them I should probably be able to find them :) AB.
Title: Re: What is CryptnetUrlCache?
Post by: meatwad on July 17, 2013, 03:30 pm
So Windows does keep an encrypted copy of everything I have browsed and downloaded?  WOW!  What if I am using a third-party browser?  Will it still be able to save my browsing history? 
Title: Re: What is CryptnetUrlCache?
Post by: Aussie bob on July 17, 2013, 03:54 pm
   Sorry I can't give a more technical answer, but from what I understand it doesn't matter what browser you use if it is not encrypting all connections. Even then, I believe, private browsing on Chrome or Firefox etc, visiting only https sites, still leaks data that is stored in a number of locations in Windows.
    I'm not sure what, if any, data can be unintentionally leaked to Windows when using Tor browser safely (sticking to hidden sites, not downloading any files) but I wouldn't be surprised if it's a bit...
Title: Re: What is CryptnetUrlCache?
Post by: meatwad on July 17, 2013, 06:19 pm
Maybe astor or kmfkewm or anyone else knows anything about this?
Title: Re: What is CryptnetUrlCache?
Post by: astor on July 17, 2013, 06:28 pm
Sorry, I don't know anything about that specifically, but it's safe to say that there are traces of your activities (browsing as well as non-browsing) all over your computer in various caches and files. Take a look at what the browser bundle leaves behind on Windows, and it's designed to leave as little evidence as possible:

http://dkn255hz262ypmii.onion/index.php?topic=148291.msg1152452#msg1152452

Most other apps will leave behind a lot more. The best way to avoid leaving evidence is to use a bootable OS like Tails, or you can hide the evidence by fully encrypting your hard drive, but you never know what Windows might transmit back to Microsoft.

Title: Re: What is CryptnetUrlCache?
Post by: meatwad on July 17, 2013, 07:42 pm
What about running your clearnet and Tor browser in a sandbox like Sandboxie?  Would that prevent anything from being written to this cache?
Title: Re: What is CryptnetUrlCache?
Post by: Aussie bob on July 17, 2013, 08:06 pm
I don't know that particular program, but if you try to run Tails in a virtual environment on your OS, even a Linux one, it warns you that your activity is no longer amnesiac: your activity is recorded on the hard drive and within the logs of the virtualiser. I'd assume that your activity is probably even more comprehensively recorded if using something less secure than Tails.
Title: Re: What is CryptnetUrlCache?
Post by: astor on July 17, 2013, 08:14 pm
This is the problem with running any proprietary software, especially from a company that actively works with LE to backdoor its programs (Skype) and provides forensics tools like this:

https://en.wikipedia.org/wiki/COFEE
Title: Re: What is CryptnetUrlCache?
Post by: tbart on July 17, 2013, 09:55 pm
okay, admittedly i'm the fred flintstone of this stuff, but i may have been doing something that was right for reasons i wasn't aware of. For the past 3 years, i've been cloning my hard drive, cloned it when i first started using a windows 7 desktop, and then as data changed in particular programs (ie email, or quickbooks, document files), i'd do a backup on those files into the appropriate directory on the cloned hard drive. Then once a year, around christmas, i clone the backup hard drive to my desktop (someone that sounded like he knew what he was talking about had told me once a year to do a complete reformat of my computer and re-install every program - this way seemed easier).

one downfall, is when i do that, windows has a ton of updates to download but i'm thinking now to maybe do that more often. wouldn't that erase that cache file with a virgin file?
Title: Re: What is CryptnetUrlCache?
Post by: astor on July 17, 2013, 10:11 pm
> one downfall, is when i do that, windows has a ton of updates to download but i'm thinking now to maybe do that more often. wouldn't that erase that cache file with a virgin file?

It would replace it with the old cache file, although if the old one is simply deleted, it could probably be recovered with simple forensics tools. I've been able to recover deleted files with this:

http://www.cgsecurity.org/wiki/PhotoRec

Despite the name, it recovers many types of files. Of course LE would have better forensics tools than that.

A more thorough way of doing what you are doing is to overwrite the entire hard drive with a tool like DBAN and then clone the backup onto the hard drive.
Title: Re: What is CryptnetUrlCache?
Post by: Aussie bob on July 17, 2013, 10:19 pm
> > one downfall, is when i do that, windows has a ton of updates to download but i'm thinking now to maybe do that more often. wouldn't that erase that cache file with a virgin file?
>
> It would replace it with the old cache file, although if the old one is simply deleted, it could probably be recovered with simple forensics tools. I've been able to recover deleted files with this:
>
> http://www.cgsecurity.org/wiki/PhotoRec
>
> Despite the name, it recovers many types of files. Of course LE would have better forensics tools than that.
>
> A more thorough way of doing what you are doing is to overwrite the entire hard drive with a tool like DBAN and then clone the backup onto the hard drive.

   That's totally what I was thinking. I can't give you specifics, but I think it's wise to assume Windows takes and stores, permanently, some trace of everything you ever do with it. It is crazy how much info you can retrieve using freeware data recovery tools. As Astor said, LEO have at their disposal great technical prowess and a significant technological advantage. Windows is a threat, AB.
Title: Re: What is CryptnetUrlCache?
Post by: tbart on July 18, 2013, 12:58 am
> > one downfall, is when i do that, windows has a ton of updates to download but i'm thinking now to maybe do that more often. wouldn't that erase that cache file with a virgin file?
>
> It would replace it with the old cache file, although if the old one is simply deleted, it could probably be recovered with simple forensics tools. I've been able to recover deleted files with this:
>
> http://www.cgsecurity.org/wiki/PhotoRec
>
> Despite the name, it recovers many types of files. Of course LE would have better forensics tools than that.
>
> A more thorough way of doing what you are doing is to overwrite the entire hard drive with a tool like DBAN and then clone the backup onto the hard drive.

i do format the desktop's hard drive before cloning the backup HD onto it, but didn't know about DBAN - but as far as replacing it with the old cache file, the backup drive was a clone of the desktop from the day it was new and i'd removed all programs i didn't need and installed the ones i use - quickbooks, UPS, and microsoft outlook 2007.

thanks for the DBAN tip