How do I review a possibly physically accessed device
General device
From @Evacide
If you want to help victims of intimate partner abuse that are worried that their devices have been compromised, this USENIX paper by Sam Havron is an excellent resource: https://www.usenix.org/system/files/sec19-havron.pdf
Below assumes Windows OS
Ask: Could you create a guide to clean up if someone has had unauthorized physical access to your computer?
The below assumes a Windows Operating System (OS).
It also assumes that the person with physical access has limited technical skill, as does the owner of the computer.
My Answer: What I would do if possible
- Wipe the machine (reinstall from the start / out of the box / from scratch) and restore from a backup made before the access occurred.
- I understand this is less likely for less technical persons and may not be possible as they may not have backups or know how.
- Don't have backups? Start using one after cleaning (if you can afford to)! I use Carbonite but any company will do. (Apple Time Machine, for example.)
- Download on a clean computer a malware/adware scanner to a USB stick and run on the compromised computer.
- Downloading/installing a scanner on the compromised computer may not work if it is compromised.
- Change your password manager master password.
- Not using a password manager? I recommend using one. I use LastPass.
- Make sure you are using 2-factor authentication (2FA) / Multi-Factor Authentication (MFA) wherever possible.
- Change the administrator password on the machine and make sure to disable guest login.
- Review the installed software/programs, specifically for recent additions and remove any unknowns.
- Purchase and install a firewall, crank it up to 100% blocked, and permit items through one at a time for a period of time, looking for suspicious activity. Then put it back to a medium or less paranoid level.
- Check the web history in all browsers installed. The web history will tell you where they've been if they didn't clear it.
- Check the downloads folder. They may not have cleared the history of items downloaded or the actual downloaded files.
- Go into the file browser and list all files by date; that will give you an idea of which files were last changed/created. (Just remember some of those may be your own alterations.)
- Review all browsers for add-ons/plugins and uninstall anything not recognized.
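The review steps in the answer above can be scripted so the results can be carried off the machine and read on a clean computer. The following PowerShell script is an added example, not part of the original page or of the answer above. It collects the artifacts those steps say to look at (recently installed programs, local accounts and whether Guest is enabled, files created or modified recently including the Downloads folder, and browser extensions) and writes them as CSV/text files to a report folder, assumed to be a USB stick. It goes one step beyond the list by also dumping logon autostart entries (Run keys and recently registered scheduled tasks), since software planted by someone at the keyboard needs a way to start again after a reboot. The output path, the 30-day lookback, and the browser profile locations (default profiles only) are assumptions; adjust them to the machine in front of you.

```powershell
# Added example, not from the original page: collect physical-access triage
# artifacts from a Windows machine and write them to a report folder
# (assumed to be a USB stick) for review on a clean computer.
# Run from an elevated PowerShell prompt. $Days and $Report are assumptions.
param(
    [int]$Days = 30,
    [string]$Report = 'E:\triage-report'
)
$since = (Get-Date).AddDays(-$Days)
New-Item -ItemType Directory -Path $Report -Force | Out-Null

# 1. Installed programs, newest first. Windows records them under the
#    Uninstall registry keys (64-bit, 32-bit and per-user); InstallDate is
#    a yyyyMMdd string, so a descending string sort puts recent ones on top.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, Publisher, InstallDate, InstallLocation |
    Sort-Object InstallDate -Descending |
    Export-Csv -Path "$Report\installed-programs.csv" -NoTypeInformation

# 2. Local accounts: whether Guest is enabled, who is an administrator, and
#    when each password was last set (a date you do not remember is a question).
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet |
    Export-Csv -Path "$Report\local-users.csv" -NoTypeInformation
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, PrincipalSource |
    Export-Csv -Path "$Report\administrators.csv" -NoTypeInformation

# 3. Files created or modified inside the lookback window in the folders
#    someone at the keyboard is most likely to have touched, newest first.
#    Your own edits will show up here too; that is expected.
$dirs = @(
    "$env:USERPROFILE\Downloads",
    "$env:USERPROFILE\Desktop",
    "$env:USERPROFILE\Documents",
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup"
)
Get-ChildItem -Path $dirs -Recurse -File -Force -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since -or $_.CreationTime -ge $since } |
    Select-Object FullName, CreationTime, LastWriteTime, Length |
    Sort-Object LastWriteTime -Descending |
    Export-Csv -Path "$Report\recent-files.csv" -NoTypeInformation

# 4. Autostart entries (beyond the list above): Run keys, and scheduled
#    tasks registered inside the window, with the command each task runs.
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
        Select-Object * -ExcludeProperty PS* |
        Format-List |
        Out-File -FilePath "$Report\run-keys.txt" -Append
}
Get-ScheduledTask |
    Where-Object { $_.Date -and ([datetime]$_.Date) -ge $since } |
    Select-Object TaskName, TaskPath, Date, Author,
        @{ Name = 'Command'; Expression = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } } |
    Export-Csv -Path "$Report\recent-scheduled-tasks.csv" -NoTypeInformation

# 5. Browser extensions. Chrome and Edge keep each extension in a folder named
#    by its ID with a manifest.json inside (names starting "__MSG_" are
#    localised; look in the extension's _locales folder to resolve them).
#    Only the default profile is covered here (an assumption).
$extRoots = @(
    "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions",
    "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Extensions"
)
Get-ChildItem -Path $extRoots -Directory -ErrorAction SilentlyContinue |
    ForEach-Object {
        $manifest = Get-ChildItem -Path $_.FullName -Recurse -Filter manifest.json -ErrorAction SilentlyContinue |
            Select-Object -First 1
        $name = if ($manifest) { (Get-Content -Path $manifest.FullName -Raw | ConvertFrom-Json).name } else { '?' }
        [pscustomobject]@{
            Browser   = $_.Parent.Parent.Parent.Parent.Name   # ...\Chrome\User Data\Default\Extensions\<id>
            Id        = $_.Name
            Name      = $name
            Installed = $_.CreationTime
        }
    } |
    Export-Csv -Path "$Report\browser-extensions.csv" -NoTypeInformation

# Firefox lists its add-ons in extensions.json; installDate is Unix epoch ms.
Get-ChildItem -Path "$env:APPDATA\Mozilla\Firefox\Profiles\*\extensions.json" -ErrorAction SilentlyContinue |
    ForEach-Object {
        (Get-Content -Path $_.FullName -Raw | ConvertFrom-Json).addons |
            Select-Object id, @{ Name = 'Name'; Expression = { $_.defaultLocale.name } },
                @{ Name = 'Installed'; Expression = { [DateTimeOffset]::FromUnixTimeMilliseconds($_.installDate).DateTime } }
    } |
    Export-Csv -Path "$Report\firefox-extensions.csv" -NoTypeInformation

Write-Host "Triage artifacts written to $Report"
```

The script only collects; it changes nothing on the machine, so it can be run before the clean-up steps and the CSVs compared against what you remember installing. The account and group cmdlets come from the Microsoft.PowerShell.LocalAccounts module shipped with Windows PowerShell 5.1, and `Disable-LocalUser -Name Guest` from the same module is the one-liner for the "disable guest login" step. Browser history is not dumped here because each browser keeps it in its own database file; reviewing it inside the browser, as the list says, is the simpler route for a non-technical owner.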