How do I review a possibly physically accessed device

General device

From @Evacide

If you want to help victims of intimate partner abuse who are worried that their devices have been compromised, this USENIX paper by Sam Havron is an excellent resource: https://www.usenix.org/system/files/sec19-havron.pdf


Below assumes Windows OS

Ask: Could you create a guide to clean up if someone has had unauthorized physical access to your computer?

The below assumes a Windows Operating System (OS).

It also assumes that the person who had physical access is of limited technical skill, as is the owner of the computer.

My Answer: What I would do if possible

  • Wipe the machine (reinstall the OS from scratch, back to its out-of-the-box state) and restore from a backup taken before the access occurred.
    • I understand this is less likely for less technical persons and may not be possible as they may not have backups or know how.
    • Don't have backups? Start using one after cleaning (if you can afford to)! I use Carbonite but any company will do. (Apple Time Machine for example.)
  • On a clean computer, download a malware/adware scanner to a USB stick, then run it on the compromised computer.
    • Downloading/installing the scanner on the compromised computer itself may not work if that machine is compromised.
  • Change your password manager master password.
    • Not using a password manager? I recommend using one. I use LastPass.
  • Make sure you are using 2-factor authentication (2FA) / Multi-Factor Authentication (MFA) wherever possible.
  • Change the administrator password on the machine and make sure to disable guest login.
  • Review the installed software/programs, specifically for recent additions and remove any unknowns.
  • Purchase and install a firewall, set it to block everything, and permit items through one at a time for a period of time while watching for suspicious activity. Then put it back to a medium or less paranoid level.
  • Check the web history in all installed browsers. The web history will tell you where they've been if they didn't clear it.
  • Check the downloads folder. They may not have cleared the history of items downloaded or the actual downloaded files.
  • Go into the file browser and list all files by date; that will give you an idea of which files were last changed/created as well. (Just remember some of those may be your own alterations.)
  • Review all browsers for add-ons/plugins and uninstall anything not recognized.
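As an added example (not part of the original answer), a read-only PowerShell triage script that covers the review steps above on Windows: recently installed programs, the Downloads folder, files changed in the user profile, Chrome/Edge extensions, and local accounts including Guest. The $Since parameter and the default Chrome/Edge profile paths are assumptions; adjust them to the machine being reviewed.

```powershell
# Added triage example, not from the original post. Assumes Windows PowerShell 5.1 or later.
# $Since is an assumed value: set it to the earliest date the device may have been accessed.
param([datetime]$Since = (Get-Date).AddDays(-30))
$sinceStamp = $Since.ToString('yyyyMMdd')

# 1. Recently added programs, read from the registry Uninstall keys.
#    InstallDate is yyyyMMdd when present; entries with no date are kept so they are not missed.
$uninstallKeys = @(
  'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
"== Programs installed on or after $sinceStamp (plus entries with no InstallDate) =="
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName } |
  Where-Object { -not $_.InstallDate -or $_.InstallDate -ge $sinceStamp } |
  Sort-Object InstallDate -Descending |
  Select-Object DisplayName, Publisher, InstallDate | Format-Table -AutoSize

# 2. Contents of the Downloads folder, newest first.
"== Files in Downloads =="
Get-ChildItem -Path (Join-Path $env:USERPROFILE 'Downloads') -File -ErrorAction SilentlyContinue |
  Sort-Object LastWriteTime -Descending |
  Select-Object LastWriteTime, Length, Name | Format-Table -AutoSize

# 3. Files created or modified under the profile since $Since (your own edits will show up here too).
"== Files created or modified under $env:USERPROFILE since $Since (first 200) =="
Get-ChildItem -Path $env:USERPROFILE -Recurse -File -Force -ErrorAction SilentlyContinue |
  Where-Object { $_.LastWriteTime -ge $Since -or $_.CreationTime -ge $Since } |
  Sort-Object LastWriteTime -Descending |
  Select-Object -First 200 LastWriteTime, CreationTime, FullName | Format-Table -AutoSize

# 4. Browser extensions. Chromium browsers keep one manifest.json per installed extension version
#    under the profile's Extensions folder (default profile paths assumed here).
"== Chrome / Edge extensions in the Default profile =="
$extRoots = @(
  "$env:LOCALAPPDATA\Google\Chrome\User Data\Default\Extensions",
  "$env:LOCALAPPDATA\Microsoft\Edge\User Data\Default\Extensions"
)
Get-ChildItem -Path $extRoots -Recurse -Filter manifest.json -ErrorAction SilentlyContinue | ForEach-Object {
  $m = Get-Content -Path $_.FullName -Raw | ConvertFrom-Json
  [pscustomobject]@{
    Browser = if ($_.FullName -like '*\Google\Chrome\*') { 'Chrome' } else { 'Edge' }
    Id      = $_.Directory.Parent.Name   # extension id folder
    Name    = $m.name                    # may be a __MSG_ placeholder for localized names
    Version = $m.version
  }
} | Format-Table -AutoSize

# 5. Local accounts: Guest should show Enabled = False, and no unexpected accounts should be present.
"== Local accounts =="
Get-LocalUser | Select-Object Name, Enabled, LastLogon | Format-Table -AutoSize
```

Run it from an elevated PowerShell prompt so the HKLM keys and all profile folders are readable; Firefox add-ons are not covered here and can be checked from about:addons in the browser.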